Protecting Mac OS X from Privilege Elevation Attacks and Related Endpoint Security Risks

Study after study shows the growth of Macs in the enterprise. At its core, the Mac is just another flavor of Unix, and the bad guys don’t care what your users are running. Moreover, I would propose that your Mac users tend to be among the most desirable targets at your organization – not because they use a Mac, but because critical knowledge workers and decision makers, the folks with access to your most critical information and resources, often prefer Macs and have the organizational clout to justify a more expensive endpoint or to simply buy their own.

So it's time to pay attention to Mac OS X security, and in particular to least privilege. By default, users run with root authority. You might as well forget everything else you do in terms of endpoint security if your end users are running with full, uncontrolled root access.

Apple agrees. Note this excerpt from the Mac Developer Library, which recommends that you “log in as an administrator only when performing the rare tasks that require admin privileges. Because the default setting for OS X is to make the computer's owner an administrator, you should encourage your users to create a separate non-admin login and to use that for their everyday work. In addition, if possible, you should not require admin privileges to install your software.”

If that sounds like déjà vu, then you have probably had to deal with a very similar challenge in Windows. Obviously, it’s impractical to expect users to follow time-consuming and intrusive least privilege procedures on their own. It just won’t happen.

The traditional way to implement least privilege on UNIX is with sudo, but sudo is targeted at the command-line-based UNIX sysadmin, not an end user of a GUI-based system like a Mac. So even though OS X supports sudo, its applicability to this problem is very limited at best.

In this webinar, Randy Franklin Smith explores the issues and features in OS X related to least privilege. He'll show the steps Apple has taken so far to help you prevent end users from running with root authority without breaking the “it just works” Apple experience they expect or hindering their productivity. And you'll learn what operations in OS X really require admin authority, such as:

  • manipulating file permissions and ownership
  • creating, reading, updating, or deleting system and user files
  • opening privileged ports (those with port numbers less than 1024) for TCP and UDP connections
  • opening raw sockets
  • managing processes
  • reading the contents of virtual memory
  • changing system settings
  • loading kernel extensions

And you'll see what breaks when you try to run an end user as a non-root account and what your options are to fix their experience.

Beyond just controlling root access, there is the need to control what applications users can open and what areas of the system they can modify, not to mention the need for visibility into and auditing of how Mac endpoints are being used.
