Mac Client - Install / Uninstall

Prerequisites

Admin By Request for Mac 5.2 supports the following macOS versions:

  • macOS 14 (Sonoma)

  • macOS 15 (Sequoia)

  • macOS 26.2 (Tahoe)

Installation might work on macOS 11 (Big Sur) through 13 (Ventura), but product development and testing is no longer done on these versions and they are not officially supported.

IMPORTANT

Unless specifically prevented in portal settings, the installation process reverts the user performing the installation to a standard user. Therefore, if performing a manual installation on a standalone Mac, make sure you have an additional admin user configured before starting the install.

This is not an issue for Macs connected to a domain, where a domain admin account will always be available.

Your Tenant License

The installer file downloaded from the portal is unique to your tenant. Depending on the target operating system, it can be an executable file, a package or a script and it is signed with a license that applies only  to installers downloaded from the tenant in which you are currently logged-in. The same license file is applied to each of the operating system client installers: Windows, macOS, Linux and Server.

This is true for free plans as well as paid plans.

When installed on an endpoint, once the endpoint connects successfully, you will see in real time the status of the endpoint in your Inventory, which is also unique to your tenant. You will not see any endpoints installed with files downloaded from other tenants - this is simply not possible.

Admin By Request System Extension

Admin By Request for Mac 5.0 and higher includes an optional system extension to add additional functionality to the client – including intuitive installation of applications and additional admin entries for the auditlog.

To use this functionality, the system extension must be enabled and granted the correct permission.

If using other system extensions or real time scanning solutions like Microsoft Defender, CrowdStrike etc., please be aware that these can potentially conflict with each other. At the time of writing, all known conflicts with the Admin By Request client have been resolved.

Refer to Troubleshoot performance issues for Microsoft Defender for Endpoint on macOS for further details.

Full Disk Access (FDA)

Full Disk Access (FDA) must be enabled for both the adminbyrequest  application and the Admin By Request System Extension.

IMPORTANT

The order of installation tasks matters and it differs depending on manual installation of a single endpoint, or automated installation of multiple endpoints via an MDM such as Jamf or Intune.

On macOS 26.1 and 26.2, the privacy settings picker can fail to list binaries even when they are present. This behavior is fixed in macOS 26.3 and later.

If you are configuring Full Disk Access on macOS 26.1 or 26.2, use drag-and-drop of the required binary as a temporary workaround.

Installing Admin By Request

There are two procedures described - the first covering manual installation of one endpoint at a time and the second for the automated installation of multiple endpoints.

Single endpoint installation (manual)

This procedure describes how to manually install the Mac client on a single endpoint.

  1. If you haven't already, login to the Admin By Request portal.

  2. In the portal, click the Download menu link to download the Mac endpoint client and store the file in a suitable location:

  3. Click (or double-click) the downloaded package to begin the installation.

    The package runs a check to determine if Admin By Request can be installed:

  4. Allow and Continue with the installation, providing Administrator credentials if necessary:

  5. When done, close the installer and (optionally) move the installer package to the bin:

    The user experience on first-time use

    A number of things occur once Admin By Request is installed:

    1. The Admin By Request icon will be red initially (indicating elevated rights), but it will then change color (to black or white) as admin rights are removed.

      This occurs without needing a restart. An important consequence is that any operations requiring elevated privileges from now on need admin credentials, including responding to the Login Items & Extensions prompt coming up next (only a consideration for single endpoint installs - does not apply to MDM installations).

      Also does not apply if local admin rights are not revoked or if the user installing is listed in the excluded accounts (see portal setting Endpoint Privilege Management > Settings > Mac Settings > Lockdown > ADMIN RIGHTS).

    2. Several prompts appear, requesting authorization from the logged-in user.

      The first of these is the endpoint security extension prompt. When this appears, click Open System Settings:

    3. In Login Items & Extensions, enable the Admin By Request System Extension and click Done:

    4. From Admin By Request version 5.2, if the endpoint is enrolled in Secure Remote Access (portal setting Settings > Product Enrollment > SECURE REMOTE ACCESS - see Product Enrollment Example 2 for a scope example), an Accessibility Access prompt will appear:

      When this appears, click Open System Settings, go to Privacy & Security > Accessibility and enable Admin By Request SRA:

      This is a first-use, one-time-only prompt raised by the macOS operating system that allows Admin By Request SRA to run on the endpoint.

