Should IT administrators allow users to run as local macOS administrators?

In 2022, security is a top priority for every organization, including businesses and schools using Macs. While very secure, Macs are still vulnerable to threats, including phishing attacks and malware. Security is no longer a technology concern. It’s now a business concern. Most of the security discussion on macOS revolves around software updates, endpoint security software, and other high-level topics.

What doesn’t get brought up enough is user privileges. Every CISO should ask their IT teams if end-users are running as local administrators on their Macs. If they are, they should ask the team if it’s necessary compared to the critical risks elevated privileges can create.
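One way an IT team can answer that question on a given Mac, shown as an added example that is not part of the original article: the script below lists non-system accounts that belong to the local `admin` group. The function names and sample data are constructed for illustration; on a Mac the script reads the same two inputs live from `dscl`.

```shell
#!/bin/sh
# Added example: report human accounts that hold local admin rights on macOS.
# Inputs are the text produced by:
#   dscl . -read /Groups/admin GroupMembership
#   dscl . -list /Users UniqueID
# Caveat: direct members only. For nested groups, confirm a single user with
#   dseditgroup -o checkmember -m <user> admin

# Constructed sample data, used when dscl is not available (e.g. not on a Mac).
SAMPLE_GROUP='GroupMembership: root alice _mbsetupuser'
SAMPLE_USERS='_mbsetupuser            248
root                    0
alice                   501
bob                     502
daemon                  1'

# admin_members "<GroupMembership output>" -> one short name per line
admin_members() {
    printf '%s\n' "$1" \
        | sed -n 's/^GroupMembership:[[:space:]]*//p' \
        | tr -s ' ' '\n'
}

# human_admins "<GroupMembership output>" "<name/UID listing>"
# Prints accounts that are in the admin group AND have UID >= 501
# (macOS assigns regular user accounts UIDs starting at 501).
human_admins() {
    members=$(admin_members "$1")
    printf '%s\n' "$2" | while read -r name uid; do
        [ -n "$uid" ] || continue
        [ "$uid" -ge 501 ] 2>/dev/null || continue
        if printf '%s\n' "$members" | grep -qxF -- "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

if command -v dscl >/dev/null 2>&1; then
    group=$(dscl . -read /Groups/admin GroupMembership)
    users=$(dscl . -list /Users UniqueID)
else
    group=$SAMPLE_GROUP
    users=$SAMPLE_USERS
fi

echo "Non-system accounts with local admin rights:"
human_admins "$group" "$users"
```

Any name it prints is a day-to-day account running with permanent administrator rights.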

Here’s the bottom line: There’s no need for Mac users to have administrative powers 24/7.

From a macOS IT perspective, getting this part of your deployment and ongoing management correct can be a massive part of keeping your Macs secure. Especially in a remote and hybrid work environment, IT administrators might not have control over the local network like in a traditional office setting. The new model of working means that security best practices must evolve. Instead of focusing on the corporate network’s security, the endpoint (aka the device) is now essential to your security focus.

You might think, “well, of course, my users need administrator level access on their local machine. I’m not there to help them if they run into a situation where they need an administrator account.” You may be right, but this mindset also creates potential security consequences.

Administrators can create and manage other user accounts, install software, change system settings, disable critical security features, access all files on the Mac and much more. Ultimately, a local administrator can change any setting, install anything, and do just about whatever they want to.

Because of that, admin accounts are prime targets for hackers: once a Mac is compromised while the user is running as admin, the malware (and the hacker) inherits the same ability to perform every action available to an admin. It’s equivalent to carrying your entire savings account in cash in your pocket when you only need to spend $10. You’re simply asking for trouble.

As you can see, there’s a lot of responsibility when choosing to run as a user with administrative privileges.

The immediate reaction to understanding this reality is to simply force users to use a standard account with limited access to the system. Running as a Standard User helps keep your Mac safe from severe damage if it is infected by malware. Additionally, giving the user fewer permissions means less potential for undesired changes and misconfigurations.

In a perfect world, users should always stay running as the least privileged user option on the device. The user may need to install an application on their Mac that requires administrator privileges or make file system changes, but those needs are few and far between.

Let’s be honest, how many new apps are you manually installing monthly? Admin requirements are even more unnecessary in the business environment, considering apps and configurations are normally automatically deployed through an MDM solution, eliminating any need for manual actions by the end-user.

However, in specific cases, the user may have a justified need for admin-level privileges to address a potential issue, change permissions of applications, have better control over software updates and more. After in-depth research, Mosyle determined that the average Mac user needs administrator-level privileges for around five minutes per month. No, not per hour, not per day – PER MONTH.

And because of these exceptional five minutes per month, users are granted admin privileges permanently, creating a material security risk that is disproportionate to the real business needs.

So how do you address this dilemma? How can you ensure users can have admin privileges only when they need them and for the period they actually need them?

In early 2022, Mosyle finally solved this problem. The company built a new “Admin On-Demand” solution that enables IT to allow their users to run as an administrator for a preset period and automatically revert to a Standard User.

With Admin On-Demand from Mosyle, users have full administrator access when they need it. Mosyle Admin On-Demand will automatically convert admin users into Standard Users and allow only authorized users to temporarily escalate their user privileges only when needed. During the escalation period, Mosyle’s Admin On-Demand will capture detailed system logs and automatically convert the user back to a standard level of security access at the end of the period.

With Admin On-Demand, IT admins can control the number of privilege escalations per day, the duration allowed, and require the user to justify the upgrade.

Mosyle’s Admin On-Demand gives IT teams the perfect balance between securing Macs while ensuring employees can experience full usability of their devices.

Admin On-Demand is available in Mosyle Fuse, an innovative solution that is revolutionizing the Apple enterprise management and security market. Mosyle Fuse combines the most complete Apple MDM on the market, sophisticated endpoint security tools, the only internet privacy and security solutions built for Apple devices, device level Single Sign-On and automated application management for macOS, iOS and iPadOS.
