+3Guys, I'm trying to allow users to with managed, mobile accounts to add network interfaces without authenticating as admin.
Specifically, I have Students with MacBook Airs that need to use Thunderbolt to Ethernet Adapters. They can "add" the interface with no problem, but when they click Apply, it requires Admin credentials.
Any ideas?
Best answer by colonelpanic
There may be an easier way to do this, but here is how I would do it:
cp -pr /etc/authorization /private/tmp/authorization
#Make all network users a part of the lpadmin group
dseditgroup -o edit -n /Local/Default -a Domain Users -t group lpadmin
# Unlock the Network Settings preference pane for the lpadmin group
/usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.network:group lpadmin' /private/tmp/authorization
#Change network settings to allow lpadmin to make network changes
/usr/libexec/PlistBuddy -c 'Set :rights:system.services.systemconfiguration.network:rule root-or-lpadmin' /private/tmp/authorization
/bin/mv /private/tmp/authorization /etc/authorization
chown root /etc/authorization
chown :wheel /etc/authorization
+1You can probably edit a key in this file to allow everyone to add a new network interface
/private/etc/authorization
+7There may be an easier way to do this, but here is how I would do it:
cp -pr /etc/authorization /private/tmp/authorization
#Make all network users a part of the lpadmin group
dseditgroup -o edit -n /Local/Default -a Domain Users -t group lpadmin
# Unlock the Network Settings preference pane for the lpadmin group
/usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.network:group lpadmin' /private/tmp/authorization
#Change network settings to allow lpadmin to make network changes
/usr/libexec/PlistBuddy -c 'Set :rights:system.services.systemconfiguration.network:rule root-or-lpadmin' /private/tmp/authorization
/bin/mv /private/tmp/authorization /etc/authorization
chown root /etc/authorization
chown :wheel /etc/authorization
+3Thanks for the help.
I've seen a lot of scripts that use PlistBuddy around here, but I don't think any of our machines have it installed. Is that something that I could install remotely?
...making a long list of things to accomplish at imaging next summer :)
+24PlistBuddy is/should be installed by default unless your Macs are running a very old version of OS X.
But it has to be specified with the full path because its in /usr/libexec, so as long as you call it in the script like
/usr/libexec/PlistBuddyyou should be fine
+16I was struggling with 10.9 as well - apparently Apple removed the /etc/authorization file and replaced with a new SQLite3 database located at /var/db/auth.d. I came across this reading for solutions:
– http://www.afp548.com/2013/10/22/modifying-the-os-x-mavericks-authorization-database/
– https://jamfnation.jamfsoftware.com/discussion.html?id=8900
+31I've also got a post on modifying the authorization database in Mavericks. It's available from here:
http://derflounder.wordpress.com/2014/02/16/managing-the-authorization-database-in-os-x-mavericks/
+4Hi @[rtrouton](rtrouton),
Thanks for the genius post!
I, however am facing another issue. I have the following command in my post install script, still after installation of OS and this script, when I click on Network Preferences I get prompt - 'A new network interface has been detected'. Unfortunately I can't find any post anywhere to fix this.
#First I have the following line:
networksetup -setnetworkserviceenabled "Thunderbolt Bridge" "off"
#and then I have done following lines as well to give access to users on Network Preferences, which seems working well.
security authorizationdb write system.preferences.network allow
security authorizationdb write system.services.systemconfiguration.network allow
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
