262-299-4600 • Email us

Policies on Mac

Settings in the Admin By Request client application are controlled under "Mac Settings" in the "Settings" menu, when signed in to the portal. If you for what-ever reason want to overrule these settings on specific clients, you can set overruling policies in a policy file.


Please note that we do not recommend that you use a policy file to control client behavior. Instead, we recommend that you use portal settings and sub settings for better transparency and for real-time control of computers off your LAN. If you have any questions about portal settings or would like a demo of these, please feel free to contact us.

Overruling portal settings

To overrule portal settings with a policy file, edit this file:

/Library/Application Support/Admin By Request/adminbyrequest.policy

Note that this file is protected during administrator sessions and can therefore not be hacked by end-users. The file is in json format and has an example non-used setting by default, as shown below. Simply add more settings from the table below to overrule web settings.

Also note that any change to the policy file will take effect after next reboot. Alternatively, if a policy change must take effect immediately without a reboot, an admin user or MDM can restart the service using "sudo killall adminbyrequest".

{
      "ExampleSetting": "ExampleValue"
}


KeyTypeDefaultDescription
AdminMinutesInteger15Number of minutes the user is administrator. This can also be set in your portal settings.
AllowAppStoreBoolean1Allow users to install software from the App Store without admin rights or an active Admin By Request session.
AllowSudoBoolean0Allow users to run sudo commands. Should not be enabled unless there is a good reason to, because it allows the user to tamper the endpoint software.
CompanyNameStringOverrules the company name that appears on user interfaces, which is by default the licensed company name.
ComputerGroupsArray of StringsComputer groups to match machine to sub settings when not using Active Directory.
DockIconBoolean1Place an icon in the dock.
ExcludedAccountsArray of stringsList of accounts that will not be downgraded to user role, such as service accounts.
EnableSessionsBoolean1User can request an admin session.
EnableAppElevationsBoolean1User can authenticate apps without session.
InstructionsStringBody text on Code of Conduct ("Instructions") screen.
InstructionsHeaderStringHeader text on Code of Conduct ("Instructions") screen.
LogoUrlStringUrl to download logo from. If not specified, default icons will be used.
RemoveRightsBoolean1Downgrade users from Admin to User, unless the account is in excluded accounts or is a domain administrator in on a domain joined Mac.
RequireApprovalBoolean0Elevate without requiring someone to approve requests.
RequireReasonBoolean1Require reason to elevate.
RequireAppApprovalBoolean0Elevate Run As Admin without requiring someone to approve requests.
RequireAppReasonBoolean1Require reason to Run As Admin.
ShowInstructionsBoolean0Show Code of Conduct screen.
UploadInventoryBoolean1Upload inventory data to the portal.
UserGroupsDictionary with array of stringsUser groups to match machine to sub settings when not using Active Directory.

Overruling groups for subsettings

With the addition of the ComputerGroups and UserGroups keys in macOS version 3.0, see the example below:

{
      "ComputerGroups": ["Accounting", "USA"],
      "UserGroups": {
          "jane": ["Developers", "Germany"],
          "john": ["Accountants"],
        }
}