
We have MAC OS for our developers (running with root). We also deploy an DLP endpoint agent. Now what happens, in some cases they just sudo and uninstall the agent because it slows down the machine. What options do we have to prevent them doing that ? I guess technically there's probably nothing that can be done, right ?

cyzczy

1 Answer


I know this is not the answer you want, but from a security perspective, the right answer is removing admin privileges and granting them more specific permissions if needed. Giving your users full admin rights is the best way to a full ransomware outbreak and other fun stuff you don't want to live through.

Unfortunately, you're probably living in the real world with bosses and other fun stuff, who claim local admin rights for users are just fine. In that case some DLP agents can be configured to require a password (separate from the machine) to start the uninstall process. If the DLP tool you're using doesn't provide this configuration option, you could install a monitoring tool (or cron job) on the endpoints that continuously checks for a running (or just installed) DLP service and, if the service stops working, sends you an email or creates an alert in your monitoring or SIEM tool. Depending on your infrastructure there are many ways to do this, but generally you should try to avoid false positives. One way is to only alert whenever a DLP agent has not responded for a few days (if your company is okay with that risk) and then gather the information into a monthly report to monitor the development.

Another way to fix the issue would be with people skills. Assuming you've already tried to talk with the devs about not uninstalling your tools, work with HR or C-level to communicate this message and you'll see how easy it is to change people's minds when their job security is on the line ;-)

QuantumSec
The DLP endpoint agent provides a challenge-response mechanism but only for Windows. After a short evaluation it looks like DLP on MAC OS is still years behind Windows. Installing any additional tool for monitoring does not help too much, as again with full admin rights they can do whatever they want to do. Also, regarding the cronjob / SIEM, that would probably give some information, but the management console for the DLP product has reporting functionalities as well (to see when the last time the agent checked in was), though that would only work if connected via a VPN or direct connection. – cyzczy Aug 09 '19 at 09:22
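As an added example (not from the answer above or from any DLP vendor), a bash script sketching the cron-job approach the answer describes for macOS: it checks whether the agent's launchd job is loaded, keeps a "last seen running" timestamp, and only reports an alert once the agent has been missing for longer than a grace period, which is the false-positive trade-off the answer mentions. The label `com.example.dlp-agent`, the state path and the three-day grace period are placeholders, not real product values.

```shell
#!/bin/bash
# Heartbeat-style watchdog for a DLP agent's launchd daemon on macOS.
# Run from root's cron or a LaunchDaemon, e.g.  */30 * * * * /usr/local/sbin/dlp-watch.sh --run
# All three values below are assumptions/placeholders for this example.
DLP_LABEL="${DLP_LABEL:-com.example.dlp-agent}"        # launchd label of the agent
STATE_FILE="${STATE_FILE:-/var/db/dlp-watch/last_seen}" # root-owned heartbeat file
GRACE_DAYS="${GRACE_DAYS:-3}"                            # tolerated absence before alerting

# Returns 0 when launchd reports the agent's job as loaded.
# Without launchctl (e.g. on a Linux test box) the agent counts as "not running".
dlp_agent_running() {
  command -v launchctl >/dev/null 2>&1 || return 1
  launchctl list "$1" >/dev/null 2>&1
}

# Persist the epoch time at which the agent was last observed running.
# $1 = state file, $2 = epoch seconds
record_seen() {
  mkdir -p "$(dirname "$1")" && printf '%s\n' "$2" > "$1"
}

# Decide whether the gap since the last sighting exceeds the grace window.
# A missing state file (first run) is seeded with "now" so a fresh install
# never alerts immediately. $1 = state file, $2 = now (epoch), $3 = grace days.
# Prints "alert" or "ok".
alert_state() {
  local last now grace_secs
  now="$2"; grace_secs=$(( $3 * 86400 ))
  if [ -r "$1" ]; then read -r last < "$1"; else last="$now"; record_seen "$1" "$now"; fi
  if [ $(( now - last )) -gt "$grace_secs" ]; then echo alert; else echo ok; fi
}

# One monitoring pass: refresh the heartbeat if the agent is up, otherwise
# judge the gap and print a line a mail hook or SIEM forwarder can consume.
check_once() {
  local now; now=$(date +%s)
  if dlp_agent_running "$DLP_LABEL"; then
    record_seen "$STATE_FILE" "$now"
    echo "ok: $DLP_LABEL loaded on $(hostname)"
  elif [ "$(alert_state "$STATE_FILE" "$now" "$GRACE_DAYS")" = alert ]; then
    echo "ALERT: $DLP_LABEL missing for more than ${GRACE_DAYS}d on $(hostname)"
    return 1   # non-zero exit lets cron/launchd or a wrapper raise the alert
  else
    echo "warn: $DLP_LABEL not loaded on $(hostname); still within grace period"
  fi
}

# Only perform the check when invoked with --run, so the file can also be sourced.
[ "${1:-}" = "--run" ] && check_once
```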