Hello All,

I am curious to know how other users are going about rolling out EPM to Mac OS users who are currently admins. As an example, let's say we roll it out to 100 users with the Quick Start policy. Suddenly 10+ users want to install Homebrew. I can tell them to just input their password "n" number of times for now, while I work with the Mac sysadmin team to distribute the script via JAMF (not sure if they would want to have the QA team test it, which will add another couple of weeks to it). How are other EPM admins managing this? What if it happens with multiple new applications around the same time: 5 different apps and 50+ users want them installed, like right now.


Couple of things I am doing:
- Get an inventory of all apps across the devices that will get EPM and make sure these apps will work smoothly
- Look for KBs to tweak the policy
- Thinking of starting with discovery mode/monitoring - this will cover existing apps/settings etc. that need elevated rights - thinking of 30-60 days - and then move to enforcing mode.

There is a KB for Homebrew that can help you with this. Then also note that your dev users on Mac will have to be members of the _developers group, the local hidden group on Mac.


https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0018795


Hi @Jens Hansen, my bad, I should have clarified. I took Homebrew as an example. The method in the KB needs a script to be distributed, which is basically outside of EPM policy adjustments and needs the involvement of other team(s), e.g. sysadmins. I am planning to have a workflow in place, e.g. based on this example I can have alignment with the sysadmin team. Any other similar app that needs a script that will be elevated using EPM » Step 1. User reports issue; Step 2. EPM admin (Security Team) creates the script and updates policy; Step 3. Sysadmins update MDM after quick QA testing; Step 4. User KB updated.
I am trying to gather inputs from other users on how they handle similar issues/requests, as it can be overwhelming if multiple apps & users are affected at once.


The steps that you mention are correct and the right way to accomplish this. You will find on the Mac side that a bit of end-user education is needed, as the normal behavior has changed a bit.
Typically I would run a pilot phase to ensure that we capture all these use cases and software that we could run into issues with, before a mass deployment.
Then you will find a need for more profiles for meeting apps, helpdesk tools etc., as a user under policy should not have access to change System Settings → Privacy & Security, as they can remove access for other apps including security apps and change file and disk access. Typically you can find MDM profiles from the vendors, or you have to create custom ones in JAMF and have them preloaded to the client.

Just-in-time Admin will work for Mac according to the PM Cloud 24.7 Release Notes.

A pretty sweet new feature coming.


@Jens Hansen Just checking if you have any suggestion on discovery/monitoring mode. For developer use cases (who demand admin rights), can we enable monitoring mode, i.e. EPM will just capture the logs while users remain as admins, no interference at all? After a few weeks of monitoring we will demote the users to standard and enable different messages. (I see the Windows discovery policy does intercept, as it has a Yes/No message.)
This type of policy can be handy in case of troubleshooting as well. Give them temp admin rights and just capture the logs. I see there is a log capture tool as well as JIT admin rights, but it involves more effort & time. It can be a long-term fix, but I am looking for an immediate workaround.


The High Flexibility workstyles for both Mac and Windows are designed to give an almost 1:1 admin experience on Windows and Mac, though with a few changes on Windows, and for Mac policy changes are needed. Note: developers on Mac will need to be members of the _developers group or they can't do debugging. Group membership can be done with JAMF or another MDM tool; otherwise it is manual.

Windows Discovery is a legacy template that was used for discovering what administrators did on Windows. It has not really been managed for the last few years, and Discovery does not exist for Mac.

So High Flexibility is your new discovery: it will show you what they use admin rights for, and you will have accomplished the main goal of also removing admin rights.

Developers will always be the most complicated staff to get on-boarded. Work with a good, willing person from the dev team to align expectations and requirements, and see if you can get them even lower than High Flex. That is likely my best advice.

Then the PM Cloud 24.7 Release Notes do state they will provide a JIT for admin rights: granting users temp admin rights on the computers for both Windows and Mac for X amount of time, while still auditing what is done with this temp access.
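The _developers group membership mentioned in this reply and in the earlier Homebrew KB reply is usually handled by an MDM-delivered script. The following is an added example, not a script from this thread, BeyondTrust, or JAMF: it wraps Apple's dseditgroup tool so that a standard (non-admin) user can be added to the hidden group from a root-run policy script, and it validates the user name first because the script runs with root rights. The DRY_RUN variable is my own addition so the logic can be exercised off a Mac.

```shell
#!/bin/sh
# Added example (not from the thread or any vendor): add a macOS user to the
# hidden _developers group so debugging works under a standard account.
# Relies on Apple's dseditgroup(8); run as root, e.g. from a JAMF policy script.
# DRY_RUN=1 (my own switch) prints the privileged command instead of running it.

DEV_GROUP="_developers"

# Accept only a plausible local short name; anything else never reaches a
# root-level command (defensive, since an MDM hands this script arbitrary input).
valid_shortname() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_.-]{0,31}$'
}

# The exact dseditgroup invocation that would be run for a user.
member_cmd() {
    printf 'dseditgroup -o edit -a %s -t user %s' "$1" "$DEV_GROUP"
}

# 0 = already a member, 1 = not a member, 2 = invalid name.
# In dry-run mode nobody is treated as a member, so the add path is shown.
is_member() {
    valid_shortname "$1" || return 2
    if [ "${DRY_RUN:-0}" = "1" ]; then return 1; fi
    dseditgroup -o checkmember -m "$1" "$DEV_GROUP" >/dev/null 2>&1
}

# Idempotently ensure membership; prints what it did.
ensure_member() {
    user="$1"
    if ! valid_shortname "$user"; then
        echo "refusing invalid user name: $user" >&2
        return 2
    fi
    if is_member "$user"; then
        echo "$user already in $DEV_GROUP"
        return 0
    fi
    if [ "${DRY_RUN:-0}" = "1" ]; then
        member_cmd "$user"
        echo
        return 0
    fi
    dseditgroup -o edit -a "$user" -t user "$DEV_GROUP"
}

# Usage from an MDM policy: sh add_developer.sh <shortname>
# Local check without changing anything: DRY_RUN=1 sh add_developer.sh alice
if [ -n "$1" ]; then
    ensure_member "$1"
fi
```

Removing a user again is the same call with -d instead of -a, which is what a JIT-style time-boxed grant would run at expiry; whichever tool performs the change, the MDM log of the command is the audit trail the policy discussion above relies on.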


Thank you for your prompt response!

