|
Please note that we do not recommend that you use a policy file to control client behavior. Instead, we recommend that
you use portal settings and sub settings for better transparency and for real-time control of computers off your LAN.
If you have any questions about portal settings or would like a demo of these, please feel free to contact us.
|
Overruling portal settings
To overrule portal settings with a policy file, edit this file:
/Library/Application Support/Admin By Request/adminbyrequest.policy
Note that this file is protected during administrator sessions and can therefore not
be hacked by end-users. The file is in
json format and has an
example non-used setting by default, as shown below. Simply add more settings from the table below to overrule web settings.
Also note that any change to the policy file will take effect after next reboot. Alternatively, if a policy change must take
effect immediately without a reboot, an admin user or MDM can restart the service using "sudo killall adminbyrequest".
{
"ExampleSetting": "ExampleValue"
}
|
| AdminMinutes | Integer | 15 | Number of minutes the user is administrator. This can also be set in your portal settings. |
| AllowAppStore | Boolean | 1 | Allow users to install software from the App Store without admin rights or an active Admin By Request session. |
| AllowSudo | Boolean | 0 | Allow users to run sudo commands. Should not be enabled unless there is a good reason to, because it allows the user to tamper the endpoint software. |
| CompanyName | String | | Overrules the company name that appears on user interfaces, which is by default the licensed company name. |
| ComputerGroups | Array of Strings | | Computer groups to match machine to sub settings when not using Active Directory. |
| DockIcon | Boolean | 1 | Place an icon in the dock. |
| ExcludedAccounts | Array of strings | | List of accounts that will not be downgraded to user role, such as service accounts. |
| EnableSessions | Boolean | 1 | User can request an admin session. |
| EnableAppElevations | Boolean | 1 | User can authenticate apps without session. |
| Instructions | String | | Body text on Code of Conduct ("Instructions") screen. |
| InstructionsHeader | String | | Header text on Code of Conduct ("Instructions") screen. |
| LogoUrl | String | | Url to download logo from. If not specified, default icons will be used. |
| RemoveRights | Boolean | 1 | Downgrade users from Admin to User, unless the account is in excluded accounts or is a domain administrator in on a domain joined Mac. |
| RequireApproval | Boolean | 0 | Elevate without requiring someone to approve requests. |
| RequireReason | Boolean | 1 | Require reason to elevate. |
| RequireAppApproval | Boolean | 0 | Elevate Run As Admin without requiring someone to approve requests. |
| RequireAppReason | Boolean | 1 | Require reason to Run As Admin. |
| ShowInstructions | Boolean | 0 | Show Code of Conduct screen. |
| UploadInventory | Boolean | 1 | Upload inventory data to the portal. |
| UserGroups | Dictionary with array of strings | | User groups to match machine to sub settings when not using Active Directory. |
Overruling groups for subsettings
With the addition of the ComputerGroups and UserGroups keys in macOS version 3.0, see the example below:
{
"ComputerGroups": ["Accounting", "USA"],
"UserGroups": {
"jane": ["Developers", "Germany"],
"john": ["Accountants"],
}
}
LATEST CYBERSECURITY BLOGS