      NOTE

      • If installing Admin By Request via MDM and the endpoint is enrolled in Secure Remote Access at the time of installation, this prompt will not appear.

      • If the endpoint is not enrolled in Secure Remote Access, this prompt will not appear. However, if the endpoint is enrolled at some point in the future, the prompt will appear the first time a user logs in after enrollment.

    5. When the Screen Recording prompt appears, click Open System Settings:

      In Screen & System Audio Recording, enable Admin By Request:

Installation is now complete. Keep System Settings open and go to the next step, which is to ensure that Full Disk Access (FDA) is enabled for Admin By Request.

Following installation of the endpoint client, both the adminbyrequest executable and the Admin By Request System Extension need full disk access.

  • adminbyrequest - The main app for enabling Admin By Request endpoint client features, including the ability to drag a file over the ABR icon in the dock to elevate privileges.

  • Admin By Request System Extension - The extension app provides a range of functionality; the main feature being the ability to install an app by dragging its icon over the Applications folder (which also requires operating system version macOS 11+).

The installation process should correctly configure Full Disk Access for both - if it does not, or if you wish to check, use the following procedure.

The procedure to enable FDA is slightly different for different macOS versions. The following steps describe how to enable FDA on endpoints running macOS 11 (Big Sur) and macOS 12 (Monterey), and then for endpoints running macOS 13 (Ventura) through macOS 26 (Tahoe).

  1. On your Mac device, navigate to System Preferences > Security & Privacy > Privacy tab and select Full Disk Access from the list. You’ll need to supply your password to unlock and make changes.

  2. Select both adminbyrequest and Admin By Request System Extension in the list of apps (i.e. ensure the boxes are checked):

  3. Lock the tab to save changes and close the System Preferences window.

  1. On your Mac device, navigate to System Settings > Privacy & Security tab and select Full Disk Access from the list. You’ll need to supply your password to unlock and make changes.

  2. Enable the Admin By Request System Extension:

  3. Drag and drop the adminbyrequest executable from Finder into the Full Disk Access list in System Settings. Note that this step is not required in macOS 26.3 or above.

That completes the requirements for enabling both the Endpoint Privilege Management and Secure Remote Access components of Admin By Request.

Users logged-in with administrator privileges see the following icon and options from the menu bar:

Users logged-in with standard privileges see a different icon and menu options:

To test that Admin By Request is working properly, login to a Mac as a standard user and attempt a task that requires elevated privileges (such as modifying Users/Groups) to test that the product is working.

Refer to Using Run As Admin and Requesting Administrator Access for more information on tasks that require elevated privileges.

Multiple endpoint installation (automated via MDM)

This procedure describes how to install the Admin By Request Mac client on multiple endpoints using an MDM such as Jamf or Intune. The examples here use Jamf but the same Code Requirements can be used with any MDM.

We supply two configuration files to help with allowing the Admin By Request System Extension and enabling Full Disk Access for two apps. One is for Endpoint Privilege Management (EPM) and the other is for Secure Remote Access (SRA).

IMPORTANT

If you used the old config files (AdminByRequest - FDA PPPC_v2.mobileconfig and AdminByRequest - System Extension.mobileconfig), you must delete them before installing the EPM configuration provided here. Do not simply deploy over the top - delete the old files first, then deploy the new files.

This applies to the EPM config, which replaces both the old files. The SRA config is entirely new.

  • Admin By Request - EPM.mobileconfig

    Pre-approves Admin By Request background components and system extension, and grants the core permissions needed for Endpoint Privilege Management (including Full Disk Access).

