Question

Admin Privileges for Xcode

Forum|Forum|1 year ago
August 30, 2024
4 replies
244 views

+3

jamesacoker
New Contributor

We have historically given users who teach in Xcode the "Privileges" app from SAP because they insist that they need to run every update that comes out from Apple. Recently we noticed that one user has been abusing this app and installing various unapproved applications without going through IT first. We are wanting to see if there is a way that we can give a standard user the ability to run updates on Xcode only without having administrative privileges to do anything else or install any other applications.

It looks like, in the past, a device (or user maybe?) could have been put into a Developer group which would allow them access to do things in Xcode that a standard user wouldn't, but still not be an admin. From what I have read, this doesn't seem to still be a possibility. Does anyone know if there is a guide to allow this? Or are we stuck using the Privileges app or someone from IT manually entering the admin credentials every time there is an update?

+26

AJPinto
Legendary Contributor
Forum|Forum|1 year ago
August 30, 2024

Just deploy Xcode updates with Jamf, in the Mac App Store Policy check the box to force updates for the app. There is also a configuration profile that allows non-admins to update Appstore apps.

There are still some functions that need admin access for xcode, but adding users to the _developer local group can mitigate some of that.

Like

A

+7

a_hebert
Contributor
Forum|Forum|1 year ago
August 30, 2024

I use a script like this for my non admin users and XCode. Havent tested the ability to update yet so that might be something to try. Here is the scirpt

#!/bin/bash

#identify and add currently logged in user to the developer group

currentUser=$(`ls -la /dev/console | awk '{print $3}'`)

dscl . append /Groups/_developer GroupMembership "$currentUser"
sleep .5
DevToolsSecurity -enable
sleep .5
#install Xcode command line tools

xcode-select --install

sleep .5
#install additional Xcode applications and accept the license

/Applications/Xcode.app/Contents/Developer/usr/bin/xcodebuild -license accept
sleep .5
installer -pkg /Applications/Xcode.app/Contents/Resources/Packages/MobileDevice.pkg -target /
sleep .5
installer -pkg /Applications/Xcode.app/Contents/Resources/Packages/MobileDeviceDevelopment.pkg -target /
sleep .5
installer -pkg /Applications/Xcode.app/Contents/Resources/Packages/CoreTypes.pkg -target /
sleep .5
installer -pkg /Applications/Xcode.app/Contents/Resources/Packages/XcodeSystemResources.pkg -target /

Like

+26

AJPinto
Legendary Contributor
Forum|Forum|1 year ago
August 30, 2024

Just deploy Xcode updates with Jamf, in the Mac App Store Policy check the box to force updates for the app. There is also a configuration profile that allows non-admins to update Appstore apps.

There are still some functions that need admin access for xcode, but adding users to the _developer local group can mitigate some of that.

@a_hebert providing their script it inspired me to dig my script up lol.

Apple added a workflow for _developer group some time back, and made no documentation about it. Several of the checks in Xcode are looking for the user to be a member of administrators or _developer. This is one of the many workflows in Apple software you just have to figure out unfortunately.

#!/bin/bash
#*=============================================================================  
#* Script Name: Xcode_Developer_GroupPrivilege
#* Created: 
#* Author: 
#*=============================================================================  
#* Purpose: 
#*      - Remap the authorization policies so members of the _developer group
#*      - Add $ActiveUser to _developer
#*=============================================================================
#* GLOBAL VARIABLE  
#*=============================================================================  
DIV1='echo ####################################################################'
DIV2='echo --------------------------------------------------------------------'
DIV3='echo ....................................................................'
ActiveUserID=`/bin/ls -l /dev/console \\
    | /usr/bin/awk '{ print $3 }'`
ActiveUser=`/bin/ls -l /dev/console \\
    | /usr/bin/awk '{ print $3 }' \\
    | tr "[a-z]" "[A-Z]"`
ActiveUserRealName=`dscl . -read /Users/$ActiveUser \\
    | grep RealName: \\
    | cut -c11-`
if [[ -z $ActiveUserRealName ]]; then
    ActiveUserRealName=`dscl . -read /Users/$ActiveUser \\
    | awk '/^RealName:/,/^RecordName:/' \\
    |sed -n 2p | cut -c 2-`
fi
#*=============================================================================  
#* BODY 
#*=============================================================================  
# Remap the authorization policies for _developer group
echo "Remaping authorization policies for _developer group"
sudo DevToolsSecurity -enable
$DIV3

# Checking for User ID in _developer group
echo "Checking group membership for _developer"
GroupMembershipCheck=$(sudo dscl . read /Groups/_developer | grep "$ActiveUserID")

if [ -z $GroupMembershipCheck ]; then 
    echo "...User id ($ActiveUserID) was not found in _developer group"
    echo "...Proceeding to add user $ActiveUserID to _developer group"

    # Add ActiveUser id to the _developer group
    echo "...Append $ActiveUserID to _developer group"
    sudo dscl . append /Groups/_developer GroupMembership $ActiveUserID
else
    echo "...User id ($ActiveUserID) already in _developer group"
    echo "...No further action needed"
    exit
fi
$DIV3
#*=============================================================================  
#* END 
#*=============================================================================

Like

+2

MemnochTheRed
Contributor
Forum|Forum|25 days ago
November 4, 2025

Just cleaning up previous scripting so it is easy to copy and read.

#!/bin/zsh --no-rcs

#*=======================================================
#* Script Name: Xcode_Developer_GroupPrivilege #* Created: #* Author:
#* Purpose:
#* - Remap the authorization policies so members of the _developer group
#* - Add $ActiveUser to _developer
#*=======================================================
#* GLOBAL VARIABLE
#*=======================================================
DIV1='echo ####################################################################'
DIV2='echo --------------------------------------------------------------------'
DIV3='echo ....................................................................'
ActiveUserID=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')
ActiveUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }'| tr "[a-z]" "[A-Z]")
ActiveUserRealName=$(dscl . -read /Users/$ActiveUser| grep RealName:| cut -c11-)
if [[ -z $ActiveUserRealName ]]; then
	ActiveUserRealName=$(dscl . -read /Users/$ActiveUser| awk '/^RealName:/,/^RecordName:/'| sed -n 2p | cut -c 2-)
fi
#*=======================================================
#* BODY
#*=======================================================
# Remap the authorization policies for _developer group
echo "Remaping authorization policies for _developer group"
sudo DevToolsSecurity -enable
$DIV3
# Checking for User ID in _developer group
echo "Checking group membership for _developer"
GroupMembershipCheck=$(sudo dscl . read /Groups/_developer | grep "$ActiveUserID")
if [[ -z $GroupMembershipCheck ]]; then
	echo "...User id ($ActiveUserID) was not found in _developer group"
	echo "...Proceeding to add user $ActiveUserID to _developer group"
	# Add ActiveUser id to the _developer group
	echo "...Append $ActiveUserID to _developer group"
	sudo dscl . append /Groups/_developer GroupMembership $ActiveUserID
else
	echo "...User id ($ActiveUserID) already in _developer group"
	echo "...No further action needed"
	exit
fi
$DIV3
#*=======================================================
#* END
#*=======================================================

Like

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded