The issue concerns macOS applications deployed through Microsoft Intune or Company Portal. Applications installed this way are owned by the root user, so whenever one is launched and needs to install a helper tool, the user is prompted for administrator credentials. This disrupts the user experience and also poses a security risk: if users grant the elevated permission without proper scrutiny, unauthorized access can result. The affected workflow is any macOS application managed through Intune or Company Portal, particularly one that requires a helper tool to function. The recommended mitigation is to change the application's ownership from root to the regular user, while still keeping the update mechanism secure. Because disabling automatic updates is undesirable for both security and functionality reasons, scripting the post-installation configuration is suggested instead.
- Microsoft Intune
- Company Portal on macOS
- Change application ownership from root to the logged-in user: run `chown -R "$(stat -f '%Su' /dev/console)":staff "/Applications/$AppName.app"`, where `$AppName` is the name of your app (the path is quoted so a name containing spaces is handled correctly).
- Configure post-installation scripts for automatic updates that handle helper tool installations without prompting users.
- Consider implementing a custom script or policy in Intune to manage application ownership and update processes securely.
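The following post-installation script is an added example and is not code from the original page, from Microsoft, or from any Intune deployment. It wraps the ownership change above in a small amount of validation so that a malformed app name cannot steer `chown -R` outside `/Applications`, and it reports the resulting owner so the deployment log shows what happened. Assumptions not stated on the page: the bundle sits directly under `/Applications`, `staff` is the intended group, and the deployment tool runs the script as root; the non-macOS fallback in `console_user` exists only so the validation logic can be exercised on other systems.

```shell
#!/bin/sh
# Added example (not from the original page): hand an Intune-deployed app
# bundle from root to the console user, with input validation.
# Assumptions (not from the page): bundle lives directly under /Applications,
# group "staff" is wanted, and the deployment tool runs this as root.

APPS_ROOT="/Applications"

# Resolve the user currently logged in at the console. On macOS this is the
# owner of /dev/console (BSD stat). On other systems we fall back to the
# invoking user purely so the rest of the script can be exercised there.
console_user() {
    if [ "$(uname)" = "Darwin" ]; then
        stat -f '%Su' /dev/console
    else
        id -un
    fi
}

# Accept only a bare bundle name such as "Foo.app": no slashes, no "..",
# no leading dot, and it must end in ".app". Returns 0 if safe, 1 otherwise.
validate_app_name() {
    name="$1"
    case "$name" in
        ""|*/*|*..*|.*) return 1 ;;
        *.app) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the owning user of a path. Both BSD and GNU ls put the owner in
# column 3 of a long listing, so this works on macOS and elsewhere.
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# Change ownership of one app bundle.
# Arguments: bundle name, target user, target group, apps root (optional).
fix_ownership() {
    app_name="$1"; user="$2"; group="$3"; root="${4:-$APPS_ROOT}"
    validate_app_name "$app_name" || {
        echo "refusing suspicious app name: $app_name" >&2; return 1; }
    bundle="$root/$app_name"
    [ -d "$bundle" ] || { echo "no such bundle: $bundle" >&2; return 1; }
    chown -R "$user:$group" "$bundle" || return 1
    echo "$bundle now owned by $(owner_of "$bundle")"
}

# Stand-alone usage from a post-install hook:  sh fix_owner.sh Foo.app
if [ -n "${1:-}" ]; then
    fix_ownership "$1" "$(console_user)" staff
fi
```

Note the trade-off this creates: once the bundle is owned by the console user, any process running as that user can modify it, which is exactly what lets the app's own updater run without an admin prompt. That is the balance the page refers to, and it is why the script only ever touches a validated path under `/Applications` rather than accepting an arbitrary directory.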
This issue impacts macOS homelab environments where applications are managed through Intune/Company Portal, affecting both user experience and security posture. Specifically, the `/Applications/$AppName.app` directory and its related configuration need attention.