macOS Client - Install / Uninstall

Prerequisites

Full Disk Access (FDA) must be enabled for the adminbyrequest application, but this can only be done after installation.

The following installation procedure is in three parts: the first outlines downloading and installing the Admin By Request package, the second describes how to enable FDA, and the third outlines the differences between an admin user and a standard user (as well as the need to test the installation as a standard user).

Installing Admin By Request

Installation steps are grouped into the following tasks:

  1. .

    The following procedures describe two ways to install the Mac client:

      1. Sign-in to your Admin By Request account at https://www.adminbyrequest.com/Login.

      2. Download the Mac client from the Download page and store the client file in a suitable temporary location:

      3. Double-click the downloaded package to begin the installation.

      4. Allow the installation to proceed, providing your credentials if necessary:

      5. When done, close the installer and (optionally) move the installer package to the bin.

    2. .

      1. Sign-in to your Admin By Request account at https://www.adminbyrequest.com/Login.

      2. Download the Mac client from the Download page and store the client file in a suitable temporary location:

      3. In Jamf, go to Settings > Computer Management > Packages.

      4. Click New and enter a Display Name.

      5. Click Choose File and browse for the PKG downloaded from the ABR portal:

      6. Click Save.

      7. Now create a new policy in Jamf.
        Enter the Display Name from step 3 above and choose the relevant trigger for your deployment:

      8. Open Packages, and click Configure.

      9. Select the package just created and click Save.

      10. In Scope, choose the devices to which you want to deploy the ABR client.

  2. .

    Immediately after installation, FDA must be enabled to allow Admin By Request to fully protect Mac endpoints.

    NOTE:

    • The adminbyrequest application must be installed first, so that it appears in the list of apps available under Full Disk Access.

    • The procedures below are not sequential - choose one or a combination, depending on your requirements.

    The following procedures describe three ways to enable FDA:

    1. The procedure to enable FDA is slightly different for different macOS versions. The following steps describe how to enable FDA on Apple Macs running:

      • .

        1. On your Mac device, navigate to System Preferences > Security & Privacy > Privacy tab and select Full Disk Access from the list. You’ll need to supply your password to unlock and make changes.

        2. Select adminbyrequest in the list of apps (ensure the box is checked):

        3. Lock the tab to save changes.

      • .

        1. On your Mac device, navigate to System Settings > Privacy & Security tab and select Full Disk Access from the list. You’ll need to supply your password to unlock and make changes.

        2. Select adminbyrequest in the list of apps (ensure the box is checked):

        3. Lock the tab to save changes.

      • .

        1. On your Mac device, navigate to System Settings > Privacy & Security tab and select Full Disk Access from the list. You’ll need to supply your password to unlock and make changes.

        2. Select adminbyrequest in the list of apps (ensure the box is checked):

        3. Lock the tab to save changes.

    2. .

      Jamf uses Configuration Profiles to manage Mac endpoints:

      1. In Jamf, go to Computers > Configuration Profiles.

      2. Create a new profile and configure it as follows:

        1. Name: give the profile a name that helps explain what application it is giving rights to. In this example, we use ABR - PPPC.

        2. Category, select Applications.

        3. Distribution Method, select Install Automatically.

        4. Level, select Computer Level.

      3. Navigate from the General tab to the Privacy Preferences Policy Control tab:

        1. Identifier, enter /Library/adminbyrequest/adminbyrequest.

        2. Identifier Type, select Path.

        3. For Code Requirement, enter the following line of code:

          Copy 
          identifier "com.fasttracksoftware.adminbyrequest" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AU2ALARPUP

        4. Under App or Service, select SystemPolicyAllFiles and under Access, select Allow:

          Under App or Service, select Accessibility and under Access, select Allow:

        5. Save the profile.

      4. Deploy and use this profile to enable FDA for all your macOS endpoints.

    3. .

      Similar to Jamf, Intune uses Configuration Profiles to manage Mac endpoints:

      1. In Intune, under Configuration Profiles, select Create Profile.

      2. Enter the following details into the Create a Profile form:

        • Platform: macOS

        • Profile type: Templates

        • Template name: ABR – FDA

      3. Click Create.

      4. Under Device restrictions, go to Configuration settings.

      5. Select Privacy preferences and click Add:

      6. In the Edit Row form, enter the following:

        • Name: ABR – FDA

        • Identifier type: Path

        • Identifier: /Library/adminbyrequest/adminbyrequest

        • For Code Requirement, enter the following line of code:

          Copy 
          identifier "com.fasttracksoftware.adminbyrequest" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AU2ALARPUP

        7. The completed form:

      7. Finally, select Allow in field Full disk access:

  3. .

    Users logged-in with administrator privileges see the following icon and options from the menu bar:

    Users logged-in with standard privileges see a different icon and menu options:

    To test that Admin By Request is working properly, login to a Mac as a standard user and attempt a task that requires elevated privileges (such as modifying Users/Groups) to test that Admin By Request is working.

