I need to install a new antivirus app to our Mac population. Many have admin rights, but not everyone. I’m in a highly distributed organization where I don’t have much control over, or detailed knowledge of, the endpoints.
I’ve got a couple of challenges that I am looking for some creative solutions to resolve.
I can install the AV app as easily as any other, that’s pretty simple. What I can’t do is approve KEXT or full disk access. I have to rely on end users to approve these after a reboot. It’s not elegant, but it’ll work. But, what if the user has no admin rights? They can’t approve the extension or disk access. If this happens, the user will have no functioning antivirus application and they’ll continue to get prompts to approve things they don’t have permissions to install.
So what I want to do is run this only if the end user is an admin. The ‘Users’ tab in the ‘Take Action’ dialog in the BigFix console provides this ability on Windows endpoints, but it doesn’t work for Macs.
My thought here is to run the installer as the currently logged in user, if they don’t have admin rights the installer will fail right away and I can have local support deal with this installation another way.
I can’t get override wait; runas=currentuser, or runas={name of current user as string}, to work. The fixlet will complete, but the .pkg is never run.
I’m thinking that the best I can do is to copy the installer.pkg to the desktop of the currently logged in user and prompt them to install it.
Any suggestions for running as the currently logged in user or with automating the KEXT approvals would be very much appreciated.
b
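An added example, not part of the original post: one way to make the "only if the logged-in user is an admin" decision in a shell script that runs as root on the Mac, without needing to run the installer as that user. The function names and the returned strings are assumptions for illustration; `stat -f` and `dseditgroup` are the stock macOS tools.

```shell
#!/bin/sh
# Added example: gate a macOS install on whether the console user is a local admin.

# The owner of /dev/console is the user of the GUI login session (macOS stat syntax).
console_user() {
    stat -f '%Su' /dev/console
}

# Returns 0 if $1 is a member of the local "admin" group, nested groups included.
user_is_admin() {
    dseditgroup -o checkmember -m "$1" admin >/dev/null 2>&1
}

# Decide what to do for user $1. $2 optionally names the membership test
# (default: user_is_admin) so the logic can be exercised off a Mac.
# Prints one of: install | defer-no-admin | defer-no-user
install_decision() {
    user=$1
    check=${2:-user_is_admin}
    case "$user" in
        # Nobody at the console (login window) or Setup Assistant still running.
        ''|root|loginwindow|_mbsetupuser)
            echo defer-no-user
            return 0
            ;;
    esac
    if "$check" "$user"; then
        echo install
    else
        echo defer-no-admin
    fi
}

# Prints the decision and returns 0 only when the install should go ahead.
gate() {
    decision=$(install_decision "$(console_user)")
    echo "$decision"
    [ "$decision" = install ]
}
```

Calling `gate` before the installer step and stopping on a non-zero status leaves the non-admin and nobody-logged-in machines identifiable by the printed reason, so local support can handle them separately.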