Policies for macOS

About Policies

Settings in the Admin By Request client application are controlled under “Mac Settings” in the Settings menu, when logged in to the portal. If, for whatever reason, you want to overrule these settings on specific clients, you can set overruling policies in a policy file.

IMPORTANT:

Please note we do not recommend that you use a policy file to control client behavior. Instead, we recommend that you use portal settings and sub settings for better transparency and for real-time control of computers not connected to your LAN.

A policy file can be used if you do not have Active Directory (AD) or Entra ID.

In the policy file, you can set up all groups to correspond to the sub settings in the ABR portal, as per the example under “Overruling groups for subsettings” below.

If you have any questions about portal settings or would like a demo of these, please feel free to contact us.

Overruling Portal Settings

To overrule portal settings with a policy file, edit this file:

   /Library/Application Support/Admin By Request/adminbyrequest.policy

Note that this file is protected during administrator sessions and therefore cannot be hacked by end-users. The file is in JSON format and contains an unused example setting by default, as shown below. Simply add more settings from the following table to overrule web settings.

    {
        "ExampleSetting": "ExampleValue"
    }

Also note that any change to the policy file will take effect after the next reboot. Alternatively, if a policy change must take effect immediately without a reboot, an admin user or MDM can restart the service using:

   sudo killall adminbyrequest

| Key | Type | Default | Description |
|---|---|---|---|
| AdminMinutes | Integer | 15 | Number of minutes the user is administrator. This can also be set in your portal settings. |
| AllowAppStore | Boolean | 1 | Allow users to install software from the App Store without admin rights or an active Admin By Request session. |
| AllowSudo | Boolean | 0 | Allow users to run sudo commands. Should not be enabled unless there is a good reason to, because it allows the user to tamper with the endpoint software. |
| CompanyName | String | | Overrules the company name that appears on user interfaces, which is by default the licensed company name. |
| ComputerGroups | Array of Strings | | Computer groups to match machine to sub settings when not using Active Directory. |
| DockIcon | Boolean | 1 | Place an icon in the dock. |
| ExcludedAccounts | Array of Strings | | List of accounts that will not be downgraded to user role, such as service accounts. |
| EnableSessions | Boolean | 1 | User can request an admin session. |
| EnableAppElevations | Boolean | 1 | User can authenticate apps without session. |
| Instructions | String | | Body text on Code of Conduct (“Instructions”) screen. |
| InstructionsHeader | String | | Header text on Code of Conduct (“Instructions”) screen. |
| LogoUrl | String | | URL from which to download logo. If not specified, default icons will be used. |
| RemoveRights | Boolean | 1 | Downgrade users from Admin to User, unless the account is in excluded accounts or is a domain administrator on a domain-joined device. |
| RequireApproval | Boolean | 0 | Elevate without requiring someone to approve requests. |
| RequireReason | Boolean | 1 | Require reason to elevate. |
| RequireAppApproval | Boolean | 0 | Elevate Run As Admin without requiring someone to approve requests. |
| RequireAppReason | Boolean | 1 | Require reason to Run As Admin. |
| ShowInstructions | Boolean | 0 | Show Code of Conduct screen. |
| UploadInventory | Boolean | 1 | Upload inventory data to the portal. |
| UserGroups | Dictionary with Array of Strings | | User groups to match machine to sub settings when not using Active Directory. |

Overruling groups for subsettings

The ComputerGroups and UserGroups keys (available since macOS version 3.0) set the groups used to match the machine to sub settings, as in the example below:

    {
        "ComputerGroups": ["Accounting", "USA"],
        "UserGroups": {
            "jane": ["Developers", "Germany"],
            "john": ["Accountants"]
        }
    }
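A pre-deployment check for a policy file, added here as an example and not part of Admin By Request's own tooling: it rejects text that is not valid JSON (curly quotes or a trailing comma pasted from a web page), type-checks keys against the table above, and flags overrides that weaken privilege removal. The function name, the sample policy and the acceptance of both `true`/`false` and `1`/`0` for Boolean keys are assumptions.

```python
import json

# Key -> expected type, transcribed from the table on this page.
BOOL_KEYS = ("AllowAppStore AllowSudo DockIcon EnableSessions EnableAppElevations "
             "RemoveRights RequireApproval RequireReason RequireAppApproval "
             "RequireAppReason ShowInstructions UploadInventory").split()
SCHEMA = {"AdminMinutes": "int", "CompanyName": "str", "Instructions": "str",
          "InstructionsHeader": "str", "LogoUrl": "str",
          "ComputerGroups": "strlist", "ExcludedAccounts": "strlist",
          "UserGroups": "groupmap", **dict.fromkeys(BOOL_KEYS, "bool")}

def _strlist(v):
    return isinstance(v, list) and all(isinstance(s, str) for s in v)

CHECKS = {
    "int": lambda v: type(v) is int,
    # Assumption: Boolean keys take JSON true/false or the 1/0 the table shows.
    "bool": lambda v: type(v) in (bool, int) and v in (0, 1),
    "str": lambda v: isinstance(v, str),
    "strlist": _strlist,
    "groupmap": lambda v: isinstance(v, dict) and all(map(_strlist, v.values())),
}

def lint_policy(text):
    """Return (errors, warnings) for the text of a policy file."""
    errors, warnings = [], []
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        hint = " (curly quotes present)" if set(text) & {"\u201c", "\u201d"} else ""
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}{hint}"], warnings
    if not isinstance(policy, dict):
        return ["top level must be a JSON object"], warnings
    for key, value in policy.items():
        if key == "ExampleSetting":  # unused placeholder in the default file
            continue
        kind = SCHEMA.get(key)
        if kind is None:
            warnings.append(f"{key}: not a documented key, check spelling")
        elif not CHECKS[kind](value):
            errors.append(f"{key}: expected {kind}")
    if policy.get("AllowSudo") in (1, True):
        warnings.append("AllowSudo on: user can tamper with the endpoint software")
    if policy.get("RemoveRights") in (0, False):
        warnings.append("RemoveRights off: admin accounts are not downgraded")
    return errors, warnings

# Constructed sample policy: a misspelled key plus one risky override.
SAMPLE = '{"ComputerGroups": ["Accounting", "USA"], "AllowSudo": 1, "AdminMinuts": 30}'
print(lint_policy(SAMPLE))
```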