Least Privilege Management for Mac OS

Typically, every Mac® user receives local administrator access or knows the administrator account password by default. This can create serious security, compliance and operational challenges for desktop and operations teams. Given the proliferation of corporate-supported Macs and Bring Your Own Device (BYOD) programs, it’s clear that IT organizations face a growing problem. Until now, there has been no effective or efficient solution to address the problem of OS® users with excessive privileges.

How can IT organizations efficiently remove Mac administrator rights and enforce least privilege without impacting Mac user productivity?

Least Privilege and Application Control for Mac OS

BeyondTrust® PowerBroker® for Mac reduces the risk of privilege misuse by enabling standard users on Mac OS to successfully perform administrative tasks without entering elevated credentials. With PowerBroker for Mac, IT organizations can easily enforce least privilege policies and close security gaps, while improving operational efficiency, and achieving compliance and regulatory objectives.

Other least privilege solutions for Mac are command-line driven and awkward to use in conjunction with similar solutions for Windows desktops. PowerBroker for Mac makes least privilege management for OS simpler while offering the same UI experience as PowerBroker for Windows and PowerBroker for Unix & Linux.

PowerBroker for Mac - How It Works

Key Capabilities

Least privilege made simple

Monitor application launches on Apple Mac®, Macbook®, Macbook Pro®, Macbook Air®, or Xserve® and elevate them to the proper permissions without prompting for administrator credentials.

Extensive rule library speeds results

Reduce risk on Mac OS assets immediately with rules for more than 40 of the most popular applications that require privileges from Microsoft, Adobe, Apple and VMware. Define custom rules based on application and path, or Shell Rule.

Centralized policy management across all platforms

Centrally manage all policies via web services, or hosted locally for air-gapped implementations.

Policy editor enhances productivity

Minimize the number of products needed to manage least privilege across all endpoints through the PowerBroker Policy Editor. Enhance IT productivity by providing the same user experience for both Windows and Mac.

Least privilege in heterogeneous environments

Utilize PowerBroker PAM Platform to manage least privilege in a unified control panel across all Windows, Mac, Unix and Linux environments.

Key Features


  • Allow Admin access where needed: Default all Mac users to standard privileges, while enabling elevated privileges for specific applications and tasks without requiring full administrative credentials.
  • Block malicious activity: Enforce restrictions on software installation, usage and Mmc OS configuration changes.


  • Flexible policies: Create privileged identity policies to selectively target applications, installers, auto updates, and system preferences for application-based elevation. Deploy hosting policies via web services for PowerBroker for Mac clients (as well as PowerBroker for Windows clients).
  • Single policy across multiple environments: Enable a single policy to manage privileged applications and Windows guests for OS users of BootCamp, VMware Fusion, Parallels, or Virtual Box for complete management of multi-operating system asset implementations.
  • Smart rules: Match applications to rules automatically based on asset-based policies. Leverage smart rules for alerting and grouping of OS devices and events.
  • Identity-based management of policy: manage access policy by a variety of parameters, including: security group, user name, computer name, IP Range, and user type (Admin/Domain/Local).


  • Automatic logging for visibility: Log all privileged events automatically for complete visibility and reporting through web services hosted on the unified PowerBroker Privileged Access Management platform.
  • Extensive reporting: Deliver dedicated asset views for asset inventory and privilege event detection and elevation.
  • Understand and communicate risk: Leverage an interactive, role-based reporting and analytics console, backed by a centralized data warehouse for ongoing audits of privilege management activities.


  • Simplify the user experience: Eliminate the need for end users to require two accounts, or administrative credentials, to perform privileged tasks.
  • Ensure adoption and usability: Provide a modern, easy-to-use interface for end-users, plus an innovative dashboard for solution owners.


PowerBroker for Mac supports Mac OS Yosemite, El Capitan and Sierra.

Read the complete Data Sheet!

Download Now