Command Line Approval Message Action

The Command Line Approval Message action allows administrators to prompt command line users on macOS endpoints for an approval request. The action displays text in the command line interface and prompts the user to enter text.

This action is specifically designed to work with the IBM Security macOS sudo plugin and is only intended for commands that run under sudo based on the following use case:

  • the user runs sudo <command>
  • the user is prompted to supply a justification, which happens directly in the same terminal
  • the command is then run with elevation

To create the message action,

  1. Navigate to Admin | Actions.

  2. Click Create Action.

  3. For Platform, select macOS.

  4. For Type, select Command Line Approval Message.

  5. Enter a name and description.

  6. Click Create.

    alt

  7. Under Settings for:

    • Message, use the color tooling options and editor to add and customize your message prompt for the users.
    • Approval Type, from the drop-down select either
      • Default Execute Application Request Type or
      • Default Offline Execute Application Request Type.
  8. Click Save Changes.

Refer to Using the Command Line Action Editor for information on how to use the editor.

The Command Line Approval Message action is the preferred message action to elevate commands and scripts run under sudo requiring approval.

If there are networking issues, while a CLI approval is being used, the following error might be displayed in Terminal: Error occurred in policy engine. This is due to offline CLI approvals not being supported at this time.