Targeting .pkg Files
Privilege Manager supports elevation of an installation package (also known as a package). A package contains a product or product component—the package’s payload—to be installed on a computer and install configuration information that determines where and how the product is installed. A package is often identified by the file extension of .pkg or .mpkg.
You can use the Policy Wizard to create policies that apply to packages or you can create them manually. This document details how to create a policy manually.
For this example, we’ll be using a file specification filter for the file “Zoom.pkg”. To be more granular, you could use a file hash filter that targets the desired algorithm for the package file. Signed file filters are not supported for packages at this time.
Create File Specification Filter for the Package
- Navigate to Admin | Filters
- Click Create Filter
- For Platform/Location, pick macOS Computer Filters
- For Type, pick File Specification Filter
- Give the filter a name and description and click Create
- Set File Names to zoom.pkg and click Save Changes
Create Policy Targeting File Specification Filter
- Navigate to MACOS Computers | Application Policies
- Click Create Policy
- Click Skip the wizard, take me to a blank policy
- Give the policy a name and description and click Create Policy
- Set Applications Targeted to the file specification filter you created for the package
- Set Inclusions to Privilege Manager Copy/Installer Helper Parent Process Filter
- Actions – Depending on the desired user experience, use the following combinations of actions:
| Actions | Outcome |
|---|---|
| Deny Execute | Package installation is denied. |
| Deny Execute Deny Execute Message |
Package installation is denied and a notification is posted in notification center. |
| Application Denied Message Action (HTML) | Package installation is denied and the custom Application Denied Message Action (HTML) dialog is displayed. |
| Allow Package Installation | Package installation is allowed without prompting the user for admin credentials. |
| Allow Package Installation Application Approval Request Message Action (HTML) |
Package installation is allowed after the user’s approval request has been approved. ^ |
| Allow Package Installation Application Approval Request (with Offline Fallback) Message Action |
Package installation is allowed after the user’s approval request has been approved. ^ |
| Allow Package Installation Application Justification Message Action (HTML) |
Package installation is allowed after the user enters a justification. |
| Allow Package Installation Application Warning Message Action (HTML) |
Package installation is allowed after the user acknowledges the warning dialog. |
-
Click Show Advanced
- Click Continue Enforcing Policies so that it is disabled
- Click Applies To All Process so that it is enabled
- Click Save Changes
- Set the policy as Active
Policy Examples
Deny Execute + Deny Execute Message
The Policy below will deny package installation and a notification is posted in notification center.
Application Denied Message Action (HTML)
The Policy below will deny the package installation and the custom Application Denied Message Action (HTML) dialog is displayed.
Allow Package Installation
The Policy below will allow package installation without prompting the user for admin credentials.
Allow Package Installation + Application Approval Request Message Action (HTML)
The Policy below will allow package installation after the user’s approval request has been approved. If the request is denied, a notification will be posted in notification center.
Allow Package Installation + Application Approval Request (with Offline Fallback) Message Action (HTML)
The Policy below will allow package installation after the user’s approval request has been approved. If the request is denied, a notification will be posted in notification center.
Allow Package Installation + Application Justification Message Action (HTML)
The Policy below will allow package installation after the user enters a justification.
Allow Package Installation + Application Warning Message Action (HTML)
The Policy below will allow package installation after the user acknowledges the warning dialog.
