In this article, you will learn everything you need to know about the Privilege Elevation and Delegation Management product. Privilege Elevation and Delegation Management allows you to easily elevate user rights or file executions, featuring a lightweight and stunning interface that puts you in complete control over the user’s elevated session. Approve or deny from the HEIMDAL Dashboard or on the go, right from your mobile device. You can keep track of sessions, block elevation for system files, live-cancel user admin rights, and set escalation periods.
1. Description
2. How does Privilege Elevation and Delegation Management work?
3. HEIMDAL Agent - Privilege Elevation and Delegation Management
4. Privilege Elevation and Delegation Management view
5. Privilege Elevation and Delegation Management settings
DESCRIPTION
Privilege Elevation and Delegation Management is a PEDM tool that can be used to give users the ability to install software they need for a period of time you select, using the Administrator Session or the Run with Admin Privileges option for single file elevation. Rights granted can be revoked at any time, and actions are logged for a full audit trail. This is the feature that allows an end-user to request admin privileges over his/her machine by sending a request to the HEIMDAL Dashboard Administrator, who can deny or accept his/her request. The length of the session is limited, and all his/her actions are logged into the HEIMDAL Dashboard.
HOW DOES PRIVILEGE ELEVATION AND DELEGATION MANAGEMENT WORK?
On macOS, Privilege Elevation and Delegation Management is a product under the HEIMDAL Agent that manages the user permissions on a device. Privilege Elevation and Delegation Management runs under the local SYSTEM user and can be used in 2 ways: Run with Admin Privilege (single-file elevation) or Administrator Session (Administrator rights).
A. Run with Admin Privilege
The Run with Admin Privilege feature allows the user to right-click an executable file (.pkg, .dmg, .zip, and .app) and run it with Administrator permissions. If the Require reason option is enabled in the Group Policy, then the pop-up below will appear to add details for the elevation request (more than 2 characters should be added to be able to submit the elevation request reason). This step is skipped if Require reason is disabled.
After clicking Elevate, depending on the Group Policy configuration, a request can be sent to the server to ask permission from the HEIMDAL Dashboard Administrator (if Approval via Dashboard is selected in the GP), and the left popup below will appear, or the elevation will be automatically granted (if Auto-mode is selected in the GP). After clicking Start Now, the file will be elevated.
IMPORTANT
An elevation is granted in a 5-minute interval after being approved by the HEIMDAL Dashboard Administrator.
B. Administrator Session
The Administrator Session feature allows the user who is requesting elevation to get elevated for a specific number of minutes to run applications/processes with Administrator rights. When an Administrator Session elevation is started, the user can use their own credentials (username and password) to run processes/applications. To run a process/application with Administrator rights, you need to right-click the executable file and click Run as Administrator (just like you would if your user were already an Administrator). Elevations can be requested from the HEIMDAL Agent by pressing the Elevate button.
If the Require reason option is enabled in the Group Policy, then the pop-up below will appear to add details for the elevation request (more than 30 characters should be added to be able to submit the elevation request reason). This step is skipped if Require reason is disabled.
After clicking Elevate, depending on the Group Policy configuration, a request can be sent to the server, to ask permission from the HEIMDAL Dashboard Administrator (if Approval via Dashboard is selected in the GP) and the left popup below will appear or the elevation will be automatically granted (if Auto-mode is selected in the GP) and the right popup below will appear:
IMPORTANT
An elevation is granted in a 5-minute interval after being approved by the HEIMDAL Dashboard Administrator or in less than a minute if Realtime communication is enabled on the Group Policy that is applying to the endpoint.
On macOS, Privilege Elevation and Delegation Management is supported on devices that are NOT domain-joined and can elevate the Standard user to Administrator permissions for a specific amount of time.
HEIMDAL AGENT - PRIVILEGE ELEVATION AND DELEGATION MANAGEMENT
On the HEIMDAL Agent's home page view, you can see the current status of the Agent and the modules that are enabled for your computer. To access the Privilege Elevation and Delegation Management module, you can click on the Privileges & App Control icon or use the left-side menu.
The Privilege Elevation and Delegation Management module displays information about the Total Elevations. The data that is logged in this view includes Username, Reason, Request date, Action, and Duration.
Pressing the Elevate button will elevate the user or will display a Reason for elevation pop-up to be sent to the HEIMDAL Dashboard.
PRIVILEGE ELEVATION AND DELEGATION MANAGEMENT view
The Privileges & App Control - Privilege Elevation and Delegation Management view displays all the information collected by HEIMDAL Agent that is running on the endpoints in your organization. The collected information refers to the elevation requests, the processes that are running during the elevations, and the Zero-Trust processes that are executed in your environment. At the top, you see a statistic regarding the number of Pending Requests and the number of used Admin Rights.
The collected information is placed in the following views: Pending Approvals, History, Most Escalated Process, Most Escalating Hostname, Compliance, and Zero-Trust Execution Protection.
Pending Approvals
This view displays a table with the pending elevation requests and the following details: Hostname, Username, Reason given, Request Time, Type, Application, and Status. If the Status is Requested and written in red, this means the endpoint is running a 3rd Party Application that has a vulnerability with a CVSS score of 7 or higher.
Clicking on the process listed under the Application column, you will get additional information regarding the elevated process: Full Path, Publisher, Version, and MD5.
When you select an elevation request, you have the option to send a message to the user by enabling the Administrator message tickbox and filling in your message.
History
This view displays a table with the elevated/de-elevated requests and the following details: Hostname, Username, Start Time, End Time, Reason Given, Action, Executed Process(es), Handled By.
Process Details will provide all the additional information related to a process that has been executed via PEDM. You can access this view just by pressing on one of the processes listed in the Executed Process column.
Most Executed Processes
This view displays a table with the number of executed processes (during the elevated session) and the following details: Process Name, Number of Executions, Hostname, and Username.
Most Escalating Hostname
This view displays a table with the number of escalating hostnames and the following details: Hostname, Username, and Total Number of Elevations.
Compliance
This view displays a table with the compliant endpoints and the following details: Hostname, Active User, Domain Name, Local Groups, AD Groups, and Admin rights (Y/N). The Local Group field populates if the active user is found in any of the local groups or AD Groups. If it is found, it is marked as Admin (Yes).
The tables in each view have a 60-second refresh rate.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
PRIVILEGE ELEVATION AND DELEGATION MANAGEMENT settings
The Privilege Elevation and Delegation Management module will allow you to give users the ability to install software they need for a period you select, using the Administrator Session or the Run with Admin Privileges option for single-file elevation. Rights granted can be revoked at any time, and actions are logged for a full audit trail. This is the feature that allows an end-user to request admin privileges over their machine by sending a request to the Heimdal Dashboard System Administrator, who can deny or accept their request.
Privilege Elevation and Delegation Management - turn ON/OFF the Privilege Elevation and Delegation Management module.
De-elevate and block elevation for users with risk of infections - automatically removes the Administrator privileges and blocks elevation requests for a user if there were any malware detections found on the endpoint by the Heimdal Agent's Next-Gen Antivirus (statuses: None, QuarantinePending, ExcludePending, RepairPending, DeletePending, ErrorRepair, ErrorDelete, ErrorQuarantine) or VectorN detections in the past 7 days.
Run as Administrator
Allow run as administrator - turn ON/OFF the single-file elevation request (Run with AdminPrivilege) feature;
Require reason - when requesting an elevation, the Heimdal Agent will display a pop-up to request a reason for the elevation.
Auto-mode - all single-file elevation requests (Run with AdminPrivilege) will be automatically approved and logged in the Heimdal Dashboard (under Products -> Privileges & App Control -> Privilege Elevation and Delegation Management -> History filter);
Approval via Dashboard - all single-file elevation requests and responses will require the approval of the HEIMDAL Dashboard Administrator. The pending elevations will be displayed in the Heimdal Dashboard (under Products -> Privileges & App Control -> Privilege Elevation and Delegation Management -> Pending Approvals filter). Once approved, the requesting user will be able to start the session after receiving a Start elevation pop-up (this is automatically displayed in 1-5 minutes).

Administrator Session
Allow administrator session - turn ON/OFF the full administrator elevation request feature. Note that some changes cannot be committed during an Administrator Elevation, although the user has Administrator rights.
Require reason - when requesting an elevation, the Heimdal Agent will display a pop-up to request a reason for the elevation.
Auto-mode - all Administrator Session elevation requests will be automatically approved and logged in the Heimdal Dashboard (under Products -> Privileges & App Control -> Privilege Elevation and Delegation Management -> History filter).
Approval via Dashboard - all Administrator Session elevation requests and responses will require the approval of the HEIMDAL Dashboard Administrator. The pending elevations will be displayed in the Heimdal Dashboard (under Products -> Privileges & App Control -> Privilege Elevation and Delegation Management -> Pending Approvals filter). Once approved, the requesting user will be able to start the session after receiving a Start elevation pop-up (this is automatically displayed in 1-5 minutes).
SESSION LENGTH (2 MIN - 24 H) - allows you to set the interval for the elevation session.
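The following Python example is added here and is not part of Heimdal's product or documentation. It models how the Group Policy settings in this section and the "De-elevate and block elevation for users with risk of infections" option combine to decide the outcome of an elevation request, and it also serves as the check behind the automatic de-elevation. The GroupPolicy field names, the Detection record, the outcome strings, the sample detections and the order in which the checks are applied are assumptions made for illustration; the detection status list, the 7-day window, the reason-length thresholds and the 2 min to 24 h session range are taken from this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Next-Gen Antivirus detection statuses that the Group Policy option
# "De-elevate and block elevation for users with risk of infections" treats
# as an infection risk (status names quoted from the page).
BLOCKING_AV_STATUSES = {
    "None", "QuarantinePending", "ExcludePending", "RepairPending",
    "DeletePending", "ErrorRepair", "ErrorDelete", "ErrorQuarantine",
}
RISK_WINDOW = timedelta(days=7)                         # page: "in the past 7 days"
MIN_SESSION_MINUTES, MAX_SESSION_MINUTES = 2, 24 * 60   # page: SESSION LENGTH (2 MIN - 24 H)
# Reason must be longer than this many characters (page: more than 2 for
# single-file elevation, more than 30 for an Administrator Session).
MIN_REASON_CHARS = {"run_as_admin": 2, "admin_session": 30}


@dataclass(frozen=True)
class Detection:                 # assumed record shape, not the agent's own
    source: str                  # "NGAV" (Next-Gen Antivirus) or "VectorN"
    status: str                  # NGAV status; ignored for VectorN
    seen_at: datetime


@dataclass(frozen=True)
class GroupPolicy:               # assumed field names mirroring the settings above
    pedm_enabled: bool = True
    block_on_infection_risk: bool = True
    allow_run_as_admin: bool = True
    run_as_admin_require_reason: bool = True
    run_as_admin_auto_mode: bool = False      # False means Approval via Dashboard
    allow_admin_session: bool = True
    admin_session_require_reason: bool = True
    admin_session_auto_mode: bool = False
    session_length_minutes: int = 30


def has_recent_infection_risk(detections, now):
    """True if an NGAV detection in a blocking status, or any VectorN detection,
    was seen on the endpoint within the last 7 days. A True result is also the
    trigger for de-elevating a user who currently holds Administrator rights."""
    cutoff = now - RISK_WINDOW
    for d in detections:
        if d.seen_at < cutoff:
            continue                          # too old to count
        if d.source == "VectorN":
            return True
        if d.source == "NGAV" and d.status in BLOCKING_AV_STATUSES:
            return True
    return False


def session_length_is_valid(minutes):
    """Enforce the 2 min - 24 h range of the SESSION LENGTH setting."""
    return MIN_SESSION_MINUTES <= minutes <= MAX_SESSION_MINUTES


def evaluate_request(policy, kind, reason, detections, now):
    """Decide what happens to an elevation request of the given kind
    ("run_as_admin" for single-file elevation, "admin_session").
    The check order is an assumption made for this example."""
    if kind not in MIN_REASON_CHARS:
        raise ValueError(f"unknown elevation type: {kind}")
    if not policy.pedm_enabled:
        return "blocked:module_off"
    if kind == "run_as_admin":
        allowed, require_reason, auto_mode = (policy.allow_run_as_admin,
                                              policy.run_as_admin_require_reason,
                                              policy.run_as_admin_auto_mode)
    else:
        allowed, require_reason, auto_mode = (policy.allow_admin_session,
                                              policy.admin_session_require_reason,
                                              policy.admin_session_auto_mode)
    if not allowed:
        return "blocked:feature_off"
    if policy.block_on_infection_risk and has_recent_infection_risk(detections, now):
        return "blocked:infection_risk"
    if require_reason and len(reason.strip()) <= MIN_REASON_CHARS[kind]:
        return "rejected:reason_too_short"    # pop-up will not let the user submit
    return "approved:auto" if auto_mode else "pending:dashboard"


# Constructed sample data, not real telemetry. "Quarantined" is a made-up
# non-blocking status; the second record has a blocking status but is stale.
NOW = datetime(2024, 6, 1, 12, 0, 0)
SAMPLE_DETECTIONS = [
    Detection("NGAV", "Quarantined", NOW - timedelta(days=1)),
    Detection("NGAV", "QuarantinePending", NOW - timedelta(days=10)),
]

if __name__ == "__main__":
    reason = "Install the Xcode command line tools for a local build"
    print(evaluate_request(GroupPolicy(), "admin_session", reason, SAMPLE_DETECTIONS, NOW))
```

Running the block with the default policy prints pending:dashboard, because Approval via Dashboard is the default here; flipping admin_session_auto_mode to True yields approved:auto, and adding a VectorN detection dated within the last week turns the same request into blocked:infection_risk regardless of mode.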