- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-29-2013 06:25 AM
Guys, I'm trying to allow users to with managed, mobile accounts to add network interfaces without authenticating as admin.
Specifically, I have Students with MacBook Airs that need to use Thunderbolt to Ethernet Adapters. They can "add" the interface with no problem, but when they click Apply, it requires Admin credentials.
Any ideas?
Solved! Go to Solution.

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-29-2013 10:59 AM
There may be an easier way to do this, but here is how I would do it:
cp -pr /etc/authorization /private/tmp/authorization
#Make all network users a part of the lpadmin group
dseditgroup -o edit -n /Local/Default -a Domain Users -t group lpadmin
# Unlock the Network Settings preference pane for the lpadmin group
/usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.network:group lpadmin' /private/tmp/authorization
#Change network settings to allow lpadmin to make network changes
/usr/libexec/PlistBuddy -c 'Set :rights:system.services.systemconfiguration.network:rule root-or-lpadmin' /private/tmp/authorization
/bin/mv /private/tmp/authorization /etc/authorization
chown root /etc/authorization
chown :wheel /etc/authorization

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-29-2013 12:32 PM
PlistBuddy is/should be installed by default unless your Macs are running a very old version of OS X.
But it has to be specified with the full path because its in /usr/libexec, so as long as you call it in the script like
/usr/libexec/PlistBuddy
you should be fine
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-29-2013 09:55 AM
You can probably edit a key in this file to allow everyone to add a new network interface
/private/etc/authorization

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-29-2013 10:59 AM
There may be an easier way to do this, but here is how I would do it:
cp -pr /etc/authorization /private/tmp/authorