
How to set up Self Service device management for macOS

This document provides comprehensive guidance on Hexnode’s Self Service device management feature for macOS devices.

In scenarios where a user needs to perform tasks that require administrative privileges, such as installing applications or modifying system files and settings on their device, yet only has access to a standard account, managing such requirements can be challenging.

To address this challenge while maintaining control, Hexnode provides the Self Service device management feature. It allows users to temporarily elevate privileges and carry out necessary actions independently. Based on the configurations defined by the administrator in the portal, the user can perform permitted actions accordingly.

Prerequisite:

Ensure that both the Hexnode UEM portal and the Hexnode Agent application are updated to their latest versions.

Deploy Self Service device management policy

To set the Self Service policy:

  1. Log in to the Hexnode UEM.
  2. Navigate to Policies > New Policy.
  3. Provide a policy name and description.
  4. Go to macOS > Configurations > Self Service.
  5. Click on Configure. Then, check the boxes required.
    • Allow user to elevate standard account to administrator: When enabled, this allows users with standard accounts to temporarily gain administrator privileges. You can specify how long the elevated access lasts. For example, if set to 5 minutes, the user will automatically revert to standard access after that duration. This applies to all the standard accounts of the users.
    • Set a limit for the maximum number of times the user account can be elevated in a day: When enabled, this restricts how many times a user can elevate their account to administrator within a 24-hour period. You can define the maximum number of elevations per day. For example, if set to 5, the user can elevate their account up to 5 times in a day.
    Note:

    The maximum time period that can be set for a Self Service action ranges from 1 to 10 minutes. Additionally, the daily usage limit (that is, how many times this provision can be granted to a user per day) can be configured between 1 and 25 times.

  6. Move to Policy Targets.
  7. You can associate devices/device groups/users/user groups/domains with the policy. Then click OK.
  8. Click Save.

[Image: Self Service Policy for device management.]

What to do at the device end?

While the Self Service settings are configured by the administrator through policies in the Hexnode UEM portal, the elevation is initiated by the user from the device end using the Hexnode UEM app.

Once the policy is applied:

  1. Open the Hexnode UEM app on the user device.
  2. From the left side menu, select Self Service.

     [Image: Self Service tab in Hexnode UEM app]

  3. Click Elevate to access admin privileges.
  4. Enter the password associated with the local account.

     [Image: User Authentication for Self Service elevate option.]

  5. A Success notification will appear if the elevation is successful, showing a confirmation message and the duration of elevated access.

     [Image: Success Notification for Self Service device management]

  6. A failure notification will appear if the elevation has failed.

     [Image: Failed notification for Self Service device management]

  7. Admin privileges will be automatically revoked after the configured time.
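
To confirm on the device that admin rights were actually revoked once the configured window has passed, the following added example (not part of Hexnode's documentation or tooling) lists members of the local macOS `admin` group that are not on an allowlist of permanent administrators. The `EXPECTED_ADMINS` variable, the account names and the sample line are assumptions constructed for illustration; only direct group membership is checked.

```shell
#!/bin/sh
# Added example: audit the local macOS admin group after a Self Service
# elevation window should have expired. Run with sh, not sourced into zsh.
# Assumption: EXPECTED_ADMINS is your own space-separated allowlist of
# accounts that are meant to be permanent administrators.
EXPECTED_ADMINS="${EXPECTED_ADMINS:-root}"

# unexpected_admins MEMBERSHIP_LINE ALLOWLIST
# MEMBERSHIP_LINE is the output of:
#   dscl . -read /Groups/admin GroupMembership
# Prints every member that is not on the allowlist, one per line.
unexpected_admins() {
    members=${1#GroupMembership:}
    for m in $members; do
        case " $2 " in
            *" $m "*) ;;               # allowlisted permanent admin
            *) printf '%s\n' "$m" ;;   # still elevated, or a stale admin
        esac
    done
}

# audit_admin_group: run on the Mac itself.
# Returns 0 if clean, 1 if unexpected admins exist, 2 if dscl failed.
audit_admin_group() {
    line=$(dscl . -read /Groups/admin GroupMembership) || return 2
    extra=$(unexpected_admins "$line" "$EXPECTED_ADMINS")
    [ -z "$extra" ] && return 0
    printf 'unexpected admin: %s\n' $extra >&2
    return 1
}

# Constructed sample line (not real output from any device).
SAMPLE='GroupMembership: root itadmin jdoe'

if command -v dscl >/dev/null 2>&1; then
    audit_admin_group                            # live check on macOS
else
    unexpected_admins "$SAMPLE" "root itadmin"   # prints: jdoe
fi
```

Run it after the configured duration has elapsed; a standard user who elevated and still appears in the output has not been reverted.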

FAQs

  1. What indication is provided to users when the elevation option has reached its maximum limit for the day?

    When the maximum limit is reached, the Elevate button will appear greyed out in the Hexnode UEM app, indicating that no further elevation actions can be performed for that day.

  2. Under what circumstances might a user encounter a “Failed” notification during an elevation attempt?

    A “Failed” notification may appear under the following conditions:

    • Incorrect Authentication Credentials: If the user enters the wrong password during the elevation process.
    • Elevation from an Admin Account: If an elevation attempt is made from an account that already has admin privileges, a failed notification will be shown.

  3. What is the configurable duration for Self Service on a macOS device?

    The time period can be configured between 1 and 10 minutes.

  4. What could be the reasons a user doesn’t see the Self Service tab in the Hexnode UEM app?

    It may be due to using an outdated version of the Hexnode UEM app. Ensure that both the Hexnode UEM portal and the app are updated to their latest versions.
