Documentation

Endpoint Software > macOS Client.

Documentation Menu

Jump to:

Admin By Request Version 4.0 for macOS is here, adding new and improved core features including application Pre-Approval and Run as Admin. Download it today and kick the year off with comprehensive cybersecurity across all operating systems.

 
10 years ago, macOS held roughly a 7% market share in operating systems worldwide according to Statcounter Global Stats. Today it’s sitting at around 14%. Where will it be in another 10 years? If the current trend is anything to go by, our estimate is around the 28% mark.
 
The number of macOS devices in enterprise is increasing, and the number of security products for those devices needs to do so at the same rate. When it comes to our local admin rights solution for macOS, we want to provide just as much protection, customization, and abilities for our Mac users, that we provide for our Windows users, which means offering the same comprehensive feature set to all our customers, regardless of operating system.
 
Version 3.2 brought the Break Glass/LAPS replacement feature, Events and alerting capabilities, integration with OPSWAT’s MetaDefender Cloud API, and application Blocklisting. Version 4.0 adds four more features to the set, making it the most feature-packed Privileged Access Management (PAM) solution for Mac on the market, and bringing it closer than ever before to our Windows solution.
 

New in 4.0

With v4.0 comes upgraded Pre-Approval, a more comprehensive, efficient, and intuitive Run as Admin feature, Machine Learning Auto-Approvals, and support for Azure AD groups for use in Sub-Settings. Read the details below.
 
 

Pre-Approval

Pre-Approval (known sometimes as Whitelisting) refers to the method of working out which applications are frequently used and trusted, and adding them to a list which automatically allows users to elevate them when they need to (essentially the opposite to Blocklisting/Blacklisting – creating a list of applications which cannot be elevated). This method of ‘allow most, deny some’ has proven extremely resource-efficient for large enterprises compared to the method of denying all apps and only allowing elevations on a case-by-case basis.
 
Admin By Request v4.0 for macOS now allows for Pre-Approval of trusted applications. Once an application has been installed with Admin By Request, navigate to its corresponding entry in your User Portal Auditlog, expand on the entry, and select Pre-approve this file next to Pre-Approve (in the Actions section):
 
 
The list of Pre-Approved applications can be found under Settings > Mac Settings > Applications > Pre-Approval:
 
 
 
Pre-Approval is based on the application vendor or checksum.
 
You can also use the following commands to get the vendor’s name for the files for Pre-Approval, without having to use the Auditlog in your User Portal:
 

For applications (.app):

 
  • Command: codesign -d -vv /path/app.app
  • Result: Authority=Developer ID Application: VideoLAN (75GAHG3SZQ)
 

For packages (.pkg):

 
  • Command: pkgutil –check-signature /path/app.pkg
  • Result: Developer ID Installer: Oracle America, Inc. (VB5E2TV963)
 
Where VideoLAN (75GAHG3SZQ) and Oracle America, Inc. (VB5E2TV963) are the vendors.
 
 

Run as Admin

The core Admin By Request Run as Administrator feature which allows for the elevation of a single application is new and improved in version 4.0. This feature negates the need for uses to initiate an Admin Session (i.e., an extended period of time during which the user has elevated privileges on the device) to simply install on program. Elevating a single file is the much safer option compared to elevating the user’s privileges across the endpoint.
 
Previously only supporting package files (.pkg), this feature now supports application (.app) files. Once you’ve downloaded the file for installation, drag and drop it over the Admin By Request Dock icon. A pop-up will appear asking for your credentials – simply enter them and hit Ok to Run the installer as Admin.
 
Watch the GIF below to see it in action:
 
 
 

Machine Learning

The idea behind Machine Learning Auto-Approval is to kill two birds with one stone by allowing customers to build a Pre-Approved list as their employees use the software. This removes the need for enterprises to spend considerable amounts of time and effort figuring out and manually configuring which applications should be pre-approved ahead of time.
 
Instead, it allows you to create a simple rule that says, ‘if approval for an application elevation occurs X amount of times, that application is now automatically approved from then on’. This allows the system to handle creating the list of applications that are safe for approval, as applications are used.
 
Read the full documentation here.
 
 

Azure AD Support

A huge selling point for Admin By Request PAM solution is its flexibility and tools for granular access control; organizations can configure every setting to their specific needs and the needs of all, some, or individual users. Settings act as rules, such as whether the Run as Admin or Admin Session features are enabled, and whether or not users need approval to use them. You likely wouldn’t want the rules applied for an IT Administrator to be the same as those applied for a Customer Relations employee, so settings can be differentiated based on Sub-Settings, which allow different rules to be applied to different users and/or groups.
 
With macOS v4.0, we’ve built in support for Azure AD groups, meaning you can now apply Sub-Settings to existing Azure AD user and device groups.
 
Get this feature working using our Azure AD Connector integration, found under Settings > {OS Settings} > Authorization > Azure AD:
 
 
Read the documentation for the Azure AD Connector here.
 
