When an application runs, it is started by another process: its parent process. On macOS the parent process is usually
launchd, but applications (binaries and bundles) are sometimes started by other applications. For example, a binary such as
curl can be run from Bash, in which case it is created as a child of the Terminal process; curl can also be invoked by other applications.
The Parent Process matching criteria lets you target applications based on their parent process, so you can apply different rules
and actions depending on where an application is launched from. In the example above, you can use Parent Process matching to
allow curl to be used by an authorized application while still blocking users from running it directly in the Terminal.
Parent Processes are defined as an Application Group, so you can identify multiple parents without having to create multiple definitions.
This also means the parent process can be any type of application (binary, bundle, system preference, or package), identified using any
of the matching criteria available for that application type.
This matching criteria includes the following matching options:
• Parent Process Group (dropdown menu of all Application Groups existing in the configuration)
This definition can be used with the following application types:
• Binaries
• Bundles
• Sudo Commands
• Scripts
Publisher Matches
This option can be used to check for the existence of a valid publisher. If you browsed for the application and it is signed, the certificate
subject name is retrieved automatically. By default, a substring match is attempted (Contains). Alternatively, you can pattern match
using either a wildcard match (? and *) or a Regular Expression. The available operators are identical to those of the File or Folder
Name definition.
Some applications are digitally signed with a certificate, giving a guarantee the application is genuine and from a specific vendor. The
certificate also ensures the application has not been tampered with by an unauthorized source. The vendor who owns the certificate can
be identified from certain properties of the certificate, which are referred to as Authorities. A certificate typically contains several
Authorities linked together in a chain of trust.
To check whether an application is digitally signed, and which certificate Authorities signed it, run codesign against the bundle. For
example, to inspect the certificate of the iTunes.app application bundle (codesign writes this information to standard error, so add
2>&1 if you pipe the output):
codesign -dvvv /Applications/iTunes.app/
If the application has a certificate, there will be one or more Authorities listed in the output:
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
In the output, the first Authority listed is the authority most specific to the application. In this example, you can see Apple uses the
certificate Authority Software Signing to digitally sign iTunes.app.
With the Publisher matching criteria, you can target applications based on the publisher information contained in the application's
certificate. This matching criteria can also be combined with other matching criteria to ensure the application you target is a genuine
application from the vendor.
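The following Python script is an added illustration of the two criteria described above (Parent Process matching and Publisher matching); it is not BeyondTrust code and does not reproduce the product's rule engine or configuration format. It parses the Authority chain from constructed codesign -dvvv output (reusing the iTunes.app chain quoted above), evaluates a publisher pattern with the three operators named on the page (Contains as the default, wildcard with ? and *, Regular Expression), and then applies a small hypothetical rule list that allows curl when its parent process belongs to an authorized Application Group and blocks it when the parent is a shell. The group names, bundle identifiers and the "no match" default are constructed assumptions for the example.

```python
import fnmatch
import re

# Constructed sample of what `codesign -dvvv` prints for a signed bundle,
# trimmed to the fields this example needs. The Authority chain is the one
# quoted on the page for iTunes.app; index 0 is the most specific authority.
SAMPLE_CODESIGN_OUTPUT = """\
Executable=/Applications/iTunes.app/Contents/MacOS/iTunes
Identifier=com.apple.iTunes
Format=app bundle with Mach-O thin (x86_64)
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Info.plist entries=40
"""

# Hypothetical Application Groups (assumption, not the product's schema):
# a group is just the set of parent process names that belong to it.
APPLICATION_GROUPS = {
    "Authorized Updaters": {"com.example.updater"},   # constructed identifier
    "Shells": {"bash", "zsh", "sh"},
}

# Constructed rules for the page's curl scenario: the first rule allows curl
# when a signed, authorized application is the parent; the second blocks it
# when the parent is an interactive shell. Each rule lists only the criteria
# it needs, and every listed criterion must match.
CURL_RULES = [
    {"publisher": ("Software Signing", "contains"),
     "parent_group": "Authorized Updaters", "action": "allow"},
    {"parent_group": "Shells", "action": "block"},
]


def parse_authorities(codesign_output):
    """Return the Authority chain in the order codesign prints it."""
    chain = []
    for line in codesign_output.splitlines():
        line = line.strip()
        if line.startswith("Authority="):
            chain.append(line[len("Authority="):])
    return chain


def publisher_matches(authority, pattern, operator="contains"):
    """Evaluate one publisher pattern with the operators named on the page.
    'contains' is a substring test (the default); 'wildcard' treats ? and *
    as single/multi-character wildcards and is assumed to match the whole
    authority string; 'regex' is a Python regular-expression search."""
    if operator == "contains":
        return pattern in authority
    if operator == "wildcard":
        return fnmatch.fnmatchcase(authority, pattern)
    if operator == "regex":
        return re.search(pattern, authority) is not None
    raise ValueError("unknown operator: %r" % operator)


def parent_in_group(parent_name, group_name, groups=APPLICATION_GROUPS):
    """Parent Process matching: true when the parent is a member of the group."""
    return parent_name in groups.get(group_name, set())


def rule_matches(rule, authorities, parent_name):
    """A rule matches only when every criterion it defines matches, which is
    how combining Publisher and Parent Process criteria narrows the target.
    The publisher pattern is checked against the first (most specific) Authority."""
    if "publisher" in rule:
        pattern, operator = rule["publisher"]
        if not authorities or not publisher_matches(authorities[0], pattern, operator):
            return False
    if "parent_group" in rule:
        if not parent_in_group(parent_name, rule["parent_group"]):
            return False
    return True


def decide(rules, authorities, parent_name, default="no match"):
    """Return the action of the first rule that matches, else the assumed default."""
    for rule in rules:
        if rule_matches(rule, authorities, parent_name):
            return rule["action"]
    return default


if __name__ == "__main__":
    chain = parse_authorities(SAMPLE_CODESIGN_OUTPUT)
    print("Authority chain:", chain)
    for parent in ("com.example.updater", "bash", "Finder"):
        print("curl launched by %-20s -> %s" % (parent, decide(CURL_RULES, chain, parent)))
```

Running the script prints the parsed chain and one decision per parent: the constructed updater gets "allow", bash gets "block", and a parent in neither group falls through to the assumed default. Note that a substring pattern such as "Apple" matches the intermediate and root Authorities of many vendors' chains, which is why the example tests the first Authority only and why the page recommends combining Publisher matching with other criteria.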
SALES: www.beyondtrust.com/contact
SUPPORT: www.beyondtrust.com/support
DOCUMENTATION: www.beyondtrust.com/docs
48
©2003-2024 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or
depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.
TC: 6/28/2024
ENDPOINT PRIVILEGE MANAGEMENT FOR MAC
24.4 ADMINISTRATION GUIDE