    Copy 
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>PayloadContent</key>
        <array>
            <dict>
                <key>PayloadDescription</key>
                <string>This profile controls the Background Service for Admin By Request</string>
                <key>PayloadDisplayName</key>
                <string>Service Management - Managed Login Items</string>
                <key>PayloadIdentifier</key>
                <string>com.apple.servicemanagement.C507C35D-E60C-4257-981A-717B4CC41FF8</string>
                <key>PayloadType</key>
                <string>com.apple.servicemanagement</string>
                <key>PayloadUUID</key>
                <string>C507C35D-E60C-4257-981A-717B4CC41FF8</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <key>Rules</key>
                <array>
                    <dict>
                        <key>Comment</key>
                        <string>Admin By Request</string>
                        <key>RuleType</key>
                        <string>TeamIdentifier</string>
                        <key>RuleValue</key>
                        <string>AU2ALARPUP</string>
                    </dict>
                </array>
            </dict>
            <dict>
                <key>PayloadDescription</key>
                <string>This profile activates the System Extension for Admin By Request</string>
                <key>PayloadDisplayName</key>
                <string>System Extensions</string>
                <key>PayloadIdentifier</key>
                <string>com.apple.system-extension-policy.62A826CC-0D29-44BB-B5B5-FAC42E99947E</string>
                <key>PayloadType</key>
                <string>com.apple.system-extension-policy</string>
                <key>PayloadUUID</key>
                <string>62A826CC-0D29-44BB-B5B5-FAC42E99947E</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <key>AllowedSystemExtensions</key>
                <dict>
                    <key>AU2ALARPUP</key>
                    <array>
                        <string>com.fasttracksoftware.adminbyrequest.extension</string>
                    </array>
                </dict>
                <key>NonRemovableFromUISystemExtensions</key>
                <dict>
                    <key>AU2ALARPUP</key>
                    <array>
                        <string>com.fasttracksoftware.adminbyrequest.extension</string>
                    </array>
                </dict>
            </dict>
            <dict>
                <key>PayloadDescription</key>
                <string>This profile gives Full Disk Access for Admin By Request</string>
                <key>PayloadDisplayName</key>
                <string>Admin By Request - PPPC - Profile</string>
                <key>PayloadIdentifier</key>
                <string>CD46DC4F-F31B-4313-9D27-3BA64CF9B088</string>
                <key>PayloadOrganization</key>
                <string>AdminByRequest</string>
                <key>PayloadType</key>
                <string>com.apple.TCC.configuration-profile-policy</string>
                <key>PayloadUUID</key>
                <string>664A197C-574B-4164-AB09-54C95D47A412</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <key>Services</key>
                <dict>
                    <key>Accessibility</key>
                    <array>
                        <dict>
                            <key>Allowed</key>
                            <true/>
                            <key>CodeRequirement</key>
                            <string>anchor apple generic and identifier "com.fasttracksoftware.adminbyrequest.extension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AU2ALARPUP)</string>
                            <key>Comment</key>
                            <string></string>
                            <key>Identifier</key>
                            <string>com.fasttracksoftware.adminbyrequest.extension</string>
                            <key>IdentifierType</key>
                            <string>bundleID</string>
                        </dict>
                        <dict>
                            <key>Allowed</key>
                            <true/>
                            <key>CodeRequirement</key>
                            <string>identifier "com.fasttracksoftware.adminbyrequest" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AU2ALARPUP</string>
                            <key>Comment</key>
                            <string></string>
                            <key>Identifier</key>
                            <string>/Library/adminbyrequest/adminbyrequest</string>
                            <key>IdentifierType</key>
                            <string>path</string>
                        </dict>
                    </array>
                    <key>SystemPolicyAllFiles</key>
                    <array>
                        <dict>
                            <key>Allowed</key>
                            <true/>
                            <key>CodeRequirement</key>
                            <string>anchor apple generic and identifier "com.fasttracksoftware.adminbyrequest.extension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AU2ALARPUP)</string>
                            <key>Comment</key>
                            <string></string>
                            <key>Identifier</key>
                            <string>com.fasttracksoftware.adminbyrequest.extension</string>
                            <key>IdentifierType</key>
                            <string>bundleID</string>
                        </dict>
                        <dict>
                            <key>Allowed</key>
                            <true/>
                            <key>CodeRequirement</key>
                            <string>identifier "com.fasttracksoftware.adminbyrequest" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AU2ALARPUP</string>
                            <key>Comment</key>
                            <string></string>
                            <key>Identifier</key>
                            <string>/Library/adminbyrequest/adminbyrequest</string>
                            <key>IdentifierType</key>
                            <string>path</string>
                        </dict>
                    </array>
                    <key>SystemPolicySysAdminFiles</key>
                    <array>
                        <dict>
                            <key>Allowed</key>
                            <true/>
                            <key>CodeRequirement</key>
                            <string>anchor apple generic and identifier "com.fasttracksoftware.adminbyrequest.extension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AU2ALARPUP)</string>
                            <key>Comment</key>
                            <string></string>
                            <key>Identifier</key>
                            <string>com.fasttracksoftware.adminbyrequest.extension</string>
                            <key>IdentifierType</key>
                            <string>bundleID</string>
                        </dict>
                        <dict>
                            <key>Allowed</key>
                            <true/>
                            <key>CodeRequirement</key>
                            <string>identifier "com.fasttracksoftware.adminbyrequest" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AU2ALARPUP</string>
                            <key>Comment</key>
                            <string></string>
                            <key>Identifier</key>
                            <string>/Library/adminbyrequest/adminbyrequest</string>
                            <key>IdentifierType</key>
                            <string>path</string>
                        </dict>
                    </array>
                </dict>
            </dict>
        </array>
        <key>PayloadDescription</key>
        <string>This profile enables the System Extension, Background Service and Full Disk Access for Admin By Request</string>
        <key>PayloadDisplayName</key>
        <string>Admin By Request</string>
        <key>PayloadIdentifier</key>
        <string>com.adminbyrequest.DB2FE7D4-1216-40CE-B3F1-49D794398837</string>
        <key>PayloadOrganization</key>
        <string>Admin By Request</string>
        <key>PayloadScope</key>
        <string>System</string>
        <key>PayloadType</key>
        <string>Configuration</string>
        <key>PayloadUUID</key>
        <string>DB2FE7D4-1216-40CE-B3F1-49D794398837</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
    </dict>
    </plist>