The connector configuration is shared between Windows, macOS and Linux, so if you’ve already configured it for Windows, it does not need to be re-configured for macOS.

Prerequisites

Before you get macOS v4.0 up and running, you need to ensure Admin By Request has full disk access on your Mac endpoints.

Enable Full Disk Access (FDA)

Immediately after installation, FDA must be enabled to allow Admin By Request to fully protect Mac endpoints.

NOTE: The adminbyrequest application must be installed first, so that it appears in the list of apps available under Full Disk Access.

The following procedures describe three ways to enable FDA:

  • (1) On the Mac (for macOS 12 and macOS 13)
  • (2) Using Jamf
  • (3) Using Intune

(1) Enabling FDA on the Mac

The procedure to enable FDA is slightly different for different macOS versions. The following steps describe how to enable FDA on Apple Macs running:

  • macOS 12 (Monterey)
  • macOS 13 (Ventura)

macOS 12 (Monterey)

  1. On your Mac device, navigate to System Preferences > Security & Privacy > Privacy tab and select Full Disk Access from the list. You’ll need to supply your password to unlock and make changes.
  2. Select adminbyrequest in the list of apps (ensure the box is checked):
  3. Lock the tab to save changes.

macOS 13 (Ventura)

  1. On your Mac device, navigate to System Settings > Privacy & Security and select Full Disk Access from the list. You’ll need to supply your password to make changes.
  2. Select adminbyrequest in the list of apps (ensure the box is checked):
  3. Close System Settings.

(2) Enabling FDA using Jamf

Jamf uses Configuration Profiles to manage Mac endpoints:

  1. In Jamf, go to Computers > Configuration Profiles.
  2. Create a new profile and configure it as follows:
    1. Name: give the profile a name that helps explain what application it is giving rights to. In this example, we use ABR – PPPC.
    2. Category, select Applications.
    3. Distribution Method, select Install Automatically.
    4. Level, select Computer Level.
    5. Navigate from the General tab to the Privacy Preferences Policy Control
    6. Identifier, enter /Library/adminbyrequest/adminbyrequest.
    7. Identifier Type, select Path.
    8. For Code Requirement, enter the following exactly as stated below
      (Tip: copy/paste this text to ensure accuracy):

identifier “com.fasttracksoftware.adminbyrequest” and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AU2ALARPUP

IMPORTANT: If you do not enter the above code correctly, this procedure for enabling FDA will not work properly.

  1. Under App or Service, select SystemPolicyAllFiles and under Access, select Allow:

  1. Under App or Service, select Accessibility and under Access, select Allow:

  1. Save the profile.
  2. Deploy and use this profile to enable FDA for all your macOS endpoints.

(3) Enabling FDA using Intune

Similar to Jamf, Intune uses Configuration Profiles to manage Mac endpoints:

  1. In Intune, under Configuration Profiles, select Create Profile.
  2. Enter the following details into the Create a Profile form:
    • Platform: macOS
    • Profile type: Templates
    • Template name: ABR – FDA
  4. Click Create.
  5. Under Device restrictions, go to Configuration settings.
  6. Select Privacy preferences and click Add:

(3) Enabling FDA using Intune, Continued

  1. In the Edit Row form, enter the following:
    • Name: ABR – FDA
    • Identifier type: Path
    • Identifier: /Library/adminbyrequest/adminbyrequest
    • For Code Requirement, enter the following exactly as stated below
      (Tip: copy/paste this text to ensure accuracy):

identifier “com.fasttracksoftware.adminbyrequest” and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AU2ALARPUP

IMPORTANT: If you do not enter the above code correctly, this procedure for enabling FDA will not work properly.

Here is an example of the completed Edit Row form:

  1. Finally, allow Full disk access:

macOS How-Tos:

This section covers the steps involved to use other key features on a macOS endpoint.
  • Admin Session – To gain full administrator privileges on the endpoint for a period of time, either select the Admin By Request icon from the top toolbar, or locate and click the app icon from the Dock or Launchpad. Follow the prompts, wait for approval (if configured), and the session will commence, indicated by the timer in the bottom right-hand corner of your desktop.
  • Events & Alerting – Events are automatically sent to your User Portal; navigate to Inventory from the top menu, and select Events from the left-hand menu of the Inventory page.
  • PIN Code Uninstall – In your User Portal, navigate to the Inventory page and select the device you want to perform the uninstall on. Select PIN Code from the left-hand menu, and choose the Uninstall Pin tab from the top menu in this page. Click the Generate PIN button, and copy the PIIN that is displayed. On the device you want uninstall Admin By Request on, select the Admin By Request icon from the top toolbar, and click About Admin By Request. In the System window, paste the PIN copied from your User Portal, and select Uninstall.
  • Break Glass Account – See documentation here.
 
