denisenepraunig / macOS-enterprise-privileges

For Mac users in an Enterprise environment, this app gives the User control over administration of their machine by elevating their level of access to Administrator privileges on macOS. Users can set the time frame using Preferences to perform specific tasks such as install or remove an application.

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Privileges.app

Description

Privileges.app for macOS is designed to allow users to work as a standard user for day-to-day use, by providing a quick and easy way to get administrator rights when needed. When you do need admin rights, you can get them by clicking on the Privileges icon in your Dock.

We believe all users, including all developers, can benefit from using Privileges.app. Working as a standard user instead of an administrator adds another layer of security to your Mac and is considered a security best practice. Privileges.app helps enable users to act as administrators of the system only when required.

Requirements

Privileges supports the following macOS versions:

  • macOS 10.12.x
  • macOS 10.13.x
  • macOS 10.14.x
  • macOS 10.15.x
  • macOS 11.0.x

Installation

  1. Log into your Mac using an account with admin privileges

  2. Download Privileges.app.

  3. Copy Privileges.app to to the Applications folder on your Mac.




  1. Launch Privileges.app and click the Remove Privileges button.

  1. Install the helper tool when prompted.

The logged-in account should now be a standard user account.

Note: To use all of Privileges.app's functions, we recommend adding Privileges.app to the dock.

Using Privileges.app

If you are a standard user and want admin rights, verify that Privileges.app is installed then use the following procedure:

  1. Launch Privileges.app
  2. Click the Request Privileges button.
  3. The Privileges dock icon should change to look like a yellow unlocked padlock.
  4. A Privileges have been changed successfully message should appear.

5. The logged-in account should now have admin rights.

If you are a admin user and want to remove admin rights, verify that Privileges.app is installed then use the following procedure:

  1. Launch Privileges.app.
  2. Click the Remove Privileges button.
  3. The Privileges dock icon should change to look like a green locked padlock.
  4. A Privileges have been changed successfully message should appear.

5. The logged-in account should now be a standard user account.

Helper Tools

The following helper tools are installed to allow Privileges.app the necessary access rights to grant or remove admin rights:

/Library/PrivilegedHelperTools/corp.sap.privileges.helper



/Library/LaunchDaemons/corp.sap.privileges.helper.plist



For more information on privilege elevation using a privileged helper app and LaunchDaemon, please see the link below:

https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/AccessControl.html

Frequently Asked Questions

Why does the icon for Privileges.app change colors in the Dock?

This is by design. The icon is green and displays a locked padlock icon when you are a standard user.


Dock icon for macOS Catalina and earlier:


Dock icon for macOS Big Sur:


The icon is yellow and displays an unlocked padlock icon when you are an administrator.


Dock icon for macOS Catalina and earlier:


Dock icon for macOS Big Sur:


By default, is there a time limit on the admin rights granted by Privileges.app?

No. Admin rights are granted until some process (like running Privileges.app again) takes them away.

Can I set Privileges.app to give me administrator rights for a defined amount of time?

Yes. You can use the Toggle Privileges option on the dock icon to get admin rights for a set amount of time (the default amount is 20 minutes.)





To set the amount of time used by the Toggle Privileges option, use the following procedure:

  1. Launch Privileges.app
  2. Click on the Privileges menu and select Preferences
  3. Select the desired amount of time from the available options.

What actions do the Lock Screen and Login Window toggle options perform?

The Lock Screen toggle option locks your screen.



The Login Window toggle option returns you to the Login Window without logging you out.



How do I use Privileges.app in a script or from the command line?

Privileges.app supports command line use. To use the PrivilegesCLI command line tool, run /Applications/Privileges.app/Contents/Resources/PrivilegesCLI followed by the option you want to use.

The PrivilegesCLI command line tool currently supports the following options:

  • /Applications/Privileges.app/Contents/Resources/PrivilegesCLI --add : Adds the logged-in user to the admin group.

  • /Applications/Privileges.app/Contents/Resources/PrivilegesCLI --remove : Removes the logged-in user from the admin group.

  • /Applications/Privileges.app/Contents/Resources/PrivilegesCLI --status : Displays the current user's privileges.

For assistance, please run the following command to display all available options:

/Applications/Privileges.app/Contents/Resources/PrivilegesCLI

How do I access logs for Privileges.app?

Privileges.app uses the system log for logging. To see all logs for Privileges.app in the Console app, you can filter for the corp.sap.privileges.helper process.

To see only the logging associated with changing admin rights in the Console app, you can filter for log messages containing SAPCorp.

To access the same logs from the command line, the log command can be used. To see all logs for Privileges.app using the log command, the following command can be used:

log show --style syslog --predicate 'process == "corp.sap.privileges.helper"'

To see only the logging associated with changing admin rights, the following command can be used:

log show --style syslog --predicate 'process == "corp.sap.privileges.helper" && eventMessage CONTAINS "SAPCorp"'

How do I uninstall Privileges.app?

  1. Ensure that your user account has admin rights. If needed, launch Privileges.app one final time to make sure you have them.
  2. Remove the following files:
  • /Applications/Privileges.app

  • /Library/PrivilegedHelperTools/corp.sap.privileges.helper

  • /Library/LaunchDaemons/corp.sap.privileges.helper.plist

Application Management

As of Privileges 1.5.0, it is possible to manage settings for Privileges.app or the PrivilegesCLI command line tool using a macOS configuration profile. For more details, please click here.

Support

This project is 'as-is' with no support, no changes being made. You are welcome to make changes to improve it but we are not available for questions or support of any kind.

Security

Found a security-related issue or vulnerability and want to notify us? Please contact us at privileges-security@sap.com

License

Copyright (c) 2020 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, Version 2.0 except as noted in the LICENSE file.

SUBCOMPONENTS

This project includes the following Apple EvenBetterAuthorizationSample sample code, which is subject to separate license terms. Your use of the code included in this project is subject to the separate license terms applicable to the Apple sample license code.

For more details, please see the the LICENSE file.

About

For Mac users in an Enterprise environment, this app gives the User control over administration of their machine by elevating their level of access to Administrator privileges on macOS. Users can set the time frame using Preferences to perform specific tasks such as install or remove an application.

License:Apache License 2.0


Languages

Language:Objective-C 89.9%Language:Rich Text Format 10.1%