EPM FOR MAC RAPID DEPLOYMENT TOOL USER GUIDE

📘

Note

The Rapid Deployment Tool is created and distributed in a DMG file.

1. Once the tool is mounted, a dialog box opens.
2. Drag and drop the application into /Applications/. Alternatively, use an install rule using Endpoint Privilege Management for Mac.

Create a package to deploy Endpoint Privilege Management for Mac settings to your macOS computers. The Base Platform includes settings that are different than Endpoint Privilege Management for Mac policy settings.

1. Start the Rapid Deployment Tool, and then select Privilege Management for Mac Base Platform.
2. On the General tab, configure the following:
   • Prompt users to copy applications into the applications folder: Also known as the MountAssist feature. Select to inspect any mounted DMG volumes the user downloads and opens for applications that are allowed by the policy. If any are found, the user is automatically prompted to choose whether they want to copy the application to the /Applications location.
   • Anonymous Logging: Prevents user/machine identity from being written to audit data. Organizations may need to select this option for legal or other security requirements compliance. This anonymous logging setting is independent of the anonymous logging options residing in the policy.
   • Sudo Management Control: When selected, EPM-M ensures that sudo commands consult the endpoint policy. If no match is found in the policy, then the default sudoers behavior is applied.
   • Show badge icons for all applications: EPM-M allows users to install and remove applications to the /Applications location by use of a context menu in Finder. When this option is selected, users will see a badge icon indicating this option is available to them.
   • Allow biometric authentication in place of password authentication: Select to permit users to authenticate using TouchID authentication rather than a password.
   • Do not allow standard users to modify or remove Privilege Management for Mac: Select to prevent Standard Users from tampering with the EPM-M client, all platform adapters, policies, and settings files.
   • Enable policy rule caching: EPM-M caching detects and stores user actions that have been repeated recently. This improves performance during user actions which require many execution events within a short period of time (for example, compiling software).
   • Enable LegacyUI: Toggle between the new modern UI and the old one. The default state is set to show the new UI. Select Legacy UI to disable the new user interface and revert to the legacy view.
3. On the Policy Sources tab, move the policy source you are using to the top of the list.
   EPM-M can receive policy from multiple sources. The ordered list is the priority order for loading configurations. The first policy provider found is chosen as the active policy source. No other policy sources will be used.
4. On the Controlled Paths tab, add or remove application paths to be controlled by EPM-M.
   The locations listed are subject to Application Control rule processing. If an application is launched from a location which is not in this list, then it will not be subject to Application Control.
5. On the User Messages tab, customize the messages presented to the user by the MountAssist feature.
   You can use the following placeholders for the message format: [APP_NAME] and [MOUNT_NAME].
6. After you select options, click Export.
7. Select to save the settings to a file or export to Jamf.
8. Select a folder for the output file.
   The name of the file generated is always the same. If you select a folder that already contains a file of the same name, you cannot continue.

Create a package that provides the configuration settings for macOS computers to communicate to the EPM instance. A package can be created for EPM on-premises or EPM platforms.

Optionally, configure the settings at the same time as the platform. Settings for both can then be included in the same package.

1. Start the Rapid Deployment Tool, then select the Privilege Management Console platform.

2. Configure the following settings:

   • Tenant ID: GUID found on the EPM portal (environment to connect to).
   • Installation ID: GUID found on the EPM portal (environment to connect to).
   • Installation Key: GUID found on the EPM portal (environment to connect to) .
   • Service URI: The URL for your EPM instance. Usually in the format of https://pmcqa.epm.beyondtrustcloud.com. The URL is provided by the EPM system administrator.
   • Group ID: Optional. GUID. If defined, the endpoint will be automatically assigned to that specific group.
   • CA Certificate ID: Optional. The SHA-1 of a root Certificate Authority (CA) certificate or not specified when using a globally signed certificate.
   • CA Certificate: Optional. If the webserver certificate is not signed by a globally trusted CA, the CA certificate must be distributed to the endpoints so that the system accepts the SSL negotiation. We do not recommend using self-signed certificates. At a minimum, use a privately managed CA.

3. Select the settings to export: management platform, the base platform, or both.

4. Click Export, then select Package or Jamf.

5. Save the file.

Create a package that provides the configuration settings for macOS computers to communicate to the BeyondInsight instance.

Optionally, configure the Privilege Management for Mac settings at the same time as the platform. Settings for both can then be included in the same package.

1. Start the Rapid Deployment Tool, and then select the BeyondInsight platform.
2. Configure the following settings for the BeyondInsight platform:
   • URL: The URL to the BeyondInsight server that is used for Central Policy management.
   • Cert Name: The name of the BeyondInsight client certificate used to communicate with BeyondInsight. The certificate file name is eEyeEMSClient.
   • Workgroup: The name of the Workgroup that is sent to BeyondInsight to assist when grouping assets.
   • Heartbeat Interval: The frequency interval, in minutes, to send a heartbeat to BeyondInsight. The heartbeat check ensures the endpoint can communicate to BeyondInsight.
   • Policy Interval: The frequency interval, in minutes, to poll for new policies.
   • Policy Interval Variance: The upper limit of random number of minutes to add on to the policy interval to prevent overloading the server.
   • Add client certificate: The name of the BeyondInsight client certificate used to communicate with BeyondInsight. The certificate file name is eEyeEMSClient. You can use a partial certificate name that enable connections to an endpoint. Use wildcards to set a partial certificate name, for example, Hostname.EyeEmsClient, can be matched with *.EyeEmsClient or *.?yeEmsClient.
3. Select the settings to export: management platform, the base platform, or both.
4. Click Export, and then select Package or Jamf.
5. Save the file.

When the Rapid Deployment Tool connects to a Jamf instance, the currently configured file share distribution points are retrieved. Ensure file share distribution points are already configured in Jamf before proceeding.

1. After you enter platform settings, click Export, and then select Jamf.
2. Enter the URL and user credentials for Jamf.
3. Select Remember my URL and username to retain the instance connection details. The connection details are remembered when the Rapid Deployment Tool restarts.

After you successfully connect to a Jamf instance, create a Jamf policy. The policy and package are exported to the instance at the same time.

You can deploy the policy you create here to additional groups in the future using the Jamf web interface.

Policy names must adhere to the following rules:

• Must be plain text using standard characters.
• Cannot use emojis or characters more than 1 byte in size.
• Cannot duplicate policy names already in Jamf. Entering a duplicate name results in an error.

ℹ️

Note

For more information, see UTF-8 decoder capability and stress test.

1. Enter a policy name.

2. Enter the fileshare distribution point (FDP).

3. Optionally, click Deploy to Group to display a list of groups in Jamf. The group must already exist in your Jamf environment. Select a group, and then select Deploy Now to push the policy and .pkg to the endpoints in the group.

4. If you do not want to select a group in Jamf, click Deploy Now.

5. You might be required to enter credentials (core macOS prompt) to connect to the FDP so the tool can copy the .pkg to the SMB share. Enter credentials for the FDP. A progress bar indicates the progress of the deployment to the FDP and the upload of the policy to Jamf.

ℹ️

Note

Jamf assumes a setup of a primary FDP and then mirrors. The policy uploaded to Jamf will reference the .pkg location as being on the primary FDP. If the set up is incorrect, then the .pkg will not deploy.