macOS Approval Process

To accommodate the new macOS Endpoint Security system extensions, the approval workflow of the macOS agent now terminates any justification or approval process and presents the user with an applicable message action.

The following workflows are impacted by this change:

  • Application Approval Request Message Action
  • Deny Execute
  • Deny Execute and Deny Execute Message Action
  • Deny Execute and Application Denied Message Action
  • Application Justification Message Action
  • Application Warning Message Action

Refer to the Actions topic.

Application Approval Request Message Action

Workflow prior to Privilege Manager v10.8:

Action waits for the user to either click Cancel or enter an Approval Request Message and click Request Approval.

Workflow starting with Privilege Manager v10.8:

Privilege Manager immediately denies the execution with macOS displaying a dialog indicating the application can't be opened. If the user has granted Privilege Manager.app the necessary SendEvents right, Privilege Manager closes the dialog.

  • If the user clicks Cancel, the dialog is dismissed and no further action taken.

  • If the user clicks Request Approval, the Approval is submitted and the user is presented with a modal dialog informing them that the approval request has been submitted and that they will be notified via Notification Center.

    • If successfully submitted, the request is queued and monitored by Privilege Manager.app.

    • If denied, a notification is pushed to the Notification Center indicating the app was denied. Clicking the notification or clicking the button to dismiss the notification causes the notification to be removed from the Notification Center.

    • If the request is approved, a notification is pushed to the Notification Center indicating the request was approved. Behavior for:

      • application bundles: Clicking the notification causes the app to be launched and the notification to be removed from the Notification Center.
      • command-line utilities: Clicking the notification causes the notification to be removed from the Notification Center. The user will have to manually run the command-line utility from a terminal window. If the user chooses to dismiss the notification, the notification is removed from the Notification Center and no further action is taken.
    • If the approval request fails to be submitted, Request Approval is disabled on the Request Approval dialog and an error message is displayed.

Deny Execute

This action immediately denies the execution of the application and no interaction with Privilege Manager.app is required. The workflow is:

  • macOS will display a dialog indicating the application can't be opened. If the user has granted Privilege Manager.app the necessary SendEvents right, Privilege Manager closes the dialog.
  • No further user interaction is provided or necessary.

Deny Execute and Deny Execute Message Action

This action immediately denies the execution of the application. The workflow is:

  • macOS will display a dialog indicating the application can't be opened. If the user has granted Privilege Manager.app the necessary SendEvents right, Privilege Manager closes the dialog.

  • A user notification is posted to the Notification Center that indicates the process was denied.

    • Clicking the notification or clicking the button to dismiss the notification causes the notification to be removed from the Notification Center.
  • No further user interaction is necessary.

Deny Execute and Application Denied Message Action

  • Privilege Manager immediately denies the execution with macOS displaying a dialog indicating the application can't be opened. If the user has granted Privilege Manager.app the necessary SendEvents right, Privilege Manager closes the dialog.

  • The custom Application Denied Message is shown. Cancel and Publisher Info are the only buttons enabled.

    • Clicking Cancel closes the window.
    • Clicking Publisher Info displays certificate information for the application that was denied.
  • No further user interaction is necessary.

Application Justification Message Action

This action waits for the user to either Cancel or enter a Justification Message and click Continue. The workflow is:

  • Privilege Manager immediately denies the execution with macOS displaying a dialog indicating the application can't be opened. If the user has granted Privilege Manager.app the necessary SendEvents right, Privilege Manager closes the dialog.

    • If the user clicks Cancel, the dialog is dismissed and no further action taken.
    • If the user clicks Continue, the Justification will be submitted and the app bundle will be launched.

Application Warning Message Action

This action waits for the user to either click Cancel or Continue. The workflow is:

  • Privilege Manager immediately denies the execution with macOS displaying a dialog indicating the application can't be opened. If the user has granted Privilege Manager.app the necessary SendEvents right, Privilege Manager closes the dialog.

    • If the user clicks Cancel, the dialog is dismissed and no further action taken.
    • If the user clicks Continue, the app bundle will be launched.

Privacy Preference Policy Control Requests

If you have a policy in Privilege Manager that includes Deny Execute or any of the Advanced Message Actions, for example Application Approval Request, Application Denied, or Application Justification, the user at the endpoint might be presented with a macOS dialog saying that the application could not be launched.

When a policy with one of the above Advanced Message Actions is triggered, Privilege Manager.app attempts to use AppleEvents to dismiss this dialog on behalf of the user to provide the best user experience possible. When Privilege Manager.app attempts to use AppleEvents for the first time, macOS will prompt the user with the following:

(Screenshot: the macOS Big Sur AppleEvents permission prompt for Privilege Manager.app)

  • If the user clicks OK on the AppleEvents dialog, Privilege Manager.app is added under Automation in the Security & Privacy preference pane on the Privacy tab, with System Events checked for it:

    (Screenshot: Privilege Manager listed under Automation in the Security & Privacy preference pane, Privacy tab, Big Sur)

  • If the user clicks Don't Allow on the AppleEvents dialog, System Events is left unchecked for Privilege Manager.app under Automation.

  • Afterwards, macOS prompts the user with an Accessibility Access dialog:

    (Screenshot: the macOS Big Sur Accessibility Access request dialog for Privilege Manager.app)

  • If the user clicks Deny, Privilege Manager.app will not be granted access to use accessibility features to automatically close the dialog that states the application couldn't be launched.

  • If the user clicks Open System Preferences, the Security & Privacy preference pane opens to the Privacy tab:

    (Screenshot: the Accessibility list in the Security & Privacy preference pane, Privacy tab, Big Sur)

    If you check Privilege Manager, it will be granted access to use accessibility features to control other applications.

In order to automate the approval of these manual prompts, use the XML provided here or refer to the Jamf Pro screenshot as an example, depending on your existing MDM. A Privacy Preferences Policy Control payload is only honored when the profile is installed through MDM enrollment; a .mobileconfig file installed manually on the endpoint does not grant these rights.

Jamf Pro

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadDescription</key>
            <string></string>
            <key>PayloadDisplayName</key>
            <string>Privacy Preferences Policy Control</string>
            <key>PayloadEnabled</key>
            <true/>
            <key>PayloadIdentifier</key>
            <string>DC4FCA18-FCF2-4332-9192-A00D9A0BC128</string>
            <key>PayloadOrganization</key>
            <string>Thycotic LTD</string>
            <key>PayloadType</key>
            <string>com.apple.TCC.configuration-profile-policy</string>
            <key>PayloadUUID</key>
            <string>DC4FCA18-FCF2-4332-9192-A00D9A0BC128</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>Services</key>
            <dict>
                <key>Accessibility</key>
                <array>
                    <dict>
                        <key>Allowed</key>
                        <integer>1</integer>
                        <key>CodeRequirement</key>
                        <string>anchor apple generic and identifier "com.thycotic.privilegemanagergui" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UJDHBB2D6Q)</string>
                        <key>Identifier</key>
                        <string>com.thycotic.privilegemanagergui</string>
                        <key>IdentifierType</key>
                        <string>bundleID</string>
                        <key>StaticCode</key>
                        <integer>0</integer>
                    </dict>
                </array>
                <key>AppleEvents</key>
                <array>
                    <dict>
                        <key>AEReceiverCodeRequirement</key>
                        <string>identifier "com.apple.systemevents" and anchor apple</string>
                        <key>AEReceiverIdentifier</key>
                        <string>com.apple.systemevents</string>
                        <key>AEReceiverIdentifierType</key>
                        <string>bundleID</string>
                        <key>Allowed</key>
                        <integer>1</integer>
                        <key>CodeRequirement</key>
                        <string>anchor apple generic and identifier "com.thycotic.privilegemanagergui" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UJDHBB2D6Q)</string>
                        <key>Identifier</key>
                        <string>com.thycotic.privilegemanagergui</string>
                        <key>IdentifierType</key>
                        <string>bundleID</string>
                        <key>StaticCode</key>
                        <integer>0</integer>
                    </dict>
                </array>
            </dict>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Privilege Manager PPPC Apple Events</string>
    <key>PayloadDisplayName</key>
    <string>Privilege Manager PPPC Apple Events</string>
    <key>PayloadEnabled</key>
    <true/>
    <key>PayloadIdentifier</key>
    <string>5F761A1C-1F93-4666-99E4-772FDA978AFF</string>
    <key>PayloadOrganization</key>
    <string>Thycotic LTD</string>
    <key>PayloadRemovalDisallowed</key>
    <true/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>5F761A1C-1F93-4666-99E4-772FDA978AFF</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
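Before a profile like the one above is scoped to a fleet, it is worth checking that it grants exactly what this workflow needs and nothing more: Accessibility and AppleEvents for the Privilege Manager bundle ID only, each code requirement pinned to that identifier and Apple's anchor, and AppleEvents scoped to System Events. The following Python script is an added example, not Thycotic's or Apple's code. It parses a profile of this shape with plistlib and reports any grant that deviates from that expectation. The sample profile embedded in it is constructed here and trimmed to the keys the audit reads; the constant names and the audit_pppc_profile function are chosen for the example. To audit an exported profile instead, pass the file's bytes.

```python
"""Audit a PPPC (TCC) configuration profile before it goes out via MDM.

Added example, not Thycotic's or Apple's code. It parses a profile of the shape
shown on this page and checks that Accessibility and AppleEvents are granted only
to the expected bundle ID, that each code requirement pins that identifier to
Apple's anchor, and that AppleEvents are scoped to System Events. The sample
profile below is constructed and trimmed to the keys the audit reads.
"""
import plistlib

# Constructed sample: same structure as the page's profile, other payload keys omitted.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.TCC.configuration-profile-policy</string>
      <key>Services</key>
      <dict>
        <key>Accessibility</key>
        <array><dict>
          <key>Allowed</key><integer>1</integer>
          <key>CodeRequirement</key>
          <string>anchor apple generic and identifier "com.thycotic.privilegemanagergui"</string>
          <key>Identifier</key><string>com.thycotic.privilegemanagergui</string>
          <key>IdentifierType</key><string>bundleID</string>
          <key>StaticCode</key><integer>0</integer>
        </dict></array>
        <key>AppleEvents</key>
        <array><dict>
          <key>AEReceiverCodeRequirement</key>
          <string>identifier "com.apple.systemevents" and anchor apple</string>
          <key>AEReceiverIdentifier</key><string>com.apple.systemevents</string>
          <key>AEReceiverIdentifierType</key><string>bundleID</string>
          <key>Allowed</key><integer>1</integer>
          <key>CodeRequirement</key>
          <string>anchor apple generic and identifier "com.thycotic.privilegemanagergui"</string>
          <key>Identifier</key><string>com.thycotic.privilegemanagergui</string>
          <key>IdentifierType</key><string>bundleID</string>
          <key>StaticCode</key><integer>0</integer>
        </dict></array>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""

TCC_PAYLOAD_TYPE = "com.apple.TCC.configuration-profile-policy"
EXPECTED_BUNDLE_ID = "com.thycotic.privilegemanagergui"
EXPECTED_SERVICES = {"Accessibility", "AppleEvents"}  # what this workflow needs, nothing more
EXPECTED_AE_RECEIVER = "com.apple.systemevents"


def audit_pppc_profile(profile_bytes, bundle_id=EXPECTED_BUNDLE_ID):
    """Return a list of findings; an empty list means the profile grants exactly
    the expected services to the expected app and nothing else."""
    findings = []
    root = plistlib.loads(profile_bytes)
    payloads = [p for p in root.get("PayloadContent", [])
                if p.get("PayloadType") == TCC_PAYLOAD_TYPE]
    if not payloads:
        return ["no %s payload found" % TCC_PAYLOAD_TYPE]
    seen = set()
    for payload in payloads:
        for service, entries in payload.get("Services", {}).items():
            seen.add(service)
            if service not in EXPECTED_SERVICES:
                findings.append("unexpected service granted: %s" % service)
            for i, e in enumerate(entries):
                where = "%s[%d]" % (service, i)
                if e.get("Identifier") != bundle_id:
                    findings.append("%s: grant for unexpected identifier %r" % (where, e.get("Identifier")))
                if e.get("IdentifierType") != "bundleID":
                    findings.append("%s: IdentifierType should be bundleID" % where)
                if not bool(e.get("Allowed", 0)):
                    findings.append("%s: Allowed is not 1, so this entry denies rather than grants" % where)
                # Without the identifier and Apple anchor pinned, a differently signed
                # binary that reuses the bundle ID string could match this grant.
                req = e.get("CodeRequirement", "")
                if 'identifier "%s"' % bundle_id not in req or "anchor apple" not in req:
                    findings.append("%s: CodeRequirement does not pin identifier and anchor" % where)
                if e.get("StaticCode", 0) != 0:
                    findings.append("%s: StaticCode is %r, expected 0" % (where, e.get("StaticCode")))
                if service == "AppleEvents" and e.get("AEReceiverIdentifier") != EXPECTED_AE_RECEIVER:
                    findings.append("%s: AppleEvents receiver is %r, expected %s"
                                    % (where, e.get("AEReceiverIdentifier"), EXPECTED_AE_RECEIVER))
    for missing in sorted(EXPECTED_SERVICES - seen):
        findings.append("missing grant for %s; the user will still be prompted" % missing)
    return findings


if __name__ == "__main__":
    for line in audit_pppc_profile(SAMPLE_PROFILE) or ["profile OK"]:
        print(line)
```

The audit treats a grant to any identifier other than the expected bundle ID, an AppleEvents receiver other than System Events, or a service beyond the two this workflow uses as a finding, because each of those widens the profile past what the prompts above require; a missing Accessibility or AppleEvents entry is also reported, since the user would then still see the corresponding macOS prompt.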