  • Admin By Request SRA.mobileconfig

    Prepares Secure Remote Access permissions, including Screen Recording, Accessibility, and Automation permissions used during remote session handover.

    Copy 
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>PayloadContent</key>
        <array>
            <dict>
                <key>PayloadDescription</key>
                <string>This profile gives Accessibility permissions for Admin By Request Secure Remote Access</string>
                <key>PayloadDisplayName</key>
                <string>Admin By Request SRA - PPPC</string>
                <key>PayloadIdentifier</key>
                <string>ECE51A1F-BCAD-493B-B74D-2BB6716B62FC</string>
                <key>PayloadOrganization</key>
                <string>Admin By Request</string>
                <key>PayloadType</key>
                <string>com.apple.TCC.configuration-profile-policy</string>
                <key>PayloadUUID</key>
                <string>F9CB408E-F143-474C-9DD4-833B9D75F135</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <key>Services</key>
                <dict>
                    <key>Accessibility</key>
                    <array>
                        <dict>
                            <key>Authorization</key>
                            <string>Allow</string>
                            <key>CodeRequirement</key>
                            <string>anchor apple generic and identifier "com.fasttracksoftware.adminbyrequest.RemoteAgent" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AU2ALARPUP)</string>
                            <key>Comment</key>
                            <string></string>
                            <key>Identifier</key>
                            <string>com.fasttracksoftware.adminbyrequest.RemoteAgent</string>
                            <key>IdentifierType</key>
                            <string>bundleID</string>
                        </dict>
                    </array>
                </dict>
            </dict>
        </array>
        <key>PayloadDescription</key>
        <string>This profile gives Accessibility permissions for Admin By Request Secure Remote Access</string>
        <key>PayloadDisplayName</key>
        <string>Admin By Request SRA - PPPC</string>
        <key>PayloadIdentifier</key>
        <string>com.adminbyrequest.ECE51A1F-BCAD-493B-B74D-2BB6716B62FC</string>
        <key>PayloadOrganization</key>
        <string>Admin By Request</string>
        <key>PayloadScope</key>
        <string>System</string>
        <key>PayloadType</key>
        <string>Configuration</string>
        <key>PayloadUUID</key>
        <string>E39B5DD3-61E9-46CD-9B3A-9D96BF9D7E88</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
    </dict>
    </plist>

Expand and copy these files, or you can download both in a zip file here.

If this is the first time using these configuration files, they must be deployed in your MDM scripts before installing Admin By Request.

The important step in this procedure is the last one - deploy the config profile. Skip the rest of this procedure unless you want to understand how the Admin By Request config files were created.

The config files supplied were built in Jamf as follows:

  1. In Jamf, go to Computers > Configuration Profiles.

  2. Create a new profile and configure it as follows:

    1. Name: give the profile a name that helps explain what application it is giving rights to. In this example, we use ABR - PPPC.

    2. Category, select Applications.

    3. Distribution Method, select Install Automatically.

    4. Level, select Computer Level.

  3. Navigate from the General tab to the Privacy Preferences Policy Control tab:

    1. Identifier, enter /Library/adminbyrequest/adminbyrequest.

    2. Identifier Type, select Path.

    3. For Code Requirement, enter the following line of code:

      Copy 
      anchor apple generic and identifier "com.fasttracksoftware.adminbyrequest.extension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AU2ALARPUP)
      IMPORTANT

      The code snippet is all one line. Use the Copy button in the top right corner of the code box to copy the code to the clipboard.

