Posted on 12-18-2024 07:57 AM
We are on Jamf Now and I have added SAP Privileges to all the devices to allow my team to make themselves an admin. This is installed via the App Installer and added to the device Blueprint. It was working well, but I think recently it automatically updated to version 2.0 of Privileges, and now has stopped allowing users to escalate themselves to admin - everyone is stuck as a standard user.
I suspect this is because the new 2.0 upgrade needed to reinstall the Helper tool, but when it auto-updated the users were all in standard access mode. And now we are stuck with no way to change this. Is there a way to prompt Jamf to install the Helper tool so that Privileges will work again?
Posted on 12-18-2024 08:51 AM
There are updated configuration profile options for version 2. It's outlined here: https://github.com/SAP/macOS-enterprise-privileges/wiki/Managing-Privileges
Posted on 12-20-2024 01:54 AM
@daniel_behan Thanks for this. I am finding the docs a bit confusing to be honest. I can see a set of example Profiles, which I have one in place that matches the parameters in these. Then at the bottom there is an entirely different Profile, with a bunch of parameters I don't see documented anywhere. Do you know if there is documentation for this somewhere?
Posted on 12-20-2024 05:06 AM
I'd need to know how your version 1 was set up. The big difference is there's no Helper Tool in /Library/PrivilegedHelperTools. So if it's still there, it's a remnant of version 1. I'd compare your original config profile with the new examples and look for items that can be swapped. For me DockToggleTimeout changed to ExpirationInterval, which was the biggest difference. I only have the app deployed to members of a specific group, so I didn't need to change any settings related to user or group limitations.
Monday
I am still struggling with this to be honest. I have copied over one of the example profiles from the repo and loaded that, but still not working. Would you be willing to share the profile you are using?
Monday
Here's my Version 2 Configuration Profile. I'm exporting logs to a SIEM, so I have settings for that there. Once again, I don't know how you had version 1 configured, but there are no more Privileged Helper tools.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ExpirationInterval</key>
    <integer>30</integer>
    <key>RequireAuthentication</key>
    <true/>
    <key>AllowCLIBiometricAuthentication</key>
    <true/>
    <key>RevokePrivilegesAtLogin</key>
    <true/>
    <key>ReasonRequired</key>
    <true/>
    <key>ReasonMinLength</key>
    <integer>10</integer>
    <key>HideSettingsButton</key>
    <true/>
    <key>RemoteLogging</key>
    <dict>
        <key>EnableTCP</key>
        <false/>
        <key>ServerAddress</key>
        <string>Your Server Here</string>
        <key>ServerPort</key>
        <integer>Your Port Here</integer>
        <key>ServerType</key>
        <string>syslog</string>
        <key>SyslogOptions</key>
        <dict>
            <key>LogFacility</key>
            <integer>Your Facility Here</integer>
            <key>LogSeverity</key>
            <integer>Your Severity Here</integer>
            <key>MaximumMessageSize</key>
            <integer>Your Maximum Size Here</integer>
        </dict>
    </dict>
</dict>
</plist>
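A pre-upload check for a profile like the one shared above, as an added example that is not part of the original post or of the Privileges project: it flags template placeholders left inside integer elements, which make the plist invalid, and the version 1 key name this thread reports as renamed. The function name and the sample profiles are constructed for illustration.

```python
import plistlib
import re

# Key rename reported in this thread (version 1 name -> version 2 name).
RENAMED_KEYS = {"DockToggleTimeout": "ExpirationInterval"}
# A <key> directly followed by an <integer>, capturing the raw integer text.
_INT_ELEMENT = re.compile(r"<key>([^<]+)</key>\s*<integer>([^<]*)</integer>")


def audit_profile(xml_text):
    """Return a list of findings for a Privileges settings plist (empty = clean)."""
    findings = []
    # 1. Template placeholders left inside <integer> make the plist invalid.
    for key, raw in _INT_ELEMENT.findall(xml_text):
        if not re.fullmatch(r"\s*-?\d+\s*", raw):
            findings.append(f"{key}: <integer> holds {raw.strip()!r}, not a number")
    if findings:
        return findings  # the plist parser would reject the document anyway
    try:
        settings = plistlib.loads(xml_text.encode("utf-8"))
    except Exception as exc:  # malformed XML or plist structure
        return [f"plist does not parse: {exc}"]
    if not isinstance(settings, dict):
        return ["top-level plist object is not a dict"]
    # 2. Version 1 key names that a version 2 profile should no longer carry.
    for old, new in RENAMED_KEYS.items():
        if old in settings:
            findings.append(f"{old}: version 1 key, replace with {new}")
    return findings


def _wrap(body):
    """Wrap a fragment of keys in a minimal plist document (sample helper)."""
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<plist version="1.0"><dict>' + body + '</dict></plist>')


# Constructed sample inputs, not taken from any real deployment.
SAMPLE_TEMPLATE = _wrap(
    "<key>ExpirationInterval</key><integer>30</integer>"
    "<key>RemoteLogging</key><dict><key>ServerPort</key>"
    "<integer>Your Port Here</integer></dict>")
SAMPLE_V1 = _wrap("<key>DockToggleTimeout</key><integer>30</integer>")
SAMPLE_OK = _wrap("<key>ExpirationInterval</key><integer>30</integer>")

if __name__ == "__main__":
    for name, doc in (("template", SAMPLE_TEMPLATE), ("v1", SAMPLE_V1), ("ok", SAMPLE_OK)):
        print(name, audit_profile(doc))
```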
Tuesday
Many thanks for all your help Daniel. Today it updated to version 2.1.0 of the Privileges app, and all seems to have resolved itself!