Endpoint Privilege Management for Mac 25.8

November 4, 2025

🆕 New features

Identity authentication

This release introduces identity authentication, integrating Endpoint Privilege Management for Mac with Microsoft Entra ID. Users can confirm their Entra ID identity directly from the menu bar dropdown or through EPM messages. Once an identity is verified, policies can use the user's Entra ID group membership to control access.

For admins, Entra ID groups can now be assigned to Mac workstyles. In addition, EPM events include the user's email address once the identity has been confirmed, making tracking and management easier.

📘 For more information, see the EPM for Windows and Mac (Cloud and Pathfinder) 25.8.840 release notes.

Policy hash

The EPM for Mac adapter now validates each policy file it downloads from EPM Cloud against the policy hash value supplied with it, closing a potential vulnerability. The check fails closed: if no hash is present, the adapter does not download the policy.

🛠️ Issues resolved

  • Issue: Local Admin is blocked from running sudo commands.
    Resolution: Elevated users and SSH admins can no longer execute actions on BeyondTrust install paths when anti-tamper is enabled.

  • Issue: Standard users with JIT admin and anti-tamper activated could change permissions of files in /Library/Application Support/Avecto.
    Resolution: Standard users with JIT admin and anti-tamper active can no longer change permissions in this directory.

  • Issue: EPM-M inadvertently controlled the authorization right that allows standard users to kill root processes in the Activity Monitor app.
    Resolution: Resolved on macOS Sequoia and later.

  • Issue: Logs from the EPM-M component com.beyondtrust.epm.gui were excluded from Capture Config logs when "Defendpoint" only logs were selected.
    Resolution: The com.beyondtrust.epm.gui logs are now recorded.

  • Issue: Standard users allowed to run permissive sudo commands could change the file permissions of EPM-M uninstall scripts.
    Resolution: Access to installation paths is no longer permitted when users are allowed to run sudo commands.

  • Issue: defendpointd applied incorrect permissions when re-creating the BIAudit folder at /Library/Application Support/Avecto/BIAudit.
    Resolution: defendpointd now applies the correct permissions when re-creating the BIAudit folder.

  • Issue: Admin requests older than 90 days became out of sync with EPM, leaving users unable to use the request.
    Resolution: Users can now create a new request.

  • Issue: Unexpected results when removing a right from the AlwaysAllowRight section and adding it to the IgnoreRights section.
    Resolution: Resolved an issue where authorization rights moved from the Custodians IgnoreList to AlwaysAllowRootRights ended up with the incorrect delegates controlling the right.

  • Issue: Audit event 120 (process-start-cancelled-by-user) was not raised when a user cancelled a JIT application access request.
    Resolution: The event is now raised, so admins can see when a request was generated and then cancelled by the user.

  • Issue: Support for macOS 26.
    Resolution: Endpoint Privilege Management for Mac now supports macOS 26 Tahoe, resolving the incorrect macOS name in EPM and issues with the BeyondTrust application on macOS Tahoe.
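Several of the fixes above concern permissions on EPM-M install paths (the Avecto support directory, the BIAudit folder, the uninstall scripts). The following added example is a post-upgrade check, not BeyondTrust code: it lists entries under an install path that are not owned by the expected user or are writable by group or others, which is exactly what a JIT-elevated or sudo-capable standard user would need in order to tamper. The default path and the expectation that everything is root-owned and not group/world-writable are assumptions; the page states no expected modes.

```shell
#!/bin/sh
# Added example, not BeyondTrust code: audit an EPM-M install path for entries a
# non-root user could modify.
# Assumptions: everything under the path should be owned by OWNER (default root)
# and writable only by its owner. Symlinks are skipped because their own mode
# bits are not meaningful.
#
# Usage: find_loose_entries [DIR] [OWNER]
# Prints offending paths, one per line.
# Exit status: 0 = nothing found, 1 = loose entries found, 2 = directory missing

find_loose_entries() {
    dir="${1:-/Library/Application Support/Avecto}"
    owner="${2:-root}"

    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 2
    fi

    # -perm -g+w / -perm -o+w match when that write bit is set, whatever the
    # other bits are; ! -user flags anything not owned by the expected account.
    loose=$(find "$dir" \( ! -user "$owner" -o -perm -g+w -o -perm -o+w \) \
                 ! -type l 2>/dev/null)

    if [ -n "$loose" ]; then
        printf '%s\n' "$loose"
        return 1
    fi
    return 0
}
```

Run it as root after the upgrade (and again after a JIT session ends) and expect an empty result; any path it prints is a candidate for the anti-tamper regression the fixes describe, and a BIAudit folder that is group-writable by admin is the specific case the defendpointd fix addresses.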

🔄 Compatibility

  • EPM Policy Editor 25.8
  • Privilege Management ePO Extension 25.8
  • Privilege Management Console Adapter 25.8
  • BeyondInsight/Password Safe 24.3
  • Trellix Agent 5.7+

macOS Compatibility

  • macOS 13 Ventura
  • macOS 14 Sonoma
  • macOS 15 Sequoia
  • macOS 26 Tahoe

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.