Privilege Management for Mac 5.5 Release Notes
November 5, 2019
New Features and Enhancements:
- Script control: The ability to control scripts via a new Application Type (Script Type). This allows system administrators to apply application rules to scripts, for example to allow the installation and management of development tools (e.g. Homebrew).
Issues Resolved:
- Resolved an issue where custodian re-writes custodian.plist even if one exists with custom content.
- Resolved an issue where TimeZoneAdminTool triggers a "(null)" auth as root which causes a loop in AV plugin.
- Resolved an issue where root processes using AEWP caused loss of focus due to security agent appearing in separate security session.
- Resolved issue where uninstalling 5.4.51 does not release auth rights correctly, leaving ignored rights in DB in a poor state.
- Resolved issue where every time Privilege Management is installed a new _avectodaemon is added to the HiddenUsers array in Defaults.
- Resolved issue where authorization plugin string values were not NULL terminated.
- Resolved issue where the sudo plugin becomes unusable when editing account permissions.
- Resolved issue where 'Copying' progress bar has issues with determining the size of large files.
- Resolved issue where the Privilege Management GUI was not loading in some instances.
- Resolved issue where the Policy Invalid event was not generated.
- Resolved issue where MonitorBase doesn't always clean up its process hashes.
Known Issues:
- The Privilege Management Finder extension can fail to load correctly on installation. The extension can be enabled manually by the end user or by deploying a script.
- AEWP can cause the authorization plugin to restart constantly.
- ?* auth req URI wildcarding can match on empty strings.
- Unable to control authorizations from GarageBand updater.
- Unable to control authorization from Xcode that adds users to the _developer group. This can be done via a deployed script or on the endpoint using a command.
- Unable to effectively control authorization prompts triggered via AEWP / Security_AuthTrampoline. AEWP is a deprecated function.
Catalina Known Issues:
- Cannot control auth prompt where a Standard User installs apps through the App Store. The application will install regardless of user interaction.
- Cannot control auth prompt for Console.app when run as Standard User. Standard Users can still use the CaptureConfig utility for collecting logs for support.
- Unable to suppress Privilege Management enabling notification messages when the user first logs in after installation.
Compatibility:
- Privilege Management Policy Editor 5.5
- Privilege Management ePO Extension 5.5
- Privilege Management Console Adapter 2.4.44323.0
- BeyondInsight Adapter 5.4
If you have a business requirement to downgrade the Mac client, please first uninstall the currently installed version.
Supported Operating Systems:
- macOS 10.15 Catalina
- macOS 10.14 Mojave
- macOS 10.13 High Sierra
Notes:
- Privacy Preferences Policy Control (PPPC) prompts can be suppressed via a deployable MDM profile. BeyondTrust can provide the profile to customers.
- For standard users to use Homebrew effectively, you must download the Homebrew script and remove the following lines:
    elsif ! `dsmemberutil checkmembership -U "#{ENV[ "USER" ]}" -G admin `.include?("user is a member")
    abort "This script requires the user #{ENV[ "USER" ]} to be an Administrator."