Solved

EPM-Mac How to target user installed binary?

  • October 23, 2025
  • 3 replies
  • 73 views

raymondus

Hi Everyone,

I have the following use case:
How can I target the git command in the terminal?
The Git binary was installed by the user via Homebrew.

I’ve tried matching File / Folder Name criteria with git, and also using the absolute path /usr/local/Cellar/git/2.51.1/bin/git in the Application Groups, but it still didn’t work.

I tried matching it with parent process and even using the hash (SHA-256).

I tested sample commands like ls -la, as shown in the documentation website, and ls -la was successfully captured.

The git command filtering only works when I use a sudo command application type, i.e. if I type sudo git pull...

But the case I want is not using sudo.
Does EPM-M only process binaries that are signed by Apple?

Because the git from homebrew is not signed. 

I’m using macOS 13 Ventura and PMC 25.6.580

Thanks

Best answer by celliott

You would need to add a controlled path to the defendpoint.plist. Once that path is added, then BeyondTrust can manage those binaries. Then you can target the specific binary outside of sudo.

3 replies

tclowater
BeyondTrust Employee
  • BeyondTrust Employee
  • 79 replies
  • October 29, 2025

Hi @raymondus,

The best recommendation I can think of would be to target any binary with command line argument containing git. If you’re getting stuck, I would recommend checking with support if they are able to narrow down what is occurring with execution vs implementation.

The terminal items, along with controlling homebrew, can be a bit more challenging if the developers are allowed to install from any source (e.g. internet) vs an internal repository where approved applications are housed. 


  • Veteran
  • 162 replies
  • October 31, 2025

Hey Raymondus.

tclowater is spot on. Use the KB0022392 from BT that is focused on the block for installs from HomeBrew. This can be used similarly just for git.

https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0022392

Then it’s often easier to allow the ones we know are needed, so create a blanket block that will prevent all Git pull, then an Allow Rule above for those specifics you want to allow.

Kind regards
Jens


  • Apprentice
  • 2 replies
  • Answer
  • November 5, 2025

You would need to add a controlled path to the defendpoint.plist. Once that path is added, then BeyondTrust can manage those binaries. Then you can target the specific binary outside of sudo.