In some scenarios, it is necessary to create Sudo rules in EPM macOS to allow specific privileged executions that cannot otherwise be avoided. These rules must be configured with caution, ensuring that they address only the identified need without opening security gaps (for example, by matching more commands than intended).
How to assess the need for a SUDO rule
- Analyze whether the issue can be resolved without using SUDO (e.g., permission adjustments or execution alternatives).
- If not possible, determine which command requires privilege elevation.
- Define whether the rule will be applied to a specific user or a segregation (User or Device).
- Plan the removal of the rule after execution if it is a one-time requirement.
How to configure SUDO rules in EPM
- In Segura®, go to the Product Menu and navigate to EPM > Policies > macOS > Sudo Rules.
- Click Add to create a new rule.
- Fill in the required fields:
- Command: enter the exact command or use wildcards or regex when necessary.
  - * (wildcard): matches any value.
  - ^regex$: anchoring the pattern between start (^) and end ($) defines an exact match of the whole command.
  Regarding regex in SUDO rules: the matching mechanism uses POSIX regular expressions (not PCRE2), so use POSIX syntax when defining patterns.
- Segregation: define whether the rule will apply to all users or only to specific profiles.
- Comments: record the justification for the rule to ensure traceability.
- Save the configuration and activate the rule.
For support in creating expressions, refer to the official Apple documentation on regex.
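As an added example (not part of this page or of the Segura EPM product), the script below shows one way to check a candidate Command pattern before saving a rule, covering both the "assess the need" step and the wildcard/regex guidance above. It assumes, as the page states, that the rule engine evaluates the pattern as a POSIX regular expression; grep -E (POSIX ERE) stands in for that engine here, and the command lines it is tested against are constructed samples, not commands from any real environment.

```shell
#!/bin/sh
# Added example: dry-run a POSIX ERE sudo-rule pattern against sample command
# lines before it is entered in EPM > Policies > macOS > Sudo Rules.
# Assumption: the EPM engine matches like grep -E; the samples are constructed.

# matches_rule PATTERN COMMAND -> exit status 0 if COMMAND matches PATTERN
matches_rule() {
    printf '%s\n' "$2" | grep -E -q -- "$1"
}

# Anchored pattern: one binary, a fixed subcommand, one plain package name.
ANCHORED='^/usr/bin/brew (install|upgrade) [A-Za-z0-9._-]+$'
# Same pattern without ^ and $: it also accepts anything before or after.
LOOSE='/usr/bin/brew (install|upgrade) [A-Za-z0-9._-]+'

# count_overmatches PATTERN -> prints how many of the commands that the rule
# is NOT meant to permit are still accepted by PATTERN (0 is the goal).
count_overmatches() {
    n=0
    for cmd in '/usr/bin/brew install wget extra-arg' \
               '/usr/bin/brew install wget --env=std' \
               '/tmp/other/usr/bin/brew upgrade curl'; do
        if matches_rule "$1" "$cmd"; then n=$((n+1)); fi
    done
    echo "$n"
}

# Usage when run directly: report both patterns so the narrower one is chosen.
if [ "${0##*/}" = "check_sudo_rule.sh" ]; then
    echo "anchored pattern over-matches: $(count_overmatches "$ANCHORED")"
    echo "loose pattern over-matches:    $(count_overmatches "$LOOSE")"
fi
```

The anchored pattern accepts exactly the intended invocation and rejects the three samples, while the loose pattern accepts all of them; this is the kind of difference to confirm before saving a rule, and to record in the rule's Comments field.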