avecto.com Getting Started with Defendpoint for Mac March 2016 – Getting Started Guide v2.0


Copyright Notice

The information contained in this document (“the Material”) is believed to be accurate at the time of printing, but no representation or warranty is given (express or implied) as to its accuracy, completeness or correctness. Avecto Ltd, its associated companies and the publisher accept no liability whatsoever for any direct, indirect or consequential loss or damage arising in any way from any use of or reliance placed on this Material for any purpose.

Copyright in the whole and every part of this document belongs to Avecto Ltd (“the Owner”) and may not be used, sold, transferred, copied or reproduced in whole or in part in any manner or form or in or on any media to any person other than in accordance with the terms of the Owner’s Agreement or otherwise without the prior written consent of the Owner.

Accessibility Notice

In the event that you are unable to read any of the pages in this document, please contact us and we will arrange to provide an accessible version for you.

Defendpoint for Mac – Getting Started Guide

Contents

Introduction
Technical benefits
Before you start
Defendpoint installation
Installing the Defendpoint Management Console on the Windows computer
Installing the Defendpoint Client on the Mac computer
Creating a Standard User account
Testing Defendpoint
Standard user experience without Defendpoint
5.1.1. Accessing a preference pane
5.1.2. Opening a package
5.1.3. Opening a bundle
5.1.4. Running a binary
Adding Defendpoint Settings to a Mac computer
Standard user experience with Defendpoint
5.3.1. Accessing a preference pane
5.3.2. Opening a package
5.3.3. Opening a bundle
5.3.4. Running a binary
Importing and Exporting the Defendpoint Settings
Importing the Defendpoint Settings
What’s in the Defendpoint Settings?
Exporting the Defendpoint Settings
Adding a Preference Pane to Defendpoint
Adding a package to Defendpoint
Adding a bundle to Defendpoint
Adding a binary to Defendpoint
Conclusion
Feedback Questions
Configuring Defendpoint for Mac
Installing & Deploying
Reporting
Overall experience
Support
What’s next?

Introduction

Defendpoint is the revolutionary endpoint security software that unites IT and end users. With traditional security solutions such as antivirus only effective half of the time, Defendpoint puts you a step ahead. By combining Privilege Management and Application Control, Defendpoint protects your business from advanced targeted attacks.

With Defendpoint for Mac, users are able to run admin tasks and privileged applications without the need for an admin account. You regain control of apps with pragmatic whitelisting, ensuring that only known good applications are able to run, while users have the freedom and flexibility to perform everyday tasks.

For the first time, you can achieve the same level of security and usability on a Mac computer as you can on a Windows computer: Gain control of Mac endpoints, remove admin accounts and manage approved applications.

Features

Seamless unlocking of individual System Preferences

Empower users to install approved packages

Improved user experience with fully customizable messaging:

Challenge / Response for controlled access to applications

Request reasons for application use

User re-authentication using password

Suppress unwanted OS X password prompts

Centralized reporting with rich, interactive dashboards

Block unknown and untrusted applications

Control the use of system and 3rd party apps including application bundles, package installers and terminal binaries

Easy workstyle-driven configurations and application templates

Flexible policy targeting and exception handling based on individual roles

Discover and audit application use across the organization

Broad matching criteria for precise targeting of rules:

Application file path, URI, publisher, hash, version

Users, groups, computers

Technical benefits

Achieve least privilege on Mac

There are many functions that require an admin account to run. While most Mac users typically use an admin account to gain the flexibility they need, this represents a large security risk in the enterprise. Defendpoint for Mac enables users to log on with non-admin accounts, without compromising productivity or performance, by allowing the execution of approved tasks, applications and installations as required, according to the rules of your policy.

Empower users and gain control

Allow and block the use and installation of specific applications, binaries, packages and bundles. By taking a simple and pragmatic approach to whitelisting, you can gain greater control of applications in use across the business and immediately improve security by preventing untrusted applications from executing.

Unlock privileged activity

Even privileged applications and tasks that usually require admin rights are able to run under a standard user account. With Defendpoint for Mac, you can unlock approved system preferences such as date and time, printers, network settings and power management, without needing admin credentials.

Customizable messaging

Working seamlessly with OS X, Defendpoint for Mac suppresses standard, restrictive messages and allows you to create your own customized authorization prompts to handle exceptions and enable users to request access. Set up access request reasons, challenge/response codes or password protection to add additional security layers, or simply improve prompts to reduce helpdesk enquiries.

Take a pragmatic approach with broad rules

Broad catchall rules provide a solid foundation, with exception handling options to handle unknown activity. Simply define the application and set its identification options such as filename, hash, publisher or URI. Next, assign the application to the users who require enhanced rights and set up any additional options, such as end user messaging and auditing.

Achieve compliance

You will have the knowledge to discover, monitor and manage user activity from the entire enterprise, drawing upon actionable intelligence to make informed decisions. Graphical dashboards with real-time data will provide a broad range of reports to aid troubleshooting and provide the information you need to proactively manage your policy on an ongoing basis.

Apply corporate branding

You can add your own branding to messages and prompts, with reusable messaging templates that make it easy to improve the end user experience. You have full control over text configuration.

Simple, familiar policy design

Firewall-style rules based on application groups make set up and management simple. Using the same Defendpoint interface and client as for Windows, you create flexible ‘workstyles’ based on the requirements of individuals and groups of users.

Before you start

Before beginning the Defendpoint for Mac evaluation you will need the following:

A Windows computer or virtual machine, with a local admin account

A Mac computer or virtual machine, with a local admin user for installation and configuration, and a local standard (non-admin) user for testing.

A method of transferring the Defendpoint configuration from the Windows computer to the Mac computer (virtual machine folder share, network share, USB device, etc.)

Avecto recommends that this evaluation be carried out on virtual machines. It should not be carried out on production machines.

Supported platforms

OS X 10.9 Mavericks

OS X 10.10 Yosemite

Note: Ensure all OS X updates are applied to the Mac computer

Downloads

The Defendpoint for Mac Technical Preview Evaluation consists of two downloads:

A disk image for the Mac computer (Defendpoint_Mac_TP.dmg)

A zip file for the Windows computer (Defendpoint_Mac_TP.zip)

Licensing

An evaluation license is included in the Defendpoint Settings file, which will expire on November 30th 2015.

Defendpoint installation

The Defendpoint installation is performed in two stages; the Defendpoint Management Console is installed on to the Windows computer and the Defendpoint Client is installed on to the Mac computer.

Installing the Defendpoint Management Console on the Windows computer

The Defendpoint Management Console is used to create and edit Defendpoint Settings that are applied to Mac computers. Although you won’t be using the console until later in the evaluation you can install it now so that it’s ready for the later exercises.

Log on to the Windows computer you would like to manage Defendpoint from, using an administrator account.

Install Defendpoint by running the appropriate installation package:

For 32-bit (x86) systems run DefendpointManagementConsoles_x86.exe

For 64-bit (x64) systems run DefendpointManagementConsoles_x64.exe

1. The installation will detect if any prerequisites are needed. Click Install to install any missing pre-requisites. This may take a few minutes.

2. Once the prerequisites have been installed, the Welcome dialog will appear.

3. Click Next to continue. The License Agreement dialog will appear.

4. After reading the license agreement, select I accept the terms in the license agreement and click Next to continue. The User Information dialog will appear.

5. Enter your name and the name of your organization and click Next to continue. The Destination Folder dialog will appear.

6. If you wish to change the default installation directory then click the Change button and select a different installation directory. Click Next to continue. The McAfee ePolicy Orchestrator dialog will appear.

7. Leave this option unchecked and click Next to continue. The Ready to Install the Program dialog will appear.

8. Click Install. The Management Console will begin installation. Once installed, you will be presented with the following screen giving you the option of installing the Defendpoint Client on the current Windows computer.

9. Uncheck this option and click Finish. The Defendpoint Console has now been successfully installed.

Installing the Defendpoint Client on the Mac computer

The Defendpoint for Mac Client allows Defendpoint Settings to be applied to the Mac computer.

1. Log on to the Mac computer that the Defendpoint Client is to be installed on, using an administrator account.

2. Once downloaded, please install the Defendpoint Client by double-clicking the installation package DefendpointClient.pkg.

Note: The package is signed by Avecto. Select the padlock in the top-right corner to view the certificate and confirm its validity.

3. Click Continue to install the Defendpoint Client.

4. The Destination Select dialog will be displayed. The default setting is the Macintosh HD.

5. Click Continue and the Installation Type dialog will be displayed confirming the size and destination of the software install.

6. Click Install. An Apple authorization dialog will display. Enter the administrator credentials and click Install Software.

7. The software installation will commence and on completion the Summary dialog will be displayed.

8. Click Close to complete the installation of the Defendpoint for Mac Client.

If you are using OS X 10.9 Mavericks it is recommended that you restart your machine.

Creating a Standard User account

This section is only required if the Mac computer on which you are evaluating Defendpoint does not have a standard user account.

1. Using the local admin account open the Users & Groups preference pane from the System Preferences folder.

2. Unlock the preference pane by clicking the padlock and entering your admin credentials.

3. Click on the + button to create a new Standard user and complete the dialog as shown below.

4. Close the Users & Groups preference pane.

Testing Defendpoint

Standard user experience without Defendpoint

To demonstrate the potential of Defendpoint, we are going to explore the experience that a standard user, working without the protection or assistance of Defendpoint, would expect to encounter. By performing four common actions, we can illustrate the restrictions and vulnerabilities a standard Mac user is exposed to. Subsequently, once the Defendpoint Settings are applied, you’ll perform the same actions to illustrate how Defendpoint can impact on the standard user experience.

Note: Although you have installed the Defendpoint Client software on your Mac computer, it is not currently active as it is installed with a blank configuration. During the initial tests, your Mac will behave as if Defendpoint wasn’t present.

5.1.1. Accessing a preference pane

Preference panes allow the user to set preferences for specific applications or the system. Many of these are ‘padlocked’ as shown below.

1. As a standard user open the Date & Time preference pane.

2. Click the padlock to unlock the preference pane. You will be presented with an Apple authorization dialog as displayed below. A standard user cannot authorize this dialog, and so cannot alter the Date & Time settings.

Standard users cannot access locked preference panes. Later in the evaluation we will demonstrate how any locked preference panes that are considered necessary for the standard user to access, can be made available using Defendpoint. We’ll also illustrate how more meaningful messages can be displayed, when a preference pane is blocked, providing a more informed user experience.

5.1.2. Opening a package

Packages are used to install applications or files and execute scripts.

1. As a standard user launch Safari and download the following package to the desktop: https://connect.avecto.com/temp/AvectoTestApplication-pkg.zip

Note: This is an example package compiled by Avecto, which will add a simple application to the system. It is provided only for the purposes of this demonstration and once you have finished, can be simply removed by moving it to the Trash can.

2. Double-click the AvectoTestApplication.pkg package. The Apple Installer will be launched as shown below.

3. The installer will progress through the Destination and Installation Type dialogs but when the user finally clicks Install they will be presented with an Apple authorization dialog. A standard user will not be able to authorize this dialog, and so cannot install the package.

Standard users cannot install packages. Using Defendpoint, standard users can be empowered to install packages without requiring an administrator account. This can eliminate unnecessary support calls and IT intervention. However, packages that have not been authorized can be intercepted, and controls can be applied that allow IT teams to dictate which packages can or cannot be installed by a standard user. This will be demonstrated in the subsequent tests.

5.1.3. Opening a bundle

Bundles are a common type of application on Macs. The majority of pre-installed applications, as well as apps installed from the Apple App Store, are in bundle form. Bundles can also be downloaded from any internet site, and run from any location on the system. Because of this, bundles can easily be introduced by standard users, and represent a significant risk to the business. A common way of downloading Bundle applications is to download them as disk images.

1. As a standard user launch Safari and download the following disk image to the desktop: https://connect.avecto.com/temp/AvectoTestApplication-dmg.zip

2. Double-click the AvectoTestApplication.dmg disk image. The AvectoTechPreview disk will appear on the desktop.

3. Open the disk and double-click on the AvectoTechPreview bundle. A dialog will ask if you want to open it so click Open. The AvectoTechPreview will open without any authorization requirement.

4. You may want to try this with your own downloads.

Standard users can download and run bundles without requiring an admin account. Using Defendpoint, application bundles can be blocked from running, or the standard user can be presented with a message, for example requesting a reason for installation. This can be returned to the IT department, establishing an audit trail. Defendpoint can intercept the running of any application bundle and prevent the running of unauthorized applications. Defendpoint can also prevent the running of unknown or potentially malicious bundles that are introduced by users.

5.1.4. Running a binary

Binaries are typically executed from the Terminal command line application. Many binary commands can be executed by standard users, without requiring an admin account or root. As an IT admin, you may want to restrict the use of, or even block access to certain binaries that are executed by your users.

One example is the ‘curl’ binary, which allows users to transfer data from or to a server. It is commonly used to download from a website without using a web browser.

1. As a standard user, open the Terminal and type:

curl https://connect.avecto.com/temp/AvectoTestApplication-pkg.zip > ~/Desktop/TestApp.pkg.zip

2. Press Enter. The ‘curl’ command will be executed. As a standard user you have accessed the Terminal and downloaded the Avecto TestApp.pkg.zip to the desktop. This may allow users to bypass security that is being applied to the Safari web browser or any other web browsers.

In the subsequent Binary Test, with Defendpoint Settings applied, you’ll enforce an access request in front of the ‘curl’ command. This will demonstrate that using Defendpoint, you are able to apply restrictions on which binaries can be executed from the Terminal app.

Adding Defendpoint Settings to a Mac computer

In the first section of this chapter we demonstrated the expected standard user experience without Defendpoint operating on the Mac computer.

Avecto has supplied a Defendpoint Settings file with the Defendpoint download (pguard.xml). You are now going to apply those settings.

To add the Defendpoint settings to a Mac computer:

1. Log on to the Mac computer using your admin account.

2. Browse to the location of the Defendpoint Settings file (pguard.xml) and copy the file to your desktop.

3. From the Terminal application type the following command:

sudo cp ~/Desktop/pguard.xml /etc/pguard/pguard.xml

4. Press Enter and submit your admin credentials. The file will be copied into the folder /etc/pguard/ on the Mac computer, overwriting any existing file of the same name.

As soon as the pguard.xml file is placed in this folder Defendpoint is active on the Mac computer.
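
The copy step above replaces the live policy in one move, and the guide notes that Defendpoint acts on the file as soon as it is in place. The following shell function is an added example, not part of Avecto's guide: it checks the new file before overwriting, keeps a backup of the previous settings, and swaps the new file in with a rename. The .bak backup name, the root-owned mode 644 permissions and the optional destination-folder argument are assumptions made for this example, not documented Defendpoint requirements.

```shell
#!/bin/sh
# Added example: a more careful form of
#   sudo cp ~/Desktop/pguard.xml /etc/pguard/pguard.xml
# Assumptions (not from the guide): policy file owned by root with mode 644,
# previous policy kept as pguard.xml.bak.
# Usage: source this file in a root shell, then run
#   install_pguard_settings /path/to/pguard.xml

# Succeeds only if the file exists and is NOT writable by group or other.
policy_file_is_locked_down() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" \( -perm -0020 -o -perm -0002 \))" ]
}

# install_pguard_settings SRC [DEST_DIR]
# DEST_DIR defaults to /etc/pguard, the folder named in the guide.
install_pguard_settings() {
    src=$1
    dest_dir=${2:-/etc/pguard}
    dest="$dest_dir/pguard.xml"

    [ -s "$src" ] || { echo "settings file missing or empty: $src" >&2; return 1; }
    [ -d "$dest_dir" ] || { echo "destination folder not found: $dest_dir" >&2; return 1; }

    # Reject a truncated or corrupted transfer before it replaces the live policy.
    # xmllint ships with OS X; the check is skipped where it is not installed.
    if command -v xmllint >/dev/null 2>&1; then
        xmllint --noout "$src" 2>/dev/null || {
            echo "not well-formed XML: $src" >&2
            return 1
        }
    fi

    # Keep the previous policy so a bad change can be rolled back.
    if [ -f "$dest" ]; then
        cp -p "$dest" "$dest.bak" || return 1
    fi

    # Stage the file in the same folder and rename it into place, so the
    # client never reads a half-written pguard.xml.
    tmp="$dest_dir/.pguard.xml.$$"
    cp "$src" "$tmp" || return 1
    chmod 644 "$tmp" || { rm -f "$tmp"; return 1; }
    if [ "$(id -u)" -eq 0 ]; then
        # uid 0 / gid 0 is root:wheel on OS X.
        chown 0:0 "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    mv -f "$tmp" "$dest" || { rm -f "$tmp"; return 1; }

    # Final check: standard users must not be able to edit the policy.
    policy_file_is_locked_down "$dest"
}
```
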

Standard user experience with Defendpoint

Having demonstrated the standard user experience without Defendpoint, you will now perform the same actions having added the Defendpoint Settings to the Mac computer. In this way, we can illustrate the advantages and protection that can be applied to the standard user with Defendpoint in place.

Ensure that the previously run applications have been closed correctly. Active applications are identified in the Dock by a dot beneath their icon. To ensure applications are closed properly, click on them and press ⌘ + Q. Depending on your keyboard this key could be additionally labeled Command or Cmd.

5.3.1. Accessing a preference pane

1. As a standard user open the Date & Time preference pane.

2. Click the padlock to unlock the preference pane. The padlock will unlock and the Date & Time settings can now be altered by a standard user.

The current Defendpoint Settings permit the standard user access to a normally locked preference pane, without requiring an admin account, or requiring them to authorize an Apple authorization dialog. This not only empowers standard users to perform approved admin tasks, but also improves the experience of running those tasks by eliminating the need to repeatedly enter their credentials.

Additionally, try unlocking any other System Preference panes that are padlocked. The Defendpoint Settings are configured to intercept these and display a block/reason dialog. Rather than receiving an authorization dialog, with Defendpoint you can instead provide a more meaningful message, mitigating the need for an IT support call.

5.3.2. Opening a package

1. As a standard user double-click the AvectoTestApplication package you downloaded in the previous package test. The Apple Installer will be launched as shown below.

2. The Apple Installer will progress through the install dialogs and the installation will commence successfully without any request for further authorization.

Note: The package is signed by Avecto. Select the padlock in the top-right corner to view the certificate and confirm its validity.

The current Defendpoint Settings permit the standard user to install a normally blocked application package without requiring an admin account, or requiring them to authorize an Apple authorization dialog. This not only empowers standard users to perform approved admin tasks, but also improves the experience of running those tasks by eliminating the need to repeatedly enter credentials.

Experiment with this by trying to install any other package. Again, the Defendpoint Settings are configured to intercept the authorization dialog and show our own block/request message.

3. Now that you’ve installed the package, using Finder navigate to the Applications folder and double-click on the AvectoTechPreview app. The application will run and the dialog shown below is displayed:

The installation of an authorized package will automatically allow the application to run, as it has been installed to the /Applications folder, which is a trusted location of the operating system.

5.3.3. Opening a bundle

1. As a standard user, double-click the AvectoTestApplication.dmg disk image you downloaded in the previous bundle test. The AvectoTechPreview disk will appear on the desktop.

2. Open the disk and double-click on the AvectoTechPreview bundle. A dialog will ask if you want to open it so click Open.

3. You will be presented with the Defendpoint Block message as displayed below and the application will be blocked from launching.

The current Defendpoint Settings block the launch of this bundle which would normally be allowed for a standard user. This is because it is running from an untrusted location, and Defendpoint has been configured to automatically block any unknown application running from an untrusted location. Try introducing your own bundle applications from the standard user’s desktop, or any other location that the standard user is able to copy a bundle application to.

Defendpoint can also be used to block known and trusted applications, such as tools and utilities that are part of OS X. Try running the Game Center. The current settings will block the Game Center from running and display the block message below.

5.3.4. Running a binary

1. As a standard user, open the Terminal and type:

curl https://connect.avecto.com/temp/AvectoTestApplication-pkg.zip > ~/Desktop/Rogue.pkg.zip

2. Press Enter. The application will be blocked from launching and the Defendpoint Block message will be displayed.

The current Defendpoint Settings block the execution of the ‘curl’ binary, which would normally be permitted for a standard user.

Summary

In these exercises, you have demonstrated that the experience of a standard user is impaired as they are unable to perform simple tasks that normally require an admin account. You have also demonstrated that standard users are still capable of introducing unknown and potentially malicious applications to their Mac, exposing your organization to security incidents.

With Defendpoint enabled, you have demonstrated the ability to empower users by allowing specific actions such as unlocking System Preferences and installing system packages using Privilege Management. You have also demonstrated that Application Control provides the ability to intercept unexpected Apple authorization dialogs, and replace them with your own default actions with customizable and intuitive messaging. Finally, Application Control provides the ability to intercept and block the running of unknown applications using simple ‘trust’ based whitelisting, and allows targeted blacklisting of applications that are part of OS X.

In the next section, you will learn how to tailor the Defendpoint configuration by adding your own rules for applications.

Importing and Exporting the Defendpoint Settings

In the previous chapter we explored the differences between the standard user experience when Defendpoint isn’t operational and the experience when the Defendpoint Settings have been applied.

In this chapter you’ll be creating additional rules for Defendpoint. To do this you’ll use the Defendpoint snap-in to the Microsoft Management Console (MMC) on the Windows computer. This will demonstrate how easily you can add or modify rules to control a standard user’s access to preference panes, packages, bundles and binaries.

From the administrator account on your Windows computer launch the Microsoft Management Console (MMC.exe). Simply type 'mmc' into the search box from the Start Menu and press the Enter key.

Now add the Defendpoint snap-in to the console.

1. Select File from the menu bar and select Add/Remove Snap-in....

2. Scroll down the list and select the Defendpoint Settings snap-in. Click Add and then click OK.

3. Optionally select File > Save as and save a shortcut for the snap-in to the desktop as Defendpoint.

4. Expand the Defendpoint Settings node in the left-hand pane and select the OS X node to display the main screen in the details pane.

Importing the Defendpoint Settings

The next step is to import the Defendpoint Settings file (pguard.xml), which you earlier applied to the Mac computer, into the Defendpoint Management Console on the Windows computer. Once imported, you can begin to edit the settings.

To import the XML file into the Defendpoint Console:

1. Ensure the pguard.xml file (provided with the client installer) can be accessed from your Windows computer.

2. Select the Defendpoint Settings node.

3. Right-click and select Import….

4. Navigate to the location of the pguard.xml file and click Open.

5. If prompted select No in order to replace any current settings.

What’s in the Defendpoint Settings?

Defendpoint for Mac Settings are made up of Workstyles, Application Groups, Messages and Licensing.

In these settings there is one workstyle (Non-admin users) that targets any non-administrator user i.e. standard users.

The various Application Groups contain ‘definitions’ for each of the applications you have tested. If you want to apply an action to an additional application, simply add it to the relevant group.

The groups are as follows:

1 – Apps that are always blocked – Applications matching this group will always be blocked from running, and the user will be given a Block message.

2 – Apps that auto unlock – Applications matching this group will automatically be enhanced, meaning the user will never be presented with an Apple authorization dialog. Defendpoint will not display any additional message for these applications.

3 – Apps that require a Reason – Applications matching this group will automatically display a Reason message, meaning the user will be required to enter a reason in the dialog box in order for the application to run.

4 – Apps that require a password – Applications matching this group will automatically display a Password message, meaning the user will be required to enter a password in the dialog box in order for the application to run.

5 – Apps that are allowed – Applications matching this group will not display a Defendpoint message, but authentication requests are not controlled, meaning that where appropriate, Apple authentication dialogs will be displayed.

6 – Trusted Locations – This group contains a list of trusted locations, where applications will always be allowed to run by default. Changes to this group should be avoided, unless under the instruction of Defendpoint Support. Applications that are in trusted locations can be managed by adding them to higher priority groups.

7 – Unknown apps that do prompt – Applications matching this group will display a Reason message when they need enhanced rights, instead of an Apple authorization prompt. Enhanced rights will be blocked, allowing the user to enter a justification.

8 – Unknown apps that don’t prompt – Applications matching this group will be blocked, and the user will be shown a Reason message allowing them to enter a justification.

A valid license is included in the settings, which will expire on November 30th 2015.

Application Groups and the results of adding an application to them.

| Application Group | Action | Message |
|---|---|---|
| 1 – Apps that are always blocked | Block | No message |
| 2 – Apps that auto unlock | Run | No message |
| 3 – Apps that require a Reason | Run | Reason message |
| 4 – Apps that require a password | Run | Password message |
| 5 – Apps that are allowed | Run | Apple Authentication where appropriate |
| 6 – Trusted Locations | Run | Apple Authentication where appropriate |
| 7 – Unknown apps that do prompt | Block | Reason message |
| 8 – Unknown apps that don’t prompt | Block | Reason message |
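
The group ordering above behaves like a first-match rule list, which is why an application in a trusted location can still be blocked by adding it to a higher priority group. The sketch below is an added example, not part of the guide or of Defendpoint itself. It assumes groups are checked in ascending number order and that definitions match on exact path; all paths and the trusted-location list are constructed sample values.

```python
# Added illustration, not Defendpoint code. Assumptions: groups are checked in
# ascending number order, definitions match on exact path, and every path and
# trusted location below is a constructed sample value.
import posixpath
from dataclasses import dataclass

# Action per group number, following the guide's Application Group descriptions.
ACTIONS = {1: "Block", 2: "Run", 3: "Run", 4: "Run",
           5: "Run", 6: "Run", 7: "Block", 8: "Block"}

# Constructed sample policy: explicit definitions for groups 1 to 5.
DEFINITIONS = {
    1: {"/usr/bin/curl", "/usr/bin/ssh", "/Applications/Game Center.app"},
    2: {"/System/Library/PreferencePanes/EnergySaver.prefPane"},
    3: {"/Applications/iTunes.app", "/usr/bin/ssh"},  # ssh is shadowed by group 1
    4: set(),
    5: set(),
}
TRUSTED_LOCATIONS = ("/Applications/", "/System/", "/usr/bin/")  # constructed


@dataclass(frozen=True)
class Launch:
    path: str
    requests_authorization: bool = False  # would raise an Apple authorization dialog


def evaluate(launch):
    """Return (group number, action) for the first group that matches."""
    # Normalise first so "/Applications/../Users/..." cannot pass as trusted.
    path = posixpath.normpath(launch.path)
    for number in range(1, 6):
        if path in DEFINITIONS[number]:
            return number, ACTIONS[number]
    if path.startswith(TRUSTED_LOCATIONS):
        return 6, ACTIONS[6]
    # Everything else is unknown; groups 7 and 8 split on the authorization request.
    number = 7 if launch.requests_authorization else 8
    return number, ACTIONS[number]


def shadowed_definitions():
    """Return (path, winning group, shadowed group) for duplicated definitions."""
    winner, shadowed = {}, []
    for number in sorted(DEFINITIONS):
        for path in sorted(DEFINITIONS[number]):
            if path in winner:
                shadowed.append((path, winner[path], number))
            else:
                winner[path] = number
    return shadowed


if __name__ == "__main__":
    for sample in (Launch("/usr/bin/ssh"), Launch("/Applications/Safari.app"),
                   Launch("/Users/alice/Desktop/Rogue.app"),
                   Launch("/Applications/../Users/alice/Desktop/Rogue.app", True)):
        print(sample.path, "->", evaluate(sample))
    print("shadowed:", shadowed_definitions())
```

Running shadowed_definitions() over a policy before exporting it shows definitions that can never take effect because a higher priority group already claims the same path.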

Exporting the Defendpoint Settings

In the following four chapters you’re going to edit the settings you’ve just imported, which will apply additional changes to the standard end user experience.

Each time you modify the settings you will Export them and add the new settings to the Mac computer, in order to see the effect of the changes.

Alternatively, for ease, you can make all of the changes detailed in chapters 7 – 10 in one go, and then perform the Export… and Adding Settings process once.

Once they’ve been added, you can test against them from the standard user account on the Mac computer.

To export the Defendpoint Settings as an XML file, from the Defendpoint Console:

1. Select the Defendpoint Settings node.

2. Right-click and select Export….

3. Select the pguard.xml file, choose an appropriate destination and click Save.

4. Once the pguard.xml file has been saved, copy it to the Mac computer by following the steps in Adding the Defendpoint Settings to the Mac computer, using the Terminal command described at the end of that section.

Adding a Preference Pane to Defendpoint

Using the Defendpoint Console on the Windows computer, you are going to edit the settings contained in the pguard.xml file that you previously added to the Mac computer. This will illustrate how easy it is to add rules to the settings.

You’ll edit the settings and then re-apply them to the Mac computer.

In the first exercise you are going to add a preference pane that a standard user would normally require admin credentials to access.

1. From the Defendpoint Console select and expand the OS X node.

2. Expand the Application Groups node and select group 2 – Apps that auto unlock.

3. Right-click in the details pane and select Insert OS X Application > System Preference Pane.

4. From the OS X System Preference Pane dialog click Template and select a preference pane of your choice, for example Energy Saving. Click Next.

5. In the Description dialog enter a description for the preference pane you have selected and click Next.

6. Select File > Save.

7. Finally, Export the settings following the steps described in Exporting the Defendpoint Settings and apply them to the Mac computer by following the steps described in Adding Defendpoint Settings to a Mac computer.

As soon as the settings file pguard.xml is placed in the /etc/pguard/ folder, the new Defendpoint Settings are active on the Mac computer.

1. As a standard user try unlocking the Energy Saving preference pane to illustrate how your modifications impact on the standard user experience.

2. Click the padlock to unlock the preference pane. The padlock will unlock and the Energy Saving settings can now be altered by a standard user.

Note: Chapters 8, 9 and 10 describe steps relating to packages, bundles and binaries. You can make those changes chapter by chapter or all at once, exporting the Defendpoint Settings and adding them to the Mac computer only once, to avoid repetition. Then test each modification introduced to witness the impact on the standard user experience.

Adding a package to Defendpoint

In the second exercise you are going to allow the standard user to open an installation package that would normally require admin credentials.

1. From the Defendpoint Console expand the Application Groups node and select group 2 – Apps that auto unlock.

2. Right-click in the details pane and select Insert OS X Application > Package… and type a package name of your choice. Click Next.

Note: The name of the package is case sensitive, so ensure you use the correct case.

3. In the Description dialog enter a description for the package you have selected and click Next.

4. In the OS X Application Definition dialog accept the default settings and click Finish. The package will be added to the group.

5. Select File > Save and then export the modified Defendpoint Settings.

6. Finally add the Defendpoint Settings to the Mac computer.

When a standard user attempts to install the package from the Mac computer the Apple installer will progress through the install dialogs and the installation will commence successfully without any request for further authorization.

Adding a bundle to Defendpoint

In the third exercise you are going to stop the standard user from launching a bundle until a reason is supplied in the Reason message that will be displayed. If you wanted to try displaying a different type of message you could add the application to application group 4 – Apps that require a password.

1. From the Defendpoint Console expand the Application Groups node and select group 3 – Apps that require a Reason.

2. Right-click in the details pane and select Insert OS X Application > Bundle….

3. From the OS X Bundle dialog you can either enter the File or Folder Name directly or click Template and select a bundle of your choice, for example iTunes. Click Next.

4. In the Description dialog enter a description for the bundle you have selected and click Next.

5. In the OS X Application Definition dialog accept the default settings and click Finish. The bundle will be added to the group.

6. Select File > Save and then export the modified Defendpoint Settings.

7. Finally add the Defendpoint Settings to the Mac computer.

When a standard user attempts to launch the bundle from the Mac computer the following Reason message will be displayed.

Adding a binary to Defendpoint

In the final exercise you are going to add a binary command to the Blacklisted application group, to block the standard user from using it.

1. From the Defendpoint Console expand the Application Groups node and select group 1 – Apps that are always blocked.

2. Right-click in the details pane and select Insert an OS X Application > Binary… and type a binary command (Filename or Folder) of your choice, for example ssh. Use the full path for the command, in this case /usr/bin/ssh and click Next.

3. In the Description dialog enter a description for the binary you have selected and click Next.

4. In the OS X Application Definition dialog set the Perform Match Using criteria to Exact Match and click Finish. The binary will be added to the group.

5. Select File > Save and then export the modified Defendpoint Settings.

6. Finally add the Defendpoint Settings to the Mac computer.

7. As a standard user open the Terminal and try running the ssh command. The block message below will be displayed.

Conclusion

In the previous four chapters you’ve edited the Defendpoint Settings by applying rules to preference panes, packages, bundles, and a binary, thereby affecting the standard end user experience.

It would now be worthwhile for you to continue tailoring your Defendpoint Settings with your own applications and use cases. In this fashion you will discover how to manipulate the settings in Defendpoint that are relevant to your organization.

Feedback Questions

Thank you for evaluating Defendpoint for Mac using this Technical Preview. At the end of the evaluation period (November 30th) we will be arranging a feedback session and this next section is for you to note down any feedback you would like to provide to us.

Configuring Defendpoint for Mac

1. Which OS X applications did you try controlling?

2. Which OS X installations did you try controlling?

3. Were your attempts to achieve what you wanted successful or not?

a. If not, what difficulties did you run into?

Installing & Deploying

1. What tools did you use to install Defendpoint for Mac?

2. What tools did you use to distribute the Defendpoint configuration to your test computers?

Reporting

1. If you rolled out Defendpoint for Mac, what questions would you have about how your OS X computers were operating with Defendpoint?

2. What would you do with the answers to those questions?

3. Do you use Avecto Enterprise Reporting currently?

a. How would you see the OS X data fitting in with your Windows data?

Overall experience

1. Thinking about your experience of configuring Defendpoint for OS X, what would you say were the highs and lows?

2. And in terms of the behavior you saw on the OS X computer, was there anything that stood out for you – either positively or negatively?

3. If you used the Management Console to configure the Defendpoint for Mac workstyle could you fill out this 10-point questionnaire on how you felt about it? (It should take fewer than 2 minutes to complete): https://www.surveymonkey.com/r/DefendpointForMac

4. How do you see Defendpoint for Mac fitting into your organization?

a. What aspects of Defendpoint for Mac do you think would work really well for your organization?

b. What aspects of Defendpoint for Mac do you think would present difficulties for your organization?

c. Would you consider using Defendpoint on Macs in your business?

i. How soon might you consider that?

ii. What would your primary objectives be for using Defendpoint for Mac?

iii. What blockers would there be?

iv. How big would your deployment be were you to use it?

5. Do you have any other questions about the Defendpoint for Mac?

Support

For any support information please contact the Avecto Support desk using the following contact methods:

Europe +44 (0) 845 519 0724

Americas +1 978 703 4165

Asia +81 345 789 386

Australia +61 399 883 844

Email [email protected]

Portal: https://connect.avecto.com

If you want to give feedback to product support, for example about the reason for the inclusion of a new feature, a use case that you believe hasn’t been achieved, or a question about functionality, please contact us at:

[email protected]

What’s next?

For contact information refer to the Avecto + You section of this document.
