Allow Copy to Install Applications
A policy can be created to allow or deny standard users to install specific applications by dragging-and-dropping the application into the /Applications folder. Follow this example to create a policy that will enable this functionality for macOS standard users. This example policy has been verified for use with KEXT and SYSEX agent workstations.
-
Navigate to your macOS Computer Group and select Application Policies.
-
Click Create Policy.
-
Select Controlling and click Next Step.
-
Select Allow and click Next Step.
-
Select what exactly you want the policy to target. This can be based of an Existing Filter, a File Upload, and/or Inventoried File(s). Multiple targets can be selected.
-
Click Next Step.
-
Enter a Name and description for your policy, click Create Policy.
-
Click Add Inclusions.
-
Search for and add the Copy Install Application filter.
-
Click Update.
-
Click Save Changes.
-
Set the Inactive switch to Active for policy updates at the endpoint.
The new Copy Install Application Filter should not be used with the existing Privilege Manager Copy/Installer Helper Parent Process Filter, which should be removed from any policy before adding the new Copy Install Application Filter to the policy.
Updating Existing Policies to Use the Copy Install Application Filter
If you have policies that currently use the Privilege ManagerCopy/Installer Helper Parent Process Filter use the following steps to update them to use the Copy Install Application Filter in the Privilege Manager UI:
-
Navigate to the macOS Computers Group and select Application Policies.
-
For each application that currently uses the Privilege manager copy/installer helper parent process filter as an inclusion filter, remove that filter and add the Copy Install Application filter instead.
-
Click Update.
-
Under Actions remove Allow copy to /Applications Directory and add the Application Approval Request Message Action in its place.
-
Click Update.
-
Click Show Advanced and set these two option to active:
- Continue Enforcing.
- Enforce Child Processes.
-
Click Save Changes.
Updating the Workstation
On the macOS workstation:
The agent updates with new and updated policies and synchronizes.
Expected User Experience
After the policies are updated, users can open a DMG or just drag-and-drop an application bundle to /Applications. Depending on the version of macOS, users may see a dialog asking to authenticate by clicking Authenticate. Users will not be prompted for admin credentials to complete the operation.