Endpoint Privilege Management for Mac 21.3 Release Notes

May 27, 2021

New Features and Enhancements:

  • We now support multi-factor authentication (MFA) using an identity provider via OpenID Connect (OIDC). This can be configured using the Microsoft Management Console (MMC) Policy Editor.

    Privilege Management for Mac does not support OIDC for Sudo messaging, and Sudo commands which are configured to show an OIDC message are blocked.

  • As part of the identity provider feature above, we added support to configure the type of logic used for authentication and authorization message components, for example, designated user or challenge response. Existing policies continue to behave the same: the logic between message components defaults to AND logic.
  • The status menu now has a context menu to show users the client version, computer name, policy source, and policy version. If the policy source is BeyondInsight, we also allow the user to attempt to force a policy update rather than having to wait for the configured poll time.

Issues Resolved:

  • Resolved an issue in which EndpointSecurity occasionally sent a repeat package open request to defendpointd at the moment the request was denied.

Known Issues:

  • The new identity provider authentication feature's audit events for authorization requests do not contain the email address used to authenticate. This will be resolved in 21.4.


  • Endpoint Privilege Management Policy Editor 21.3
  • Endpoint Privilege Management ePO Extension 21.1
  • Endpoint Privilege Management Cloud Adapter 21.3
  • BeyondInsight Adapter 21.3

If you have a business requirement to downgrade the Mac client, please first uninstall the currently installed version.

Supported Operating Systems:

  • macOS 11.0 - 11.3 Big Sur
  • macOS 10.15 Catalina
  • macOS 10.14 Mojave