- Revoke Existing Local Admin Rights.
- Preserved Users.
- Adding Preserved Users Manually.
- Adding Preserved Users via CSV.
- Switch User Input.
- Best Practices for adding Preserved Users.
- When are Admin Rights restored?
- Important macOS behavior.
- Further improvements arriving with 3.5.8 PROD.
We are pleased to announce the availability of the new Production (PROD), Heimdal MAC 3.5.8 Agent, now ready for download in your Heimdal Dashboard -> Guide -> Download and Install tab. This version will also be rolled out gradually via our self-update mechanism in the coming weeks.
With the 3.5.8 PROD macOS build, Heimdal takes another firm step toward a truly unified, cross-platform security experience.
Our cross-OS product approach continues to ensure that customers benefit from the same capabilities regardless of environment, and this release brings the long-established Windows PEDM functionality to macOS with the introduction of Revoke Existing Local Admin Rights.
Designed for compliance, control and effortless security hardening, this new capability empowers organizations to eliminate unnecessary privileges on macOS devices with a single click.
Paired with a clean, consistent UX across platforms, it enables IT teams to streamline privilege management, reduce risk exposure and enforce security policies seamlessly, enhancing productivity while maintaining the highest standards of protection.
Revoke Existing Local Admin Rights
The newly implemented checkbox can be found in the Endpoint Settings -> Mac OS GPs -> click on a GP -> Privilege Elevation and Delegation Management -> Additional settings area.
When Revoke Existing Local Admin Rights is enabled, the macOS agent automatically checks which users currently hold administrator privileges on the devices within the targeted Group Policy.
It then enforces the rule by removing those accounts from the local admin group. If specific users or devices must be exempt from this enforcement, they can simply be added to the Preserved Users list, ensuring full control with minimal effort.
For each local admin account, Heimdal will:
- check whether the user or device is listed under Preserved Users.
- keep admin rights for users that match the preserved list.
- remove admin rights for users that do not match the preserved list.
- keep a local record of the revoked users, so the rights can be restored later if the policy changes.
This makes it possible to reduce the number of permanent local administrators on macOS devices while still allowing approved exceptions.
Preserved Users
The Preserved Users section acts as an “allowlist” for this capability, ensuring flexibility and control. Any user or device added here is automatically exempt from admin rights removal, based on how the entry is defined.
To streamline management, the section supports multiple operations, including:
- CSV import for bulk additions.
- Manual entry.
- Search for quick lookups into the Preserved Users list.
- Edit, meant to adjust existing records.
- Delete, for easy cleanup of the list.
- Pagination, for smoother navigation and performance when managing large lists.
Note: Because hostnames can change and would cause mismatches, preservation of admin rights is keyed on Serial Numbers rather than hostnames, to ensure precise and secure device identification.
The Preserved Users list provides granular control over which macOS users retain local admin rights when the Revoke Existing Local Admin Rights feature is enabled.
This “allowlist” supports multiple exception types, enabling you to:
- preserve a specific user on a specific Mac device,
- preserve all users on a specific Mac, or
- preserve a username globally by leaving device identifiers empty.
The macOS agent evaluates three fields to determine whether a user should retain admin rights: Serial Number, Platform UUID (Universally Unique Identifier) and Username.
These indicators work together to ensure precise, reliable matching.
Device matching uses the device's Serial Number and Platform UUID; each is compared exactly, but case-insensitively.
If either device field is left blank, it acts as a wildcard for that field, so an entry with both device fields blank matches every device in the policy.
The Username field is optional and supports glob-style wildcard patterns (* matches any sequence of characters, ? matches a single character).
- If Username is empty, the rule applies at the device level - all users on the device are preserved.
- If Username is specified, the rule applies to that specific user only.
This matching system ensures accurate preservation while giving administrators full control over scope.
Adding Preserved Users Manually
You can add users or device “exclusions” directly from the dashboard:
- Navigate to Endpoint Settings -> Mac OS GPs -> click on a GP -> Privilege Elevation and Delegation Management tab -> Additional settings -> Revoke existing local admin rights (enabled).
- Open the Preserved Users section.
- Choose one or more identifiers:
o Serial Number (auto-complete field) to target a specific Mac.
o Platform UUID for even more precise device targeting. It is filled in automatically from the selected Serial Number and Username when “Switch user input” is disabled, and becomes a free-text field when “Switch user input” is enabled.
o Username (auto-complete field) for user-level preservation.
- Click Add to create the rule.
Adding Preserved Users via CSV
For bulk updates, the Heimdal dashboard supports CSV import:
1. Go to Preserved Users.
2. Click the Exclusions – .CSV file field and upload your file.
3. Select Import.
4. Confirm that all entries appear on the table.
A downloadable sample CSV is available directly in the interface to ensure proper formatting.
Switch User Input
If enabled, the Switch user input option modifies how user identifiers are entered during manual creation of preserved entries (the Serial Number, Username and Platform UUID fields become free text).
It allows administrators to quickly adjust the user identification method before adding a new exception, improving flexibility during rule creation.
Best Practices for adding Preserved Users
For precise control and to avoid unintentionally broad exceptions:
- Use Serial Number + Platform UUID to preserve all users on a specific Mac.
- Use Serial Number + Platform UUID + Username for a single-user exception on a specific machine.
- Use Username only for broader, username-based preservation across multiple devices (recommended only when intentional). Note that a Username-only entry containing just * would match every admin on every Mac in the policy and effectively disable enforcement.
When uncertain, the most precise rule is to provide all three fields.
When are Admin Rights restored?
If a user previously had their local admin rights revoked by the Revoke existing local admin rights functionality, Heimdal automatically restores those rights when any of the following conditions is met:
- The PEDM module is disabled in the Group Policy.
- Revoke existing local admin rights is disabled.
- The user is added to the Preserved Users list.
- The device is added to the Preserved Users list at the device level.
The Heimdal macOS agent verifies that the user is successfully added back to the local admin group before removing that user from the restore tracking list.
Important macOS behavior
The feature observes several platform specific rules on macOS:
- Admin rights are governed entirely by membership in the local admin group.
- The current local group membership is treated as the single source of truth.
- System accounts (e.g. root and internal accounts whose names start with _) are automatically skipped.
- A fully preserved device overrides revoke enforcement for that specific macOS machine.
- Local accounts that no longer exist are removed from tracking rather than being restored.
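To make the rules above concrete, here is an added example (not Heimdal's agent code) that applies the matching rules from the Preserved Users section, reads the list from a CSV as in Adding Preserved Users via CSV, and plans the keep, revoke, restore and untrack decisions described under When are Admin Rights restored? and Important macOS behavior. The CSV column names (serial_number, platform_uuid, username), the case-insensitive username comparison, the tracking list and the admin-group text (shaped like the output of dscl . -read /Groups/admin GroupMembership) are assumptions made for this example; all sample data is constructed.

```python
# Added example, not Heimdal's code. Assumed: CSV columns serial_number,
# platform_uuid, username; usernames compared case-insensitively; the group
# text mimics `dscl . -read /Groups/admin GroupMembership`; data is constructed.
from __future__ import annotations
import csv
import fnmatch
import io
from dataclasses import dataclass

@dataclass(frozen=True)
class PreservedEntry:  # one Preserved Users row; a blank field is a wildcard
    serial_number: str = ""
    platform_uuid: str = ""
    username: str = ""

def load_preserved_csv(text: str) -> list[PreservedEntry]:
    """Parse the (assumed) CSV layout of the Preserved Users list."""
    return [
        PreservedEntry(
            (row.get("serial_number") or "").strip(),
            (row.get("platform_uuid") or "").strip(),
            (row.get("username") or "").strip(),
        )
        for row in csv.DictReader(io.StringIO(text))
    ]

def _device_field_matches(rule_value: str, actual: str) -> bool:
    # Blank = wildcard; otherwise exact but case-insensitive comparison.
    return rule_value == "" or rule_value.lower() == actual.lower()

def entry_matches(entry: PreservedEntry, serial: str, uuid: str, username: str) -> bool:
    """True if `entry` preserves `username` on the device (serial, uuid)."""
    if not _device_field_matches(entry.serial_number, serial):
        return False
    if not _device_field_matches(entry.platform_uuid, uuid):
        return False
    if entry.username == "":
        return True  # device-level entry: every user on this Mac keeps admin
    # Username supports * and ? globs; lower-casing both sides is an assumption.
    return fnmatch.fnmatchcase(username.lower(), entry.username.lower())

def is_preserved(entries, serial: str, uuid: str, username: str) -> bool:
    return any(entry_matches(e, serial, uuid, username) for e in entries)

def is_system_account(username: str) -> bool:
    """root and internal accounts starting with '_' are never touched."""
    return username == "root" or username.startswith("_")

def parse_group_membership(dscl_output: str) -> list[str]:
    """Extract member names from a `GroupMembership: a b c` line."""
    for line in dscl_output.splitlines():
        if line.startswith("GroupMembership:"):
            return line.split(":", 1)[1].split()
    return []

def plan_actions(admin_members, local_users, tracked_revoked, entries,
                 serial: str, uuid: str, pedm_enabled: bool = True,
                 revoke_enabled: bool = True) -> dict[str, list[str]]:
    """Per-user decisions; current admin-group membership is the source of truth.
    keep/revoke: users who are admins now (revoked users get tracked).
    restore/untrack: users already on the tracking list."""
    enforce = pedm_enabled and revoke_enabled
    actions = {"keep": [], "revoke": [], "restore": [], "untrack": []}
    for user in admin_members:
        if is_system_account(user):
            continue
        if not enforce or is_preserved(entries, serial, uuid, user):
            actions["keep"].append(user)
        else:
            actions["revoke"].append(user)
    for user in tracked_revoked:
        if user in admin_members:
            continue  # already an admin again; the loop above decided
        if user not in local_users:
            actions["untrack"].append(user)  # account deleted: drop, don't restore
        elif not enforce or is_preserved(entries, serial, uuid, user):
            actions["restore"].append(user)  # untrack only once re-adding succeeds
    return {k: sorted(v) for k, v in actions.items()}

# Constructed sample data for a single device.
PRESERVED_CSV = """serial_number,platform_uuid,username
C02ABC123DEF,,alice
,,svc-*
C02OTHER999,,
"""
DSCL_OUTPUT = "GroupMembership: root admin alice bob svc-backup _spotlight\n"
LOCAL_USERS = {"admin", "alice", "bob", "svc-backup", "carol"}
TRACKED_REVOKED = ["carol", "dave"]  # dave's account no longer exists
DEVICE_SERIAL = "c02abc123def"  # lower-case on purpose: matching ignores case
DEVICE_UUID = "A1B2C3D4-E5F6-7890-ABCD-EF1234567890"

def demo(revoke_enabled: bool = True) -> dict[str, list[str]]:
    entries = load_preserved_csv(PRESERVED_CSV)
    members = parse_group_membership(DSCL_OUTPUT)
    return plan_actions(members, LOCAL_USERS, TRACKED_REVOKED, entries,
                        DEVICE_SERIAL, DEVICE_UUID, revoke_enabled=revoke_enabled)

if __name__ == "__main__":
    print("enforcing:", demo())
    print("revoke disabled:", demo(revoke_enabled=False))
```

With enforcement on, admin and bob are revoked, alice (matched by Serial Number despite the different letter case) and svc-backup (matched by the global svc-* pattern) are kept, root and _spotlight are skipped, carol stays on the tracking list because she is still not preserved, and dave is dropped from tracking rather than restored because the account is gone. Turning Revoke existing local admin rights off leaves everyone in place and restores carol.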
Further improvements arriving with 3.5.8 PROD
The 3.5.8 PROD release also delivers a range of stability enhancements and platform-wide fixes.
Notably, it includes major improvements to Next-gen AV / XProtect false-positive handling, fixes for several minor issues in the DNS Security module, and a fix for an issue where the Heimdal macOS Agent UI repeatedly popped up for each individual notification.
Notifications are now displayed persistently within the Heimdal MAC Agent UI until dismissed, ensuring a far smoother and less disruptive user experience.