Endpoint Privilege Management for Mac 26.1
March 31st, 2026
✨ Enhancements
Improved Identity authentication
Improved Identity authentication for Windows and Mac: Entra ID User group information is now updated when EPM policies are updated, and the periodic update of Entra ID User group information is configurable between 4 and 24 hours.
For more information, see Identity authentication.
Updated Agent Protection
In some cases, users could bypass Endpoint Privilege Management for Mac Agent protection after the user gained access to root terminals. We’ve updated the agent protection feature so this access can no longer occur.
🛠️ Issues resolved
| Description | Resolution |
|---|---|
| Sparkle self‑updaters could fail when settings were deployed via RDT due to incorrect Custodian.plist settings. | Improved compatibility for Sparkle-based app updates when deploying settings via RDT. |
| In some Just‑In‑Time (JIT) Admin sessions with Anti‑Tamper enabled, users with temporary admin rights could remove the /Library/LaunchDaemons and /Library/LaunchAgents folders. | Updated Anti‑Tamper protection so users with temporary admin access in JIT Admin sessions can no longer remove critical system folders. |
| The approval duration text shown to end users for Just‑In‑Time (JIT) Application Access requests was fixed in English and could not be customized or translated. | You can now customize the text “Body Approval Details Text (One-Time Use)” and “Body Approval Details Text (Set Duration)” for JIT Application Request Messages. This includes a new parameter, [PG_EXPIRY_TIME], to be used in JIT Application Request Messages. |
| In the BT App, JIT Admin requests were not ordered by the create date. | Updated the BT App so that JIT Admin requests are ordered by creation date instead of by the most recently updated request. |
| Anti-Tamper was not preventing standard users from running the EPM-M uninstall script if they obtained the inode of the file. | Enhanced Anti‑Tamper protections so standard users cannot trigger the uninstall script by inode or similar indirect methods, preventing unauthorized partial uninstalls. |
| Messages configured for “Reason + Password or Touch ID” could be approved using only the reason field when Touch ID was not configured, allowing users to bypass the password requirement. | Updated EPM dialogs so that when Touch ID is unavailable, the password fallback is always enforced and users can no longer approve these prompts with reason only. |
| In Activity Monitor on macOS Tahoe, users who attempted to terminate processes running as root were prompted to enter “Creator Group” credentials rather than administrative user details. | Corrected the Activity Monitor elevation flow so users are now prompted for the expected administrator credentials when terminating root processes. |
| Anti‑Tamper rules blocked legitimate, non‑malicious commands even when run from a root shell. | Updated Anti‑Tamper protection so that root processes can query EPM versions and use the pmfm binary. |
| When the BI adapter was unable to obtain an OAuth token on startup due to network issues, it failed to communicate with BI. | The BI adapter now tries again to obtain an OAuth token if the first attempt is not successful. |
| EPM-M took control of the psso-screensaver-mscp right, causing some users to get stuck on the lock screen after reboot. | The psso-screensaver-mscp right is excluded from EPM‑M control, allowing users to unlock the screen normally. |
| EPM used excess memory after thousands of audit events were created quickly. | Resolved the memory usage issue in EPM so that memory is correctly reclaimed when operating under excess load. |
| On some endpoints left idle for extended periods, the EPM adapter was unable to download policy. | Improved the EPM Cloud adapter's handling of policy communication so the adapter continues to download and update reliably after the device wakes from idle or sleep. |
| Computer group changes were sometimes not reflected when using “Refresh all Policies”. | “Refresh all Policies” in the EPM-M menu bar now allows faster policy download when an endpoint has moved Computer Groups in EPM Cloud. |