We’ve got a single, overarching goal when it comes to our local admin rights solution for macOS: we want to provide just as much protection, customization, and capability for our Mac users as we provide for our Windows users.
Our latest release adds a stack of core features to Admin By Request for macOS, making it the most feature-packed Privileged Access Management solution for Mac on the market, and bringing it closer than ever before to our Windows solution.
Here’s the latest on Admin By Request 3.2 for macOS.
New in 3.2
Version 3.2 introduces four more core features:
1. Break Glass / LAPS replacement feature – Break Glass creates a new, temporary, one-time-use Administrator account on an endpoint that works on domains, Azure AD, and stand-alone, audits all elevated activity, and terminates within a pre-defined amount of time or on log out.
2. Events and Alerting capabilities – Major events on endpoints, such as updating Admin By Request, tampering attempts and administrative logons, are reported to the User Portal Inventory under a new ‘Events’ tab in the left-hand menu. Suspicious activity triggers an alert on the User Portal.
3. OPSWAT MetaDefender’s Cloud API malware protection – When a user requests to run a file, malware checks are performed on the file using 35+ anti-virus engines (including CrowdStrike Falcon ML, BitDefender, McAfee, and Kaspersky) before it is executed.
4. Application Blocklisting – Blocking / Blocklisting (previously ‘Blacklisting’) is back on the feature menu in Admin By Request 3.2, now with the option to block based on application vendor within your User Portal.
The following minor updates have also been added:
- Diagnostics for technical support can be submitted from the Inventory without accessing the endpoint. Support will instruct users on how to do this when required.
- Universal time is collected from endpoints to show a unified time in your User Portal.
- Compatibility issues with Monterey v12.3. Monterey 12 were fixed in version 3.1.
- Also in v3.1, functionality was added to enable the Inventory to automatically update when a device is renamed.
Local Administrator Accounts
By default, users logging into a Mac are not downgraded from administrator to user unless the setting ‘Revoke admin rights’ is enabled in the portal and the user is not in the excluded accounts list. Not all users are downgraded immediately because you may have service accounts that you have forgotten to add to the excluded accounts list. Also, if someone cleared the excluded accounts list and clicked ‘Save’ by mistake, the result would be unusable Mac endpoints: no users would be able to gain elevated privileges, and they would instead have very limited ability on their devices.
If a Mac is bound to an Active Directory, all local admin users will be downgraded unless listed in the excluded accounts setting. Admin By Request respects any group defined in the Directory Utility under "Allow administration by" and will not downgrade these users.
If no administrator groups are defined, the client will automatically grant administrator rights to members of the default Active Directory "Domain Admins" group. This is to prevent machines from ending up with no administrator accounts if the Active Directory binding is not set up correctly.
The portal has two levels of settings for Mac users. Mac Settings apply to all users by default, unless overridden under Mac Sub Settings. With sub settings, you can define special settings based on Active Directory computer or user groups and/or Organizational Unit(s). This can be used to allow sudo access for developers or to automatically approve requests from users in the IT department. This feature is only available if the Mac is bound to an Active Directory or is using NoMAD or Idaptive. Sub settings can also be used by specifying machine / user groups in the policy file. See Mac Policies for more information.
For security reasons, sudo access is disabled during administrator sessions by default. This can be enabled in the settings or a policy file (see Mac Policies). We do not recommend enabling sudo access unless absolutely necessary. Admin By Request has checks in place to prevent system tampering using sudo, but due to the root-level access, it is impossible to fully protect against tampering using sudo. If only certain commands need to be run with sudo, consider using the built-in /etc/sudoers file. The Admin By Request sudo settings will not override normal /etc/sudoers settings.
Admin By Request does not require any system extensions, unless you enable the Application Blocking feature introduced in version 3.2. If you use Application Blocking or the App Store blocking, the kernel extension has to be pre-approved using the following data:
- Team ID: AU2ALARPUP
- Bundle ID: com.fasttracksoftware.adminbyrequest.extension
You can verify that the system extension is installed in the Inventory in your User Portal: under ‘System Information’ in the client inventory details, there is an entry that shows whether the system extension is installed or not.
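The same fact can be cross-checked locally on the endpoint. The script below is an added example, not Admin By Request's own tooling: it parses the output of macOS's `systemextensionsctl list` for the Team ID and Bundle ID given above and distinguishes an enabled extension from one still waiting for approval. The function names and the sample listing are constructed here; the category line, version and display name in the sample are assumptions.

```shell
#!/bin/sh
# Added example: check `systemextensionsctl list` output for the Admin By
# Request system extension. The listing is read on stdin so the check can be
# run against live output or a saved copy.
ABR_TEAM_ID="AU2ALARPUP"
ABR_BUNDLE_ID="com.fasttracksoftware.adminbyrequest.extension"

# Prints "enabled", "pending: <state>" or "absent".
# Return code: 0 = activated and enabled, 1 = listed in another state
# (e.g. pre-approval profile not applied), 2 = not listed at all.
abr_sysext_state() {
    awk -F '\t' -v team="$ABR_TEAM_ID" -v bundle="$ABR_BUNDLE_ID" '
        # Data rows: enabled, active, teamID, "bundleID (version)", name, [state]
        NF >= 6 && $3 == team && index($4, bundle " (") == 1 {
            state = substr($NF, 2, length($NF) - 2)   # strip [ and ]
            found = 1
            if (state == "activated enabled") ok = 1
            else other = state
        }
        END {
            if (ok)    { print "enabled"; exit 0 }
            if (found) { print "pending: " other; exit 1 }
            print "absent"; exit 2
        }'
}

# Constructed sample listing; category, version and name are assumptions.
abr_sample_listing() {   # $1 = state text, e.g. "activated enabled"
    printf '%s\n' '1 extension(s)'
    printf '%s\n' '--- com.apple.system_extension.endpoint_security'
    printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
    printf '*\t*\t%s\t%s (3.2/1)\tAdmin By Request\t[%s]\n' \
        "$ABR_TEAM_ID" "$ABR_BUNDLE_ID" "$1"
}

# On a Mac, check the live listing; elsewhere, show the parser on the sample.
if command -v systemextensionsctl >/dev/null 2>&1; then
    systemextensionsctl list | abr_sysext_state || true
else
    abr_sample_listing "activated waiting for user" | abr_sysext_state || true
fi
```

A "pending" result on an endpoint where Application Blocking is enabled suggests the pre-approval for the Team ID and Bundle ID has not reached that device.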
You can use a local policy file to override all portal settings locally. Refer to Mac policies for more information. Any setting defined in the policy file will override both default and sub settings. The policy file is locked during an Admin By Request administrator session, so users are unable to tamper with policy settings.
To prevent tampering with Admin By Request, the software monitors all important files during an administrator session. By default, sudo access is also disabled to prevent calling system-critical tools and user management from the terminal. The service also monitors users and groups during the session to prevent tampering if sudo access is enabled. If Admin By Request detects that the clock has been changed, the administrator session will be ended instantly to prevent users from extending their session.
In your User Portal, navigate to the Inventory page and select the device you want to perform the uninstall on. Select PIN Code from the left-hand menu, and choose the Uninstall Pin tab from the top menu on this page. Click the Generate PIN button, and copy the PIN that is displayed. On the device you want to uninstall Admin By Request on, select the Admin By Request icon from the top toolbar, and click About Admin By Request. In the System window, paste the PIN copied from your User Portal, and select Uninstall.
Removed in macOS Version 3.0 Onwards:
- Last Admin Check – removed in 3.0. The Last Admin Check feature is no longer relevant thanks to the addition of the PIN Code uninstall feature. The purpose of the Last Admin Check was to ensure that you always have at least one administrator account left, but it is no longer necessary because you can now use PIN Code uninstall to remove the software on the endpoint and regain local admin rights (in the case of accidentally downgrading all users to standard user).
- Log Files – this service previously logged helpful information such as software version, detected Active Directory settings, admin downgrades, and similar changes to /var/log/adminbyrequest.log. It has been replaced in recent versions with functionality to submit diagnostics information from the About window, under Diagnostics.