 

Technical Info

Local Administrator Accounts
By default, users logging into a Mac are not downgraded from administrator to user unless the setting ‘Revoke admin rights’ is enabled in the portal and the user is not in the excluded accounts list. The reason all users are not downgraded immediately is because you may have service accounts that you have forgotten to list in the excluded accounts list. Also, if someone cleared the excluded accounts list and clicked ‘Save’ by mistake, the result would be unusable Mac endpoints; no users would be able to gain elevated privileges and would instead have very limited ability on their devices.
 
 
Active Directory
If a Mac is bound to an Active Directory, all local admin users will be downgraded unless listed in the excluded accounts setting. Admin By Request respects any group defined in the Directory Utility under “Allow administration by” and will not downgrade these users.
 
 
 
If no administrator groups are defined, the client will automatically grant administrator rights to members of the default Active Directory “Domain Admins” group. This is to prevent machines from ending up with no administrator accounts if the Active Directory binding is not setup correctly.
 
Sub-Settings
The portal has two levels of settings for mac users. Mac Settings apply to all users by default, unless overridden under Mac Sub Settings. With sub settings, you can define special settings based on Active Directory computer or user groups and/or Organizational Unit(s). This can be used to allow sudo access for developers or automatically approve requests from users in the IT department. This feature is only available if the mac is bound to an Active Directory or using NoMAD or Idaptive. Sub settings can also be used by specifying machine / user groups in the policy file. See macOS Policies for more information.
 
Sudo
For security reasons, sudo access is disabled during administrator sessions by default. This can be enabled in the settings or a policy file (see macOS Policies). We do not recommend enabling sudo access unless absolutely necessary. Admin By Requests has checks in place to prevent system tampering using sudo, but due to the root-level access, it is impossible to fully protect against tampering using sudo. If only certain commands need to be run with sudo, consider using the build-in /etc/sudoers file. The Admin By Request sudo settings will not override normal /etc/sudoers settings.
 
System Extension
Admin By Request does not require any system extensions, unless you enable the Application Blocking feature introduced in version 3.2. If you use Application Blocking or the App Store blocking, the kernal extension has to be pre-approved using the following data:
 
  • Team ID: AU2ALARPUP
  • Bundle ID: com.fasttracksoftware.adminbyrequest.extension
 
You can verify that the system extension is installed in the Inventory in your User Portal: under ‘System Information’ in the client inventory details, there is an entry that shows whether the system extension is installed or not.
 
Machine Settings
You can use a local policy file to override all portal settings locally. Refer to macOS Policies for more information. Any setting defined in the policy file will override both default and sub settings. The policy file is locked during an Admin By Request administrator session, so users are unable to tamper policy settings.
 
Tampering
To prevent tampering with Admin By Request, the software monitors all important files during an administrator session. During a session, access to the Users & Groups preference panel is disabled to prevent users from adding new administrators. And, by default, sudo access is disabled to prevent calling system critical tools and user management from the terminal. The service also monitors users and groups during the session to prevent tampering if sudo access is enabled. If Admin By Requests detects that the clock has been changed, the administrator session will be ended instantly to prevent users from extending their session.
 
Uninstall
In your User Portal, navigate to the Inventory page and select the device you want to perform the uninstall on. Select PIN Code from the left-hand menu, and choose the Uninstall Pin tab from the top menu in this page. Click the Generate PIN button, and copy the PIIN that is displayed. On the device you want uninstall Admin By Request on, select the Admin By Request icon from the top toolbar, and click About Admin By Request. In the System window, paste the PIN copied from your User Portal, and select Uninstall.
 
 

Removed in macOS Version 3.0 Onwards:

  • Last Admin Check – no longer relevant, removed in 3.0 – the Last Admin Check feature is no longer relevant thanks to the addition of the PIN Code uninstall feature. The purpose of the Last Admin Check was to ensure that you always have at least one administrator account left, but is no longer necessary because you can now use PIN Code uninstall to remove the software on the endpoint and regain local admin rights (in the case of accidentally downgrading all users to standard user).
  • Log Files – this service previously logged helpful information such as software version, detected Active Directory settings, admin downgrades, and similar changes to /var/log/adminbyrequest.log. It has been replaced in recent versions with functionality to submit diagnostics information from the About window, under Diagnostics.
 

Summary

This latest update for macOS brings a heap of our staple Admin By Request features – previously only available for Windows users – to the table for macOS.
 
Download Admin By Request 4.0 for Mac for a comprehensive, flexible, simple, and effecting Privileged Access Management experience, unified across multiple operating systems. Existing customers can find it in their User Portal, under Top Menu > Download > Download Client for Mac. New users can get it for free on our lifetime Free Plan at this link.
 
 

Policies on Mac

Visit the macOS Policies page for more info.
 
 

Questions?

If you have any questions that haven’t been answered on this page, please contact us using the chat or the contact menu at the top of the page.