Design a Message in Privilege Management
You can configure the following aspects of a message:
- Message Header Settings
- User Reason Settings
- User Authorization
- Sudo User Authorization
- Challenge / Response Authorization
As you change the message options, click Update to see the changes. Program and content information is shown with placeholders.
After you configure the message options, you can configure message Text, which includes the ability to configure different languages.
The options here are preselected based on the type of message that you create, but can be overridden if required.
For more information, please see Use Message Text Options to Build Your Message.
Message Header Settings
The message header is shown highlighted here:
- Header Style: This is preconfigured. You can choose to remove the header entirely or select from one of the templates provided. Choose from:
  - No Header
  - BeyondTrust Privilege Management Header
  - Warning Header
  - Question Header
  - Error Header
- Show Title Text: This box is checked by default. You can uncheck it to remove the text adjacent to the icon if required.
- Text Color: This controls the color of the text adjacent to the icon. To change the color of the text, click the Custom option and select the color you require.
- Background Type: This option controls the color behind the text and icon. If you select Solid, only Color 1 is available for you to change. If you select Gradient, both Color 1 and Color 2 can be configured. If you select Custom Image, you can't configure the colors, because you will upload a custom image in the next section.
- Custom Image: You can choose from one of a number of preset custom images or you can click Manage Image to upload one of your own. The recommended image size is 450 pixels wide and 50 pixels high.
- Color 1: Select the color for a Solid background or the first color for a Gradient background.
- Color 2: Select the second color for a Gradient background.
User Reason Settings
This option determines whether to prompt the end user to enter a reason before an application launches (Allow Execution message type) or to request a blocked application (Block Execution Message type).
You can choose to have a text box below the message to allow the end user to enter a reason. This is already selected for you for the Reason Required Message but you can override it here if required. Choose from Off or Text box in the Show User Reason Prompt dropdown. The predefined dropdown entries can be configured on the Message Text tab.
User Authorization
- Authorization Type: Select from None, User must authorize, or Designated user must authorize.
  - User must authorize: Select to force the user to reenter their credentials and confirm they want to run the application.
  - Designated user must authorize: Select to designate which users can authorize the message. Add users from Designated Users.
- Authentication Method: Select from Any, Password only, or Smart card only. Select Any to allow authentication using password or smart card / YubiKey authentication. When Password only is selected, Username and Password fields are added to the message. When Smart card only is selected, Username and PIN fields are added to the message.
- Designated Users: If you select Designated user must authorize, click the ellipsis (...) button to add the users who can authorize the message.
If you select a method that is not available to the user, then the user cannot authorize the message.
For more information about smart card authentication in Privilege Management for Mac, please see the Privilege Management for Mac Administration Guide.
Sudo User Authorization
You can use the Don't ask for password if already entered dropdown to control how frequently the user has to enter a password to use the sudo command. This text option is only enabled if the User Authorization has been set to User must authorize or Designated user must authorize. The available options are:
- Ask every time
- Less than 1 minute ago
- Less than 5 minutes ago
- Less than 15 minutes ago
- Only ask once per session
Challenge / Response Authorization
You can check the Enabled box for Challenge/Response Authorization to add a challenge code to the Message. This box is already checked if you selected a challenge Message. If you have already created a Workstyle with a challenge Message, then the policy will already have a challenge / response key. Select Change Key and enter a new challenge / response code twice to change it.
Enabled: Set this option to Yes to present the user with a challenge code. In order for the user to proceed, they must enter a matching response code. When this option is enabled for the first time, you will be prompted to enter a shared key.
You can click Edit Key to change the shared key for this message.
After the third failure to enter a valid response code, the message will be canceled and the challenge code will be rejected. The next time the user attempts to run the application, they will be presented with a new challenge code. Failed attempts are accumulated even if the user clicks Cancel between attempts.
For more information, please see Challenge / Response Authorization.
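The retry rules described above, modelled as an added example (not BeyondTrust code). The three-failure limit and the accumulation of failures across Cancel come from the text; the response derivation (HMAC-SHA256 over the challenge, reduced to eight digits), the single-use rule on success, and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

MAX_FAILURES = 3  # from the text: the third invalid response cancels the message


def expected_response(shared_key: bytes, challenge: str) -> str:
    # Assumed derivation for illustration only: HMAC-SHA256 of the challenge
    # under the shared key, reduced to eight decimal digits.
    digest = hmac.new(shared_key, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class ChallengeSession:
    """Hypothetical endpoint-side state for one application's challenge."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key
        self.challenge = None
        self.failures = 0

    def prompt(self) -> str:
        # A new code is issued only when none is outstanding. Reopening the
        # message after Cancel shows the same code with the same failure count.
        if self.challenge is None:
            self.challenge = f"{secrets.randbelow(10**8):08d}"
            self.failures = 0
        return self.challenge

    def cancel(self) -> None:
        # Cancel closes the dialog but keeps the challenge and the counter,
        # so cancelling cannot be used to reset the attempt limit.
        return None

    def submit(self, response: str) -> str:
        if self.challenge is None:
            raise RuntimeError("no outstanding challenge; call prompt() first")
        good = expected_response(self._key, self.challenge)
        if hmac.compare_digest(response.encode(), good.encode()):
            self.challenge = None  # assumed single use once accepted
            return "authorized"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.challenge = None  # reject this code; next prompt() is fresh
            return "canceled"
        return "retry"
```

Keeping the counter tied to the outstanding challenge rather than to the dialog is what makes the limit hold when the user cancels and reopens the message.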