Privileges.app for macOS is designed to allow users to work as a standard user for day-to-day use, by providing a quick and easy way to get administrator rights when needed. When you do need admin rights, you can get them by clicking on the Privileges icon in your Dock.
We believe all users, including all developers, can benefit from using Privileges.app. Working as a standard user instead of an administrator adds another layer of security to your Mac and is considered a security best practice. Privileges.app helps enable users to act as administrators of the system only when required.
Privileges supports the following macOS versions:
- macOS 10.12.x
- macOS 10.13.x
- macOS 10.14.x
- macOS 10.15.x
- macOS 11.0.x
- Log into your Mac using an account with admin privileges.
- Download Privileges.app.
- Copy Privileges.app to the Applications folder on your Mac.
- Launch Privileges.app and click the Remove Privileges button.
- Install the helper tool when prompted.
Note: To use all of Privileges.app's functions, we recommend adding Privileges.app to the dock.
If you are a standard user and want admin rights, verify that Privileges.app is installed, then use the following procedure:
- Launch Privileges.app.
- Click the Request Privileges button.
- The Privileges dock icon should change to look like a yellow unlocked padlock.
- A "Privileges have been changed successfully" message should appear.
If you are an admin user and want to remove admin rights, verify that Privileges.app is installed, then use the following procedure:
- Launch Privileges.app.
- Click the Remove Privileges button.
- The Privileges dock icon should change to look like a green locked padlock.
- A "Privileges have been changed successfully" message should appear.
The following helper tools are installed to allow Privileges.app the necessary access rights to grant or remove admin rights:
/Library/PrivilegedHelperTools/corp.sap.privileges.helper
/Library/LaunchDaemons/corp.sap.privileges.helper.plist
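Since these two files implement the privileged side of the tool, a quick check is that both are regular files owned by root (uid 0) and not writable by group or others. The following script is an added example, not part of the Privileges project; the function names and the root-prefix and uid arguments are chosen here so the check can also be run against a test directory.

```sh
#!/bin/sh
# Added example: audit ownership and write permissions of the helper files.
# audit_file / audit_helper and their arguments are names chosen for this sketch.

# Paths as listed in the text above.
HELPER_FILES="/Library/PrivilegedHelperTools/corp.sap.privileges.helper
/Library/LaunchDaemons/corp.sap.privileges.helper.plist"

audit_file() {
    # $1 = path, $2 = expected owner uid
    if [ -L "$1" ] || [ ! -f "$1" ]; then
        echo "FAIL $1: missing, or not a regular file"
        return 1
    fi
    # ls -ldn is used because stat(1) options differ between macOS and Linux.
    listing=$(ls -ldn "$1") || return 1
    mode=$(printf '%s\n' "$listing" | cut -c1-10)
    uid=$(printf '%s\n' "$listing" | awk '{print $3}')
    rc=0
    if [ "$uid" != "$2" ]; then
        echo "FAIL $1: owner uid $uid, expected $2"
        rc=1
    fi
    # Character 6 of the mode string is group-write, character 9 is other-write.
    case "$mode" in
        ?????w*|????????w*)
            echo "FAIL $1: writable by group or others ($mode)"
            rc=1 ;;
    esac
    if [ "$rc" -eq 0 ]; then
        echo "OK   $1 ($mode, uid $uid)"
    fi
    return "$rc"
}

audit_helper() {
    # $1 = root prefix (empty string on a live system), $2 = expected uid (default 0)
    failures=0
    for f in $HELPER_FILES; do
        audit_file "${1}${f}" "${2:-0}" || failures=$((failures + 1))
    done
    # Return value is the number of files that failed the check.
    return "$failures"
}
```

On a Mac with Privileges installed, `audit_helper ""` checks the live paths and returns the number of files that failed.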
For more information on privilege elevation using a privileged helper app and LaunchDaemon, please see the link below:
This is by design. The icon is green and displays a locked padlock icon when you are a standard user.
Dock icon for macOS Catalina and earlier:
Dock icon for macOS Big Sur:
The icon is yellow and displays an unlocked padlock icon when you are an administrator.
Dock icon for macOS Catalina and earlier:
Dock icon for macOS Big Sur:
No. Admin rights are granted until some process (like running Privileges.app again) takes them away.
Yes. You can use the Toggle Privileges option on the dock icon to get admin rights for a set amount of time (the default is 20 minutes).
To set the amount of time used by the Toggle Privileges option, use the following procedure:
- Launch Privileges.app
- Click on the Privileges menu and select Preferences
- Select the desired amount of time from the available options.
The Lock Screen toggle option locks your screen.
The Login Window toggle option returns you to the Login Window without logging you out.
Privileges.app supports command line use. To use the PrivilegesCLI command line tool, run /Applications/Privileges.app/Contents/Resources/PrivilegesCLI followed by the option you want to use.
The PrivilegesCLI command line tool currently supports the following options:
- /Applications/Privileges.app/Contents/Resources/PrivilegesCLI --add: Adds the logged-in user to the admin group.
- /Applications/Privileges.app/Contents/Resources/PrivilegesCLI --remove: Removes the logged-in user from the admin group.
- /Applications/Privileges.app/Contents/Resources/PrivilegesCLI --status: Displays the current user's privileges.
For assistance, please run the following command to display all available options:
/Applications/Privileges.app/Contents/Resources/PrivilegesCLI
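Because admin rights granted with --add stay in place until something removes them, a script that elevates should always undo the change, including when the wrapped command fails or is interrupted. The following shell function is an added example, not code from the Privileges project; the name with_admin and the PRIVILEGES_CLI override are chosen here, and it assumes PrivilegesCLI exits non-zero when a change fails.

```sh
#!/bin/sh
# Added example, not part of the Privileges project.
# with_admin and the PRIVILEGES_CLI override are names chosen for this sketch.
# Assumption: PrivilegesCLI exits non-zero when a change fails.

# Documented path; overridable so the logic can be exercised against a stub.
PRIVILEGES_CLI="${PRIVILEGES_CLI:-/Applications/Privileges.app/Contents/Resources/PrivilegesCLI}"

with_admin() {
    # Usage: with_admin command [args...]
    if [ "$#" -eq 0 ]; then
        echo "usage: with_admin command [args...]" >&2
        return 2
    fi
    if [ ! -x "$PRIVILEGES_CLI" ]; then
        echo "PrivilegesCLI not found at $PRIVILEGES_CLI" >&2
        return 2
    fi

    # Do not run the command if the grant itself failed.
    if ! "$PRIVILEGES_CLI" --add; then
        echo "could not obtain admin rights" >&2
        return 77
    fi

    # Subshell with an EXIT trap: --remove runs when the command finishes,
    # fails, or is interrupted (INT/TERM are turned into a normal exit).
    rc=0
    (
        trap '"$PRIVILEGES_CLI" --remove || echo "WARNING: --remove failed" >&2' EXIT
        trap 'exit 130' INT TERM
        "$@"
        exit "$?"   # keep the subshell alive (no exec-in-place) so the trap runs
    ) || rc=$?

    # Show the resulting state so the operator can confirm it.
    "$PRIVILEGES_CLI" --status >&2
    return "$rc"
}
```

The function returns the wrapped command's exit status, so it can be used in scripts the same way as the command itself.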
Privileges.app uses the system log for logging. To see all logs for Privileges.app in the Console app, you can filter for the corp.sap.privileges.helper process.
To see only the logging associated with changing admin rights in the Console app, you can filter for log messages containing SAPCorp.
To access the same logs from the command line, the log command can be used. To see all logs for Privileges.app using the log command, the following command can be used:
log show --style syslog --predicate 'process == "corp.sap.privileges.helper"'
To see only the logging associated with changing admin rights, the following command can be used:
log show --style syslog --predicate 'process == "corp.sap.privileges.helper" && eventMessage CONTAINS "SAPCorp"'
- Ensure that your user account has admin rights. If needed, launch Privileges.app one final time to make sure you have them.
- Remove the following files:
/Applications/Privileges.app
/Library/PrivilegedHelperTools/corp.sap.privileges.helper
/Library/LaunchDaemons/corp.sap.privileges.helper.plist
As of Privileges 1.5.0, it is possible to manage settings for Privileges.app or the PrivilegesCLI command line tool using a macOS configuration profile. For more details, please click here.
This project is 'as-is' with no support, no changes being made. You are welcome to make changes to improve it but we are not available for questions or support of any kind.
Found a security-related issue or vulnerability and want to notify us? Please contact us at privileges-security@sap.com
Copyright (c) 2020 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, Version 2.0 except as noted in the LICENSE file.
SUBCOMPONENTS
This project includes the following Apple EvenBetterAuthorizationSample sample code, which is subject to separate license terms.
Your use of the code included in this project is subject to the separate license terms applicable to the Apple sample license code.
- Component: Common.h
- Component: Common.m
- Component: HelperTool.h
- Component: HelperTool.m
For more details, please see the LICENSE file.