262-299-4600 • Email us

Policies on Mac

Settings in the Admin By Request client application are controlled under "Mac Settings" in the "Settings" menu, when signed in to the portal. If you for what-ever reason want to overrule these settings on specific clients, you can set overruling policies in a policy file.


Please note that we do not recommend that you use a policy file to control client behavior. Instead, we recommend that you use portal settings and sub settings for better transparency and for real-time control of computers off your LAN. If you have any questions about portal settings or would like a demo of these, please feel free to contact us.

Overruling portal settings

To overrule portal settings with a policy file, edit this file:

/Library/Application Support/Admin By Request/adminbyrequest.policy

Note that this file is protected during administrator sessions and can therefore not be hacked by end-users. The file is in json format and has an example non-used setting by default, as shown below. Simply add more settings from the table below to overrule web settings.

{
      "ExampleSetting": "ExampleValue"
}


KeyTypeDefaultDescription
AdminMinutesInteger15Number of minutes the user is administrator. This can also be set in your portal settings.
AllowAppStoreBoolean1Allow users to install software from the App Store without admin rights or an active Admin By Request session.
AllowSudoBoolean0Allow users to run sudo commands. Should not be enabled unless there is a good reason to, because it allows the user to tamper the endpoint software.
CompanyNameStringOverrules the company name that appears on user interfaces, which is by default the licensed company name.
ComputerGroupsArray of StringsComputer groups to match machine to sub settings when not using Active Directory.
DockIconBoolean1Place an icon in the dock.
ExcludedAccountsArray of stringsList of accounts that will not be downgraded to user role, such as service accounts.
EnableSessionsBoolean1User can request an admin session.
EnableAppElevationsBoolean1User can authenticate apps without session.
InstructionsStringBody text on Code of Conduct ("Instructions") screen.
InstructionsHeaderStringHeader text on Code of Conduct ("Instructions") screen.
LogoUrlStringUrl to download logo from. If not specified, default icons will be used.
RemoveRightsBoolean1Downgrade users from Admin to User, unless the account is in excluded accounts or is a domain administrator in on a domain joined Mac.
RequireApprovalBoolean0Elevate without requiring someone to approve requests.
RequireReasonBoolean1Require reason to elevate.
RequireAppApprovalBoolean0Elevate Run As Admin without requiring someone to approve requests.
RequireAppReasonBoolean1Require reason to Run As Admin.
ShowInstructionsBoolean0Show Code of Conduct screen.
UploadInventoryBoolean1Upload inventory data to the portal.
UserGroupsDictionary with array of stringsUser groups to match machine to sub settings when not using Active Directory.

Overruling groups for subsettings

With the addition of the ComputerGroups and UserGroups keys in macOS version 3.0, see the example below:

{
      "ComputerGroups": ["Accounting", "USA"],
      "UserGroups": {
          "jane": ["Developers", "Germany"],
          "john": ["Accountants"],
}





LATEST CYBERSECURITY BLOGS

Secure By Design Series - Part 2

In this blog, PowerON’s Steve Beaumont continues his delve into Admin By Request's Privileged Access Management (PAM) solution, this time focusing on sub-settings, application elevation tools, and auditing capabilities.

Dear Hacker, Better Luck Next Time.

There's no denying that hackers are good. We see this reflected in the frequent cyberattack stories that populate the news channels almost daily - most recently, the Lapsus$ attack on Okta. What we don't hear so much about? That Privileged Access Management software is better.

Revoke: No Big Deal, No Big Squeal

Adopting a less ‘pig-headed’ approach to removing Local Admin rights from staff will always return happier project outcomes.