Vendor-provided Overview
Thycotic Privilege Manager is an endpoint least privilege and application control solution for Windows and Macs, capable of supporting enterprises and fast-growing organizations at scale.
The two major components are Local Security and Application Control.
Using Privilege Manager, administrators can automatically discover local administrator privileges and enforce the principle of least privilege through policy-driven actions.
Those policy-driven actions include:
- blocking, elevating, monitoring, allowing
- application quarantine, sandbox, and isolation
- application privilege elevation, and
- endpoint monitoring
macOS Agent Installation
Agent installation is well documented and straightforward; however, “it will take 15-30 minutes for newly installed agents to register in Privilege Manager.” (As of this writing, the vendor’s link to Terminal Commands to speed up the process appears to be broken.)
I found the new macOS Agent Utility Preference Pane exposed too much information to users, so I disable it as part of the Jamf Pro install / upgrade policy via Files and Processes > Execute Command:
/bin/mkdir -pv /Library/PreferencePanesDisabled ; /bin/mv -v /Library/PreferencePanes/ACSAgent.prefPane /Library/PreferencePanesDisabled/ACSAgent.prefPane
Also, the suggested How to Recover an Unresponsive macOS Endpoint procedure doesn’t lend itself to automation; we’re using Thycotic Privilege Manager Agent Kickstart.sh instead.
Configuration Profiles
Approved Kernel Extensions
Approved Team ID
- Display Name: Thycotic Software
- Team ID: UJDHBB2D6Q
Privacy Preferences Policy Control
App Access
- Identifier: com.thycotic.privilegemanagergui
- Code Requirement: anchor apple generic and identifier "com.thycotic.privilegemanagergui" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UJDHBB2D6Q)
- App or Service
  - Accessibility: Allow
  - AppleEvents: Allow
    - Receiver Identifier: com.apple.systemevents
    - Receiver Code Requirement: identifier "com.apple.systemevents" and anchor apple
  - SystemPolicyAllFiles: Allow
Jamf Pro Scripts & Extension Attributes
Queries the macOS Thycotic Privilege Manager Agent for various settings and saves the results to the user’s Desktop as an HTML file, which is then opened in Safari. If the testAgentConnection function results in a failure, the kickstartAgent function executes settmsserver -serverUri ${thycoticURL} -installCode ${agentInstallCode} in an attempt to resolve the connection failure.
Scripts
Thycotic Privilege Manager macOS Agent Information
- While troubleshooting new installations of the macOS Thycotic Privilege Manager agent, I found myself frequently having to leverage agentUtil.sh asroot to see exactly which policies had been applied before realizing I had neglected to add the new test machine to my testing Resource group.
- The HTML file includes hyperlinks to the policies in the Thycotic Privilege Manager console.
Thycotic Privilege Manager macOS Agent Diagnostics
- More robust version of Thycotic Privilege Manager macOS Agent Information
- Leverages settmsserver -serverUri ${thycoticURL} -installCode ${agentInstallCode} to kickstart the agent
- The HTML file includes hyperlinks to the policies in the Thycotic Privilege Manager console.
Thycotic Privilege Manager Agent Kickstart
- Simplified version of Thycotic Privilege Manager macOS Agent Diagnostics
- No HTML output
- Used as a remediation for Thycotic Health Check Extension Attribute
Extension Attributes
Thycotic Privilege Manager Machine ID
- Returns the Thycotic Privilege Manager Machine ID GUID
Thycotic Privilege Manager Health Check
- Validates access to ${thycoticURL}PrivilegeManager/#
- Validates access to ${thycoticURL}Agent/AgentRegistration4.svc
- Attempts to updateclientitems
Please see GitHub for customization instructions.
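As an added illustration (not the author's GitHub script), here is a minimal Jamf Pro Extension Attribute that performs the three Health Check steps listed above and reports PASS or FAIL in the form the Smart Group criterion expects. The server URL and the agentUtil.sh path are assumed placeholders.

```shell
#!/bin/sh
# Added example, not the author's script: a Jamf Pro Extension Attribute that
# performs the three checks listed above and reports PASS or FAIL.
# Assumptions (placeholders, adjust for your tenant):
thycoticURL="https://privilegemanager.example.com/"        # trailing slash assumed
agentUtil="/usr/local/thycotic/agent/agentUtil.sh"          # assumed agent path

# Return PASS when the URL answers with an HTTP status below 400 within 5 s.
check_url() {
    code=""
    if command -v curl >/dev/null 2>&1; then
        code=$(curl -s -o /dev/null --connect-timeout 3 -m 5 -w '%{http_code}' "$1" 2>/dev/null) || code=""
    fi
    case "$code" in
        [123][0-9][0-9]) echo PASS ;;
        *)               echo FAIL ;;
    esac
}

# Return PASS when the agent utility exists and updateclientitems exits 0.
check_updateclientitems() {
    if [ -x "$agentUtil" ] && "$agentUtil" updateclientitems >/dev/null 2>&1; then
        echo PASS
    else
        echo FAIL
    fi
}
# Combine the three results; on failure name the checks that failed so the
# Smart Group criterion "like FAIL" still matches and the cause stays visible.
summarize_health() {
    failed=""
    [ "$1" = PASS ] || failed="$failed console"
    [ "$2" = PASS ] || failed="$failed registration"
    [ "$3" = PASS ] || failed="$failed updateclientitems"
    if [ -z "$failed" ]; then
        echo PASS
    else
        echo "FAIL:$failed"
    fi
}
main() {
    console=$(check_url "${thycoticURL}PrivilegeManager/#")
    registration=$(check_url "${thycoticURL}Agent/AgentRegistration4.svc")
    update=$(check_updateclientitems)
    # Jamf Pro reads the Extension Attribute value from the <result> tags.
    echo "<result>$(summarize_health "$console" "$registration" "$update")</result>"
}

main
```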
Thycotic Privilege Manager Agent Kickstart Jamf Pro Policy
- Add the Thycotic Privilege Manager Agent Kickstart script
- Add the Thycotic Privilege Manager Health Check Extension Attribute
- Create the Thycotic Health Check Failure Smart Group:
  - Criteria: Thycotic Health Check
  - Operator: like
  - Value: FAIL
- Create the Thycotic Privilege Manager Agent Kickstart policy:
  - General
    - Display Name: Thycotic Privilege Manager Agent Kickstart
    - Trigger: Recurring Check-in
    - Execution Frequency: Ongoing
  - Scripts
    - Thycotic Management Agent Kickstart
      - Number of Kickstart Checks
      - Thycotic Agent Install Code
      - Thycotic Management Agent Kickstart
  - Scope
    - Thycotic Health Check Failure