Endpoint Privilege Management for Mac 21.1 Release Notes

February 9, 2021

New Features and Enhancements:

  • Smart cards can now be used to authenticate passive authorization dialogs. These are authorization dialogs which are displayed when PMfM either doesn't have a matching rule, or when the rule that is matched is configured as passive. Smart card enforcement is also supported in passive authorization dialogs.
  • Previous releases of PMfM would attempt to load both kernel extension and system extension when installing. In this release, PMfM will only load the recommended extension on the given macOS version. In addition, separate config profiles will be shipped depending on whether the customer needs to use kernel extensions or system extensions (macOS 10.15+).
  • Messages configured to allow either password or smart card authentication are now supported.
  • Messages configured to allow designated users and/or groups to authorize smart card messages are now supported.
  • Added smart card support for sudo commands.

Issues Resolved:

  • Resolved an issue which could cause two versions of the system extension to be activated when there should have been only one.
  • Resolved an issue which caused a 250 second delay when a user logs into PMfM for the first time.
  • Resolved an issue which allowed the audit log (/var/log/defendpoint/audit.log) to be readable by anyone. It is now readable only by its owner, root. This change prevents the log from being viewed using the Console application.
  • Resolved issue which caused installation packages to fail on Apple Silicon devices.
  • Resolved an issue associated with macOS 10.15 and 11.0 systems, and protected by SIP, that caused scripts to run passively when using a path that contained an intermediate parent directory reference.
    • /usr/local/../bin/zdiff is susceptible to the bug.
    • /user/bin/zdiff is not susceptible, as it does not contain a parent directory reference.
    • $TMPDIR/local/..bin/script.sh is not susceptible, because the path is not protected by SIP.

Compatibility:

  • Endpoint Privilege Management Policy Editor 21.1
  • Endpoint Privilege Management ePO Extension 5.7
  • Endpoint Privilege Management Console Adapter 2.4 SR2
  • BeyondInsight Adapter 5.6

If you have a business requirement to downgrade the Mac client, please first uninstall the currently installed version.

Supported Operating Systems:

  • macOS 11.0 Big Sur
  • macOS 10.15 Catalina
  • macOS 10.14 Mojave

Notes:

  • This version is compatible with both Intel and Apple Silicon Mac chips.