While Windows endpoints still dominate corporate offices, the rate of adoption of Mac devices has increased tremendously. With the increase in the number of companies offering creative services, the number of Mac devices used for corporate purposes will increase.
Enforcing Principle of Least Privilege on Mac Endpoints
With the increase in the number of Mac devices, system administrators will have to face the challenge of enforcing the security best practices on these devices running Mac operating system.
Most solutions in the market are designed for managing privileges on Windows endpoints. This makes the job of the system administrator much more difficult than it needs to be.
Securden Endpoint Privilege Manager supports privilege management on Mac Endpoints. Just like any other device, the Mac device must be onboarded to the Securden Endpoint Privilege Manager before privilege management workflows and policies can be enforced on the endpoint.
The Securden Mac Agent
The first step is to deploy the Securden Mac Agent on the Mac devices. The agent helps monitor user privileges, fetch user accounts on the Mac device, remove and control admin rights, and elevate privileges through policies or the request release process.
How to remove local admin rights on Mac endpoints?
By deploying the Securden Mac agent on the endpoints, the administrator will be able to view the list of user accounts on each individual Mac device. The administrator can then choose to remove the local administrator right by following the steps below.
- On the Mac device, go to System Settings >> Users & Groups.
- Click on the “i” icon against the user account you want to demote.
- Uncheck the checkbox against “Allow this user to administer the endpoint”
How to run apps with admin rights on Mac devices after the user is demoted?
There are three methods using which a standard user can run apps with admin rights.
- Request-release workflow for individual apps
- Policy based privilege elevation
- Requesting a temporary, time-limited full admin access
Each method is explained below.
-
Request-release workflow for individual apps
Standard users can place requests with the Securden Administrator to grant them temporary permissions to run a specific app with admin rights. The administrator can evaluate the request and choose whether to allow or deny the request.
-
Policy based privilege elevation
The Securden administrator can create and enforce privilege elevation policies to automate privilege elevation for apps that are used fairly regularly.
First, the administrator must create policies by selecting the applications and then associate them with the users. Then the administrator must select the endpoints on which the policy must take effect.
Once the preferences are selected, then the policy must be approved by a peer administrator (if available). Then the policy will take effect right after the agents communicate with the server.
-
Request for temporary, time-limited full admin access
In rare situations where the user needs to elevate multiple applications within a short time frame, they can place a request for temporary full-admin access to the Securden Administrator. Upon evaluation, the administrator can choose to approve or deny the request.
For all time limited privilege elevation requests, the time of elevated access will be determined by the administrator at the time of approval of the request.
Policy based application control in Mac
Apart from privilege elevation policies, the administrator can enforce application control through allowlisting and blocklisting. In scenarios where the user needs to run an app that is not allowed, they can place an application access request which follows the same workflow as the privilege elevation requests.
Through policies and a robust request-release workflow, Securden Endpoint Privilege Manager helps IT administrators tackle the challenges that come with adoption of the principle of least privilege on Mac endpoints.
Watch Securden EPM in action.
Book a demo and watch how Securden helps manage admin rights on Mac endpoints.
Book a Demo
X
What's next?
Request a Demo
Get a Price Quote