Policies for macOS
About Policies
Settings in the Admin By Request client application are controlled under “
Please note we do not recommend that you use
If you do decide to use a policy file, it can be used when you do not have an AD or an Entra ID.
In the policy file, you can set up all groups to correspond to the Subsetting in the ABR portal, as per the example below:
If you have any questions about portal settings or would like a demo of these, please feel free to contact us.
Overruling Portal Settings
To overrule portal settings with a policy file, edit this file:
/Library/Application Support/Admin By Request/adminbyrequest.policy
Note that this file is protected during administrator sessions and therefore cannot be tampered with by end users. The file is in JSON format and contains an unused example setting by default, as shown below. To overrule portal settings, add settings from the following table.
{
  "ExampleSetting": "ExampleValue"
}
Also note that any change to the policy file will take effect after the next reboot. Alternatively, if a policy change must take effect immediately without a reboot, an admin user or MDM can restart the service using:
sudo killall adminbyrequest
Key | Type | Default | Description |
---|---|---|---|
AdminMinutes | Integer | 15 | Number of minutes the user is administrator. This can also be set in your portal settings. |
AllowAppStore | Boolean | 1 | Allow users to install software from the App Store without admin rights or an active Admin By Request session. |
AllowSudo | Boolean | 0 | Allow users to run sudo commands. Should not be enabled unless there is a good reason to, because it allows the user to tamper with the endpoint software. |
CompanyName | String | | Overrules the company name that appears on user interfaces, which is by default the licensed company name. |
ComputerGroups | Array of Strings | | Computer groups to match machine to sub settings when not using Active Directory. |
DockIcon | Boolean | 1 | Place an icon in the dock. |
ExcludedAccounts | Array of Strings | | List of accounts that will not be downgraded to user role, such as service accounts. |
EnableSessions | Boolean | 1 | User can request an admin session. |
EnableAppElevations | Boolean | 1 | User can authenticate apps without session. |
Instructions | String | | Body text on Code of Conduct (“Instructions”) screen. |
InstructionsHeader | String | | Header text on Code of Conduct (“Instructions”) screen. |
LogoUrl | String | | URL from which to download logo. If not specified, default icons will be used. |
RemoveRights | Boolean | 1 | Downgrade users from Admin to User, unless the account is in excluded accounts or is a domain administrator on a domain-joined device. |
RequireApproval | Boolean | 0 | Elevate without requiring someone to approve requests. |
RequireReason | Boolean | 1 | Require reason to elevate. |
RequireAppApproval | Boolean | 0 | Elevate Run As Admin without requiring someone to approve requests. |
RequireAppReason | Boolean | 1 | Require reason to Run As Admin. |
ShowInstructions | Boolean | 0 | Show Code of Conduct screen. |
UploadInventory | Boolean | 1 | Upload inventory data to the portal. |
UserGroups | Dictionary with Array of Strings | | User groups to match machine to sub settings when not using Active Directory. |
Overruling groups for subsettings
The ComputerGroups and UserGroups keys (available since macOS version 3.0) set the groups used to match the machine to sub settings, as in the example below:
{
  "ComputerGroups": ["Accounting", "USA"],
  "UserGroups": {
    "jane": ["Developers", "Germany"],
    "john": ["Accountants"]
  }
}
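A policy file that overrules the portal is worth checking before it is deployed, both for JSON errors (curly quotes, a trailing comma) and for overrides that loosen the defaults in the settings table. The following is an added example, not Admin By Request code: the function name, severity labels and choice of flagged keys are this example's own, and it assumes Boolean keys may be written either as 1/0 or as true/false.

```python
import json

# Keys and types transcribed from the settings table on this page.
BOOL = ("AllowAppStore AllowSudo DockIcon EnableSessions EnableAppElevations "
        "RemoveRights RequireApproval RequireReason RequireAppApproval "
        "RequireAppReason ShowInstructions UploadInventory").split()
STR = "CompanyName Instructions InstructionsHeader LogoUrl".split()
SCHEMA = {**dict.fromkeys(BOOL, bool), **dict.fromkeys(STR, str),
          "AdminMinutes": int, "ComputerGroups": list,
          "ExcludedAccounts": list, "UserGroups": dict}

def _str_list(v):
    return isinstance(v, list) and all(isinstance(s, str) for s in v)

def _type_ok(value, expected):
    if expected is bool:  # assumption: 1/0 and true/false are both accepted
        return isinstance(value, int) and value in (0, 1)
    if expected is int:
        return isinstance(value, int) and not isinstance(value, bool)
    if expected is dict:  # UserGroups: user name -> list of group names
        return isinstance(value, dict) and all(map(_str_list, value.values()))
    return _str_list(value) if expected is list else isinstance(value, str)

def audit_policy(text):
    """Return (severity, message) findings for the text of a policy file."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:  # e.g. curly quotes or a trailing comma
        return [("error", f"not valid JSON (line {exc.lineno}): {exc.msg}")]
    if not isinstance(policy, dict):
        return [("error", "top level must be a JSON object")]
    findings = []
    for key, value in policy.items():
        if key not in SCHEMA:
            findings.append(("warn", f"{key}: not a documented key"))
        elif not _type_ok(value, SCHEMA[key]):
            findings.append(("error", f"{key}: wrong type"))
    if policy.get("AllowSudo") == 1:  # the table advises against enabling this
        findings.append(("risk", "AllowSudo: users can tamper with the client"))
    if policy.get("RemoveRights") == 0:
        findings.append(("risk", "RemoveRights: users keep the Admin role"))
    if _str_list(policy.get("ExcludedAccounts")) and policy["ExcludedAccounts"]:
        findings.append(("review", "ExcludedAccounts: accounts are not downgraded"))
    return findings

# Constructed sample policy, not taken from a real endpoint.
SAMPLE = ('{"AdminMinutes": "30", "AllowSudo": 1, "ExcludedAccounts": ["svc_backup"],'
          ' "UserGroups": {"jane": ["Developers", "Germany"]}, "AllowSudoo": 0}')
```

Run `audit_policy` on the contents of `adminbyrequest.policy` before restarting the service; the default `ExampleSetting` entry is reported as an undocumented key, which is expected.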