Symptoms
We have set up a policy rule for the macOS platform that checks for a running process containing [some process name], for example "Logi Options Daemon".
In the macOS Activity Monitor application, the process name looks correct: "Logi Options Daemon".
When a user authenticates, the policy doesn't match the process name. The message is "At least one event attribute did not match", and the attribute shown as not matched is "Process Running contains Logi Options Daemon".
Solution
macOS processes can have a different display name in Activity Monitor than the name the system reports. Using the system-reported process name will make the policy detect the process. To validate the correct process name, a second "process containing" monitor rule can be added. In this case, a rule that checks for Process Running contains LogiMgrDaemon will match.
How to identify the correct process name?
Open the process details from the Activity Monitor app and note the PID of the process.
Use the terminal to query what the Beyond Identity Platform Authenticator is finding (replace 1873 with the PID you noted):
/Applications/Beyond\ Identity.app/Contents/Resources/osqueryi --json "SELECT name FROM processes WHERE pid = 1873"
The output will contain the process name that the system is using.
The last step is to change your policy rule to use that process name.
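The lookup above can also be done without a PID. The following is an added example, not part of the original article or Beyond Identity's own tooling: it searches the osquery processes table by a fragment of the display name, in both the name and path columns. The function names and the OSQUERYI override variable are hypothetical, and matching on path is a heuristic that assumes the executable path carries part of the display name.

```shell
#!/bin/sh
# Added example: list processes whose system-reported name or executable path
# contains a fragment of the name shown in Activity Monitor.

# osqueryi location as given in the article; set OSQUERYI to override (assumption).
OSQUERYI="${OSQUERYI:-/Applications/Beyond Identity.app/Contents/Resources/osqueryi}"

# build_query FRAGMENT
# Prints the SQL for the lookup. Single quotes in the fragment are doubled so
# it cannot terminate the SQL string literal. % and _ keep their LIKE wildcard
# meaning, which is acceptable for a local diagnostic query.
build_query() {
    frag=$(printf '%s' "$1" | sed "s/'/''/g")
    printf "SELECT pid, name, path FROM processes WHERE name LIKE '%%%s%%' OR path LIKE '%%%s%%'" \
        "$frag" "$frag"
}

# find_process_names FRAGMENT
# Runs the query through the bundled osqueryi and prints the JSON rows.
# The "name" field of the matching row is the value to use in the policy rule.
find_process_names() {
    if [ -z "$1" ]; then
        echo "usage: find_process_names FRAGMENT" >&2
        return 2
    fi
    if [ ! -x "$OSQUERYI" ]; then
        echo "osqueryi not found at: $OSQUERYI" >&2
        return 1
    fi
    "$OSQUERYI" --json "$(build_query "$1")"
}
```

After sourcing the file, run find_process_names Logi and read the "name" field of the row whose path points at the application you are checking.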