How to identify and configure Authorization Rights in EPM macOS

macOS uses Authorization Rights to control the execution of actions that require privileges. Each software can request specific rights from the operating system or define its own. In EPM macOS, these rights can be configured and monitored to ensure secure usage.

How the authorization flow works

1. A right is requested (Mac Authorization Right Requested)

   • The system displays an authentication window.
   • The user must enter their local credentials.

2. The right is extended (Mac Authorization Right Extended)
   Non-administrative users, upon successful authentication, receive a temporary right to perform the action.

3. Execution occurs with administrative rights (Mac Authorization Right Granted)
   Based on valid authentication and a configured rule in EPM, the permission is granted and the action is executed.

4. In case of failure, the right is denied (Mac Authorization Right Denied)

   • This happens when:
     • The right is not defined in the policies.
     • The user enters incorrect credentials.

Configure Authorization Rights in EPM

1. In Segura®, from the Products menu, go to: EPM > Policies > macOS > Authorization Rights.
2. Click Add to register a new right.
3. Choose the type of Segregation.
4. Fill in the required fields:
   • Authorization Right*: Identifier of the action (e.g., com.apple.installassistant.macos).*
   • Signature: Digital signature that validates the process.
   • Execution Path: Full path of the binary requesting the right.
5. Save the configuration and enable the rule.
6. Test the software execution to validate if the right has been correctly applied.

Practical Example

• User attempting to upgrade to macOS Sequoia
  • Action on use: com.apple.installassistant.macos