      For example:

    4. Under App or Service, select SystemPolicyAllFiles and under Access, select Allow:

      Under App or Service, select Accessibility and under Access, select Allow.

    5. For Code Requirement, enter the following line of code:

      Copy 
      identifier "com.fasttracksoftware.adminbyrequest" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AU2ALARPUP
      IMPORTANT

      The code snippet is all one line. Use the Copy button in the top right corner of the code box to copy the code to the clipboard.

      For example:

    6. Save the profile.

  4. Deploy the profile using Jamf (or your MDM) to allow the System Extension and enable FDA for all your macOS endpoints.

This procedure describes how to create and deploy an Admin By Request installation package.

Make sure that deployment of the installation package comes after deployment of the Admin By Request config files.

  1. Sign-in to your Admin By Request account at https://www.adminbyrequest.com/Login.

  2. Download the Mac client from the Download page and store the client file in a suitable temporary location.

  3. In Jamf, go to Settings > Computer Management > Packages.

  4. Click New and enter a Display Name (e.g. ABR 5.0.0).

  5. Click Choose File and browse for the PKG downloaded from the ABR portal:

  6. Click Save.

  7. Now create a new policy in Jamf.
    Enter the Display Name from step 3 above and choose the relevant trigger for your deployment:

  8. Open Packages, and click Configure.

  9. Select the package just created and click Save.

  10. In Scope, choose the devices to which you want to deploy the ABR client.

  11. Deploy the package.

Users logged-in with administrator privileges see the following icon and options from the menu bar:

Users logged-in with standard privileges see a different icon and menu options:

To test that Admin By Request is working properly, login to a Mac as a standard user and attempt a task that requires elevated privileges (such as modifying Users/Groups) to test that the product is working.

Refer to Using Run As Admin and Requesting Administrator Access for more information on tasks that require elevated privileges.

The user experience on first-time use

Although much of the installation and deployment can be automated via your MDM, there are still several actions required by the user at the endpoint, depending on whether or not the device is enrolled in Secure Remote Access:

  1. From Admin By Request version 5.2, if the endpoint is enrolled in Secure Remote Access (portal setting Settings > Product Enrollment > SECURE REMOTE ACCESS - see Product Enrollment Example 2 for a scope example), an Accessibility Access prompt will appear:

    When this appears, click Open System Settings, go to Privacy & Security > Accessibility and enable Admin By Request SRA:

    This is a first-use, one-time-only prompt raised by the macOS operating system that allows Admin By Request SRA to run on the endpoint.

    NOTE

    • If installing Admin By Request via MDM and the endpoint is enrolled in Secure Remote Access at the time of installation, this prompt will not appear.

    • If the endpoint is not enrolled in Secure Remote Access, this prompt will not appear. However, if the endpoint is enrolled at some point in the future, the prompt will appear the first time a user logs in after enrollment.

  2. When the Screen Recording prompt appears, click Open System Settings:

    In Screen & System Audio Recording, enable Admin By Request:

That completes the requirements for enabling both the Endpoint Privilege Management and Secure Remote Access components of Admin By Request.

NOTE

Secure Remote Access (SRA) prompts on macOS are enrollment-driven. A Mac that is not enrolled in SRA behaves as EPM-only and does not show SRA-specific prompts.

For enrollment behavior details, see Product Enrollment.

Upgrading Admin By Request

You can manually upgrade any client immediately by simply installing the latest version, although upgrading endpoint client software occurs automatically 4 - 8 weeks after versions are released.

Deploying new releases

Admin By Request software updates are deployed using our Auto-Update process. However, when we release a new version we do not deploy it right away to all customers via auto-update. This is simply to mitigate any unforeseen issues.

Our rule-of-thumb for a new release is to activate auto-update within 4 - 8 weeks of release, but this is subject to change, depending on feedback and any potential issues that might arise.

Contact us if you wish to receive the latest version right now. You can also raise a support ticket requesting the latest update.

NOTE

If your Macs are not auto-updating to the latest version of Admin By Request, check the currently installed version on your endpoints. There was an auto-update issue with macOS version 3.2.1 - any Macs running that version of ABR will need to be manually updated.

The problem has been fixed in later versions of Admin By Request for Mac.