Upgrading Admin By Request

You can manually upgrade any client immediately by simply installing the latest version, although upgrading endpoint client software occurs automatically when new versions are released.

Deploying new releases

Admin By Request software updates are deployed by our Auto-Update process. However, when we release a new version we do not deploy it right away to all customers via auto-update. This is simply to mitigate any issues that arise after beta testing.

Our rule-of-thumb is to activate auto-update of new releases within 4 - 8 weeks of release, but this is subject to change, depending on feedback and any potential issues that might arise.

NOTE:

If your Macs are not auto-updating to the latest version of Admin By Request, check the currently installed version on your endpoints. There was an auto-update problem with macOS version 3.2.1 - any Macs running that version of ABR will need to be manually updated.

The problem has been fixed in later versions of Admin By Request (macOS client).

Refer to Resources > Documentation > Release Notes (macOS) for full details on what is covered in each new release.

Uninstalling Admin By Request

IMPORTANT:

If managing macOS endpoints using an MDM (e.g Intune, Jamf or Workspace ONE), a post-uninstall script might be needed to revert at least one user account to admin permissions on each affected endpoint after completing the uninstall steps below.

This will be required only if all accounts have been downgraded to standard users. Check your Mac Settings in the portal (Lockdown > Admin Rights). If setting Revoke admin rights is On and there are no excluded accounts, then all accounts on each managed endpoint will have been downgraded.

Once Admin By Request is removed, the post-uninstall script needs to promote at least one account to admin permissions as in the example:

<script example here>

Three ways to uninstall Admin By Request on a macOS device are described here:

  1. .

    The first few steps in this procedure require access to the portal.

    1. In the Admin By Request portal, navigate to the Inventory page and identify the device on which to perform the uninstall.

    2. Locate the device in the inventory list - in the PIN column, click PIN for that device (columns can be switched around - the PIN column in your portal might not be the right-most column):

    3. Click tab UNINSTALL PIN and then click button Generate PIN:

    4. Back on the device on which you want to uninstall Admin By Request, select the Admin By Request icon from the top menu bar and click About Admin By Request.

    5. In the Uninstall window, select Uninstall from the left button group, enter the PIN copied from the Portal, and click Uninstall:

    1. Create a script in Jamf.
      Go to Settings > Computer Management > Scripts and click New Script.

    2. Enter a name for the script and open it:

    3. For Mode, select Shell/Bash, and enter /Library/adminbyrequest/uninstall:

    4. Click Save to save the script.

    5. Next, create a policy for the deployment of the uninstall script (Remove ABR in this example).
      Enter the display name and choose an appropriate trigger for your deployment:

    6. Open Scripts, and click the + symbol to add:

    7. Add your uninstall script and click Save.

    8. Scope deployment of the script to the correct devices:

  3. .

    Uninstallation using sudo is straightforward for an admin user and simply requires executing an uninstall program once sudo is authorized.

    NOTE:

    The program cannot be run by a standard user during an Admin By Request administrator session. You need to log in as an admin user and also check/modify certain Mac settings in the portal.

    1. Login to the portal and go to Settings > Workstation Settings > Mac Settings.

    2. Select Lockdown in the vertical menu at left and check the Excluded accounts list.

    3. If your admin account is in the Excluded accounts list, continue with the next step. If your account is not in the list, add it and click Save. This must be an account with administrator privileges.

    4. On the Mac(s) to be uninstalled, log in with an account in the list. If you are already logged in, log out and log back in again.

    5. Run the following program on the Macs to be uninstalled:

      sudo /Library/adminbyrequest/uninstall

User rights after installation

When a user logs on, the account is downgraded from Admin to Standard User unless:

  • You have turned off Revoke Admins Rights in the portal settings (Settings Workstation Settings > Mac Settings > Lockdown > ADMIN RIGHTS).

  • Also under Revoke Admins Rights, the user is in the list of Excluded accounts.

  • The computer is domain-joined and the user is a domain administrator.

Please refer to Supplementary Technical Information for more information (section Technical Info).

Tamper Prevention

When a user initiates an administrator session, the user’s role is not actually changed from user to admin. The user is granted all administrator rights, except the right to add, modify or delete user accounts. Therefore, there is no case where the user can create a new account or change their own role and become a permanent administrator.

The user also cannot uninstall Admin By Request, as the only program, to keep the administrator session open forever. Furthermore, all settings, configuration and program files are monitored during administrator sessions. If the user tries to remove or change any of the Admin By Request files, these are restored straight away and the attempted activity is logged.

Mac Performance after Installation

When users are not using Admin By Request, it does not consume resources, except for a brief daily inventory and settings check.

Logging

Client activity and errors are logged in file /var/log/adminbyrequest.log.