Manage Disk Mounted Images in Privilege Management for Mac

Privilege Management for Mac examines each Disk Mounted Image (DMG). If the disk image contains one or more application bundles and the application is associated with a Privilege Management Allow rule, the user is allowed to copy those bundles to the System Applications folder on the endpoint.

If the applications do not have a Privilege Management Allow rule, macOS defaults to requiring admin credentials in order to copy the bundle to the System Applications folder. Standard macOS functionality is used if anything other than an Allow rule is associated with the application bundle in the DMG, such as Block or Passive.

Configuration of the defendpoint.plist File

Management of DMGs is controlled by default, but it can be turned off by editing the defendpoint.plist file.

The location for the defendpoint.plist file is: /Library/Application Support/Avecto/Defendpoint/defendpoint.plist

The MountAssistant key, which is set to true by default, should be set to false to turn off the Privilege Management for Mac management of DMG files:

<key>MountAssistant</key>
<false/>

You need to restart the defendpointd daemon after you have edited the defendpoint.plist file for any changes to take effect. This can be done either by restarting the machine or by running these commands from your terminal:

sudo launchctl unload /Library/LaunchDaemons/com.avecto.defendpointd.plist
sudo launchctl load /Library/LaunchDaemons/com.avecto.defendpointd.plist

Format of Messages

In the defendpoint.plist file, you can also modify the string that is used for each message.

The format of the messages is a key and string tag:

<key>MountMessageAllow</key>
<string>Allow copying "[APP_NAME]" from "[MOUNT_NAME]" to Applications?</string>

The following placeholders can be used:

  • [APP_NAME]
    • Replaced by the Application Name.
  • [MOUNT_NAME]
    • Replaced by the Volume Name of the mounted DMG.

When you enter your own strings for the above keys, the formatting is "what you see is what you get." For example, if you press Enter, then you will get a new line.

You can configure the message that is displayed to the user at the endpoint in the following scenarios:

  • MountMessageAllow: Message that appears when a DMG containing an allowed bundle is mounted.
  • MountMessageNoteSame: Message that appears in smaller text below the MountMessageAllow message if the bundle is allowed, but the same version exists in the destination.
  • MountMessageNoteNewer: Message that appears in smaller text below the MountMessageAllow message if the bundle is allowed but a newer version of the bundle exists in the destination.
  • MountMessageNoteOld: Message that appears in smaller text below the MountMessageAllow message if the bundle is allowed but an older version of it exists in the destination.
  • MountNotificationSuccess: Message that appears in the macOS notification center when the copying process succeeds.
  • MountNotificationFailure: Message that appears in the macOS notification center when the copying process fails.

If the message keys above have not been set, Privilege Management for Mac uses the default values and strings.

If you enter the <key> but do not specify the <string>, then the message will be empty.

You must use escaped characters for valid XML, such as in the examples below:

Symbol    Escaped Form
"         &quot;
&         &amp;
'         &apos;
<         &lt;
>         &gt;

Message Examples

The following examples show sample messages in the defendpoint.plist file.

<key>MountMessageAllow</key>
   <string>Allow copying "[APP_NAME]" from "[MOUNT_NAME]" to Applications?</string>
<key>MountMessageNoteSame</key>
   <string>Note: same version of the item named "[APP_NAME]" already exists in this location.</string>
<key>MountMessageNoteNewer</key>
   <string>Note: a newer version of the item named "[APP_NAME]" already exists in this location.</string>
<key>MountMessageNoteOlder</key>
   <string>Note: an older version of the item named "[APP_NAME]" already exists in this location.</string>
<key>MountNotificationSuccess</key>
   <string>"[APP_NAME]" was successfully copied from "[MOUNT_NAME]" into the Applications folder.</string>
<key>MountNotificationFailure</key>
   <string>"[APP_NAME]" was not successfully copied from "[MOUNT_NAME]" into the Applications folder.</string>
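A check to run after editing defendpoint.plist and before restarting defendpointd, covering the MountAssistant setting and the message rules above. This is an added example, not BeyondTrust code. It assumes the keys sit in the top-level dict of the file, that message keys start with MountMessage or MountNotification, and that an absent MountAssistant key means true. The audit function and the sample data are constructed for illustration.

```python
import plistlib
import re
from xml.parsers.expat import ExpatError

# Placeholders documented on this page.
KNOWN_PLACEHOLDERS = {"APP_NAME", "MOUNT_NAME"}
# Assumption: message keys share these prefixes and sit in the top-level dict.
MESSAGE_PREFIXES = ("MountMessage", "MountNotification")


def audit(plist_bytes):
    """Return a list of findings for a defendpoint.plist given as bytes."""
    try:
        config = plistlib.loads(plist_bytes)
    except (ValueError, ExpatError) as exc:
        # Typical cause: a hand-edited string with a raw & or < in it.
        return [f"not a valid plist: {exc}"]
    findings = []
    # The page says the key is true by default; absent == true is an assumption.
    if config.get("MountAssistant", True) is False:
        findings.append("MountAssistant is false: DMG management is turned off")
    for key, value in config.items():
        if not key.startswith(MESSAGE_PREFIXES) or not isinstance(value, str):
            continue
        if not value.strip():
            findings.append(f"{key}: empty string, the message will be blank")
        for name in re.findall(r"\[([A-Z_]+)\]", value):
            if name not in KNOWN_PLACEHOLDERS:
                findings.append(f"{key}: unknown placeholder [{name}]")
    return findings


# Constructed sample input, not a real configuration.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>MountAssistant</key><false/>
<key>MountMessageAllow</key>
<string>Allow copying "[APP_NAME]" from "[MOUNT_NAME]" to Applications?</string>
<key>MountNotificationSuccess</key><string></string>
<key>MountNotificationFailure</key><string>[APP] copy failed &amp; was skipped</string>
</dict></plist>"""
# Same file after a careless edit: the ampersand is no longer escaped.
BROKEN = SAMPLE.replace(b"&amp;", b"&")

if __name__ == "__main__":
    for label, data in (("sample", SAMPLE), ("broken", BROKEN)):
        print(label)
        for finding in audit(data):
            print("  -", finding)
```

To check a real endpoint, pass the bytes read from /Library/Application Support/Avecto/Defendpoint/defendpoint.plist to audit.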