Of course! We currently utilize the excellent Privileges app (https://github.com/SAP/macOS-enterprise-privileges) and we have some custom code built for creating and maintaining local access groups on the Mac which prevent unwanted elevation. We also have some custom code and a daemon built out to automatically demote users so we they don't indefinitely get admin access.
We wanted to find a tool that could provide the same functionality as above with the addition of an approval process and differing levels of access depending on context while also provide platform parity across our windows fleet.
In addition to doing the same things as above, we tested the following functionality to make sure ABR met our needs:
- Simple installer with a pkg deployable in Jamf
- The new ABR client introduced Azure integration with Jamf Connect (which we also run) so we can could determine the user's group membership for access.
- Sub settings allowed us to use azure group membership for different levels of access (approval being required, time of elevation, etc.)
- Approval mechanism is quick and allows the user to elevate later if they aren't still at the Mac when it got approved.
The few hiccups in our testing were around the new 4.0 client not connecting to Azure AD properly. We had to work with their development team to get some changes made to the client but I assume that would be ironed out once the new client matures a little. We also were not able to test any branding changes even though we made branding changes in the portal. This could be because we were running a trial, but branding wasn't that important to us anyway.