For more information

Refer to Synchronizing Clients with the Portal for a description of how endpoint clients communicate with the portal inventory.

Refer to Release Notes (macOS) for details on what is covered in each new release.

Uninstalling Admin By Request

IMPORTANT

If managing macOS endpoints using an MDM (e.g Intune, Jamf, Workspace ONE etc.), a post-uninstall script might be needed to revert at least one user account to admin permissions on each affected endpoint after completing the uninstall steps below.

This will be required only if all accounts have been downgraded to standard users. Check your Mac Settings in the portal (Lockdown > Admin Rights). If setting Revoke admin rights is On and there are no excluded accounts, then all accounts on each managed endpoint will have been downgraded.

Once Admin By Request is removed, the post-uninstall script needs to promote at least one account to admin permissions. Refer to (external) page Script to revoke or grant admin rights to standard users in macOS for an example.

The following procedures describe three ways to uninstall Admin By Request on a Mac:

These procedures are not sequential - pick one or a combination of all three, depending on your requirements.

  1. .

    The first few steps in this procedure require access to the portal.

    1. In the Admin By Request portal, navigate to the Inventory  page and identify the device on which to perform the uninstall.

    2. Locate the device in the inventory list - in the PIN column, click PIN for that device (columns can be switched around - the PIN column in your portal might not be the right-most column):

    3. Click tab UNINSTALL PIN and then click button Generate PIN:

      Note that clicking UNINSTALL PIN also displays a list of previous uninstall events on this computer (below the Uninstall Pin Code  window):

    4. Copy the PIN.

    5. Back on the device on which you want to uninstall Admin By Request, go to the About  panel (i.e. select the Admin By Request icon from the top menu bar and click About Admin By Request).

    6. In the Uninstall  window, select Uninstall from the left button group, enter the PIN copied from the Portal, and click Uninstall:

  2. In this example, Remove ABR  is the script and Remove ABR TEST  is the policy.

    1. Create a script in Jamf.
      Go to Settings > Computer Management > Scripts and click New Script.

    2. Enter a name for the script and open it:

    3. For Mode, select Shell/Bash, and enter /Library/adminbyrequest/uninstall:

    4. Click Save to save the script.

      The next step is to create a policy for deployment of the uninstall script.

    5. Enter a display name for the policy and choose an appropriate trigger for your deployment:

    6. Open Scripts, and click the + symbol to add:

    7. Add your uninstall script and click Save.

    8. Scope deployment of the script to the correct devices:

  3. .

    Uninstallation using sudo is straightforward for an admin user and simply requires executing an uninstall program once sudo is authorized.

    NOTE

    The program cannot be run by a standard user during an Admin By Request administrator session. You need to log in as an admin user and also check/modify certain Mac settings in the portal.

    1. Login to the portal and go to Settings > Workstation Settings > Mac Settings.

    2. Select Lockdown in the vertical menu at left and check the Excluded accounts list.

    3. If your admin account is in the Excluded accounts list, continue with the next step. If your account is not in the list, add it and click Save. This must be an account with administrator privileges.

    4. On the Mac(s) to be uninstalled, log in with an account in the list. If you are already logged in, log out and log back in again.

    5. Run the following program on the Macs to be uninstalled:

      Copy 
      sudo /Library/adminbyrequest/uninstall

User rights after installation

When a user logs on, the account is downgraded from Administrator to Standard User unless:

  • You have turned off Revoke Admins Rights in the portal settings (EPM > Settings > Mac Settings > Lockdown > ADMIN RIGHTS).

  • Also under Revoke Admins Rights, the user is in the list of Excluded accounts.

  • The computer is domain-joined and the user is a domain administrator.

Please refer to Supplementary Technical Information for more information.

Tamper Prevention

When a user initiates an administrator session, the user’s role is not actually changed from user to admin. The user is granted all administrator rights, except the right to add, modify or delete user accounts. Therefore, there is no case where the user can create a new account or change their own role and become a permanent administrator.

The user also cannot uninstall Admin By Request, as the only program, to keep the administrator session open forever. Furthermore, all settings, configuration and program files are monitored during administrator sessions. If the user tries to remove or change any of the Admin By Request files, these are restored straight away and the attempted activity is logged.

Mac Performance after Installation

When users are not using Admin By Request, it does not consume resources, except for a brief daily inventory and settings check.

Logging

Client activity and errors are logged in file /var/log/adminbyrequest.log.