Mac Client - Install / Uninstall

Prerequisites

Admin By Request supports the following macOS versions:

  • macOS 10.15 (Catalina)

  • macOS 11 (Big Sur)

  • macOS 12 (Monterey)

  • macOS 13 (Ventura)

  • macOS 14 (Sonoma)

Installation may work on macOS 10.12 (Sierra) through 10.14 (Mojave), but product development and testing is not done on these versions and they are not officially supported.

Note that certain Mac 5.0 features, such as Admin Auditing and the new app installation flow, require macOS 11 or higher.

Your Tenant License

The installer file downloaded from the portal is unique to your tenant. Depending on the target operating system, it can be an executable file, a package or a script and it is signed with a license that applies only  to installers downloaded from the tenant in which you are currently logged-in. The same license file is applied to each of the operating system client installers: Windows, macOS, Linux and Server.

This is true for free plans as well as paid plans.

When installed on an endpoint, once the endpoint connects successfully, you will see in real time the status of the endpoint in your Inventory, which is also unique to your tenant. You will not see other endpoints installed with files downloaded from other tenants - this is simply not possible.

Admin By Request System Extension

Admin By Request 5.0 and higher includes an optional system extension to add additional functionality to the client – including intuitive installation of applications and additional admin entries for the auditlog.

To utilize this functionality, the system extension must be enabled and granted the correct permission.

KEY POINT:

If using other system extensions or real time scanning solutions like Microsoft Defender, CrowdStrike etc., please be aware that these can potentially conflict with each other.

Refer to Troubleshoot performance issues for Microsoft Defender for Endpoint on macOS for further details.

Full Disk Access (FDA)

Full Disk Access (FDA) must be enabled for both the adminbyrequest  application and the Admin By Request System Extension.

IMPORTANT:

The order of installation tasks matters and it differs depending on manual installation of a single endpoint, or automated installation of multiple endpoints via an MDM such as Jamf or Intune.

Installing Admin By Request

There are two procedures described - the first covering manual installation of one endpoint at a time and the second for the automated installation of multiple endpoints.

Single endpoint installation (manual)

This procedure describes how to manually install the Mac client on a single endpoint.

NOTE:

The following needs to be enabled on devices running ABR Mac 5.0 or later:

  • With System Extension:

    • Allow the Admin By Request System Extension
      (during installation - Download and install step 5)

    • Enable Full Disk Access to “adminbyrequest”
      (after installation - Enable FDA for two apps)

    • Enable Full Disk Access to the “Admin By Request System Extension”
      (after installation - Enable FDA for two apps)

  • Without System Extension:

    • Enable Full Disk Access to “adminbyrequest”
      (after installation - Enable FDA for two apps)

Multiple endpoint installation (automated via MDM)

This procedure describes how to install the Admin By Request Mac client on multiple endpoints using an MDM such as Jamf or Intune. The examples here use Jamf but the same Code Requirements can be used with any MDM.

NOTE:

For the Mac 5.0 client, we supply two configuration files to help with allowing the Admin By Request System Extension and enabling Full Disk Access for two apps. These are:

  1. AdminByRequest - System Extension.mobileconfig (optional)

  2. AdminByRequest - FDA PPPC_v2.mobileconfig

Download both in a zip file here.

These configuration files must be deployed in your MDM scripts before installing (or upgrading to) Admin By Request Mac 5.0. Failure to do so means the new features in the Mac 5.0 client will not work.

Upgrading Admin By Request

You can manually upgrade any client immediately by simply installing the latest version, although upgrading endpoint client software occurs automatically when new versions are released.

Deploying new releases

Admin By Request software updates are deployed by our Auto-Update process. However, when we release a new version we do not deploy it right away to all customers via auto-update. This is simply to mitigate any issues that arise after beta testing.

Our rule-of-thumb is to activate auto-update of new releases within 4 - 8 weeks of release, but this is subject to change, depending on feedback and any potential issues that might arise.

Contact us if you wish to receive the latest version right now. You can also raise a support ticket requesting the latest update.

Refer to the Download Archive for previous versions of Admin By Request.

NOTE:

If your Macs are not auto-updating to the latest version of Admin By Request, check the currently installed version on your endpoints. There was an auto-update problem with macOS version 3.2.1 - any Macs running that version of ABR will need to be manually updated.

The problem has been fixed in later versions of Admin By Request (macOS client).

For more information

Refer to Synchronizing Clients with the Portal for a description of how endpoint clients communicate with the portal inventory.

Refer to Release Notes (macOS) for details on what is covered in each new release.

Uninstalling Admin By Request

IMPORTANT:

If managing macOS endpoints using an MDM (e.g Intune, Jamf, Workspace ONE etc.), a post-uninstall script might be needed to revert at least one user account to admin permissions on each affected endpoint after completing the uninstall steps below.

This will be required only if all accounts have been downgraded to standard users. Check your Mac Settings in the portal (Lockdown > Admin Rights). If setting Revoke admin rights is On and there are no excluded accounts, then all accounts on each managed endpoint will have been downgraded.

Once Admin By Request is removed, the post-uninstall script needs to promote at least one account to admin permissions. Refer to (external) page Script to revoke or grant admin rights to standard users in macOS for an example.

The following procedures describe three ways to uninstall Admin By Request on a Mac:

These procedures are not sequential - pick one or a combination of all three, depending on your requirements.

User rights after installation

When a user logs on, the account is downgraded from Admin to Standard User unless:

  • You have turned off Revoke Admins Rights in the portal settings (EPM > Settings > WindowsMacLinux Settings > Lockdown > ADMIN RIGHTS).

  • Also under Revoke Admins Rights, the user is in the list of Excluded accounts.

  • The computer is domain-joined and the user is a domain administrator.

Please refer to Supplementary Technical Information for more information.

Tamper Prevention

When a user initiates an administrator session, the user’s role is not actually changed from user to admin. The user is granted all administrator rights, except the right to add, modify or delete user accounts. Therefore, there is no case where the user can create a new account or change their own role and become a permanent administrator.

The user also cannot uninstall Admin By Request, as the only program, to keep the administrator session open forever. Furthermore, all settings, configuration and program files are monitored during administrator sessions. If the user tries to remove or change any of the Admin By Request files, these are restored straight away and the attempted activity is logged.

Mac Performance after Installation

When users are not using Admin By Request, it does not consume resources, except for a brief daily inventory and settings check.

Logging

Client activity and errors are logged in file /var/log/adminbyrequest.log.