Deploying Thycotic Privilege Manager 10.8.19

Vendor-provided Overview

Thycotic Privilege Manager is an endpoint least privilege and application control solution for Windows and Macs, capable of supporting enterprises and fast-growing organizations at scale.

The two major components are Local Security and Application Control.

Using Privilege Manager, administrators can automatically discover local administrator privileges and enforce the principle of least privilege through policy-driven actions.

Those policy-driven actions include:

  • blocking, elevating, monitoring, allowing
  • application quarantine, sandbox, and isolation
  • application privilege elevation, and
  • endpoint monitoring

macOS Agent Installation

Agent installation is well documented and straightforward; however, “it will take 15-30 minutes for newly installed agents to register in Privilege Manager.” (As of this writing, the vendor’s link to Terminal Commands to speed up the process appears to be broken.)

I found the new macOS Agent Utility Preference Pane gave end users too much information, so I disable it as part of the Jamf Pro policy that installs or upgrades the agent, via Files and Processes > Execute Command:

/bin/mkdir -pv /Library/PreferencePanesDisabled ; /bin/mv -v /Library/PreferencePanes/ACSAgent.prefPane /Library/PreferencePanesDisabled/ACSAgent.prefPane

Also, the suggested How to Recover an Unresponsive macOS Endpoint procedure doesn’t lend itself to automation, so we use the Thycotic Privilege Manager Agent Kickstart script described below instead.

Configuration Profiles

Approved Kernel Extensions

Approved Team ID

  • Display Name: Thycotic Software
  • Team ID: UJDHBB2D6Q

Privacy Preferences Policy Control

App Access

  • Identifier: com.thycotic.privilegemanagergui
  • Code Requirement: anchor apple generic and identifier "com.thycotic.privilegemanagergui" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UJDHBB2D6Q)
  • App or Service
    • Accessibility: Allow
    • AppleEvents: Allow
      • Receiver Identifier: com.apple.systemevents
      • Receiver Code Requirement: identifier "com.apple.systemevents" and anchor apple
    • SystemPolicyAllFiles: Allow
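
The code requirement is what ties the Accessibility, AppleEvents and Full Disk Access grants to Thycotic’s signature rather than to a bundle identifier that any binary could claim, so it is worth checking before the profile ships. The script below is an added example, not from the original post or from Thycotic: it statically checks that a requirement string carries the anchor, identifier and Team ID clauses, and on a Mac with the agent installed asks codesign whether the installed app actually satisfies it. It assumes the app can be located by bundle identifier through Spotlight (mdfind); the page does not give the app’s path.

```bash
#!/bin/bash
# Added example, not part of the original post or of Thycotic's tooling.
# Static check: the PPPC requirement must anchor to Apple's root, pin the bundle
# identifier and bind the signer to the Team ID approved for the kernel extension.
# Live check (macOS only): codesign tests the installed app against that requirement.
# Assumption: the app is discoverable via Spotlight by its bundle identifier.

expectedTeamID="UJDHBB2D6Q"
expectedIdentifier="com.thycotic.privilegemanagergui"
requirement='anchor apple generic and identifier "com.thycotic.privilegemanagergui" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UJDHBB2D6Q)'

# Print OK when the requirement carries all three binding clauses, otherwise
# WEAK: followed by what is missing. A requirement that is only an identifier
# hands the TCC grants to any signed binary that claims that bundle ID.
check_requirement() {
    local req="$1" ident="$2" team="$3" problems=""
    case "$req" in
        *"anchor apple generic"*) ;;
        *) problems="${problems}no 'anchor apple generic'; " ;;
    esac
    case "$req" in
        *"identifier \"$ident\""*) ;;
        *) problems="${problems}identifier not pinned to $ident; " ;;
    esac
    case "$req" in
        *"certificate leaf[subject.OU] = $team"*) ;;
        *) problems="${problems}subject.OU not bound to Team ID $team; " ;;
    esac
    if [ -z "$problems" ]; then
        echo "OK"
        return 0
    fi
    echo "WEAK: ${problems%; }"
    return 1
}

# macOS only: find the app by bundle ID and have codesign test it against the
# requirement. The leading "=" in -R tells codesign the value is requirement
# text, not a file path.
verify_installed_app() {
    local app
    app=$(mdfind "kMDItemCFBundleIdentifier == '$expectedIdentifier'" | head -n 1)
    if [ -z "$app" ]; then
        echo "no app with identifier $expectedIdentifier found"
        return 2
    fi
    if codesign --verify -R="=$requirement" "$app" 2>/dev/null; then
        echo "$app satisfies the requirement"
    else
        echo "$app does NOT satisfy the requirement; compare with: codesign -dr - \"$app\""
        return 1
    fi
}

check_requirement "$requirement" "$expectedIdentifier" "$expectedTeamID"
if command -v codesign >/dev/null 2>&1; then
    verify_installed_app
fi
```

`codesign -dr - <app>` prints the designated requirement the vendor signed with; the string in the PPPC payload should match it clause for clause, and the `--verify -R` call checks the installed binary against exactly the requirement the profile will enforce. If the Team ID in `subject.OU` ever differs from the one approved for the kernel extension, one of the two profiles is pointing at the wrong signer.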

Jamf Pro Scripts & Extension Attributes

The Agent Information and Agent Diagnostics scripts query the macOS Thycotic Privilege Manager agent for various settings, save the results to the user’s Desktop as an HTML file, and open that file in Safari.

If the testAgentConnection function reports a failure, the kickstartAgent function runs settmsserver -serverUri ${thycoticURL} -installCode ${agentInstallCode} to re-point the agent at the server in an attempt to resolve the connection failure.

Scripts

Thycotic Privilege Manager macOS Agent Information

  • While troubleshooting new installations of the macOS Thycotic Privilege Manager agent, I found myself frequently having to leverage agentUtil.sh as root to see exactly which policies had been applied, before realizing I had neglected to add the new test machine to my testing Resource group.
  • The HTML file includes hyperlinks to the policies in the Thycotic Privilege Manager console.

Thycotic Privilege Manager macOS Agent Diagnostics

  • More robust version of Thycotic Privilege Manager macOS Agent Information
  • Leverages settmsserver -serverUri ${thycoticURL} -installCode ${agentInstallCode} to kickstart the agent
  • The HTML file includes hyperlinks to the policies in the Thycotic Privilege Manager console.

Thycotic Privilege Manager Agent Kickstart

  • Simplified version of Thycotic Privilege Manager macOS Agent Diagnostics
  • No HTML output
  • Used as a remediation for the Thycotic Privilege Manager Health Check Extension Attribute

Extension Attributes

Thycotic Privilege Manager Machine ID

  • Returns the Thycotic Privilege Manager Machine ID GUID

Thycotic Privilege Manager Health Check

  • Validates access to ${thycoticURL}PrivilegeManager/#
  • Validates access to ${thycoticURL}Agent/AgentRegistration4.svc
  • Attempts to run updateclientitems

Please see GitHub for customization instructions.

Thycotic Privilege Manager Agent Kickstart Jamf Pro Policy

  1. Add the Thycotic Privilege Manager Agent Kickstart script
  2. Add the Thycotic Privilege Manager Health Check Extension Attribute
  3. Create the Thycotic Health Check Failure Smart Group:
    • Criteria: Thycotic Privilege Manager Health Check
    • Operator: like
    • Value: FAIL
  4. Create the Thycotic Privilege Manager Agent Kickstart policy
    • General
      • Display Name: Thycotic Privilege Manager Agent Kickstart
      • Trigger: Recurring Check-in
      • Execution Frequency: Ongoing
    • Scripts
      • Thycotic Privilege Manager Agent Kickstart
        • Parameter Values
          • Number of Kickstart Checks
          • Thycotic Agent Install Code
    • Scope
      • Thycotic Health Check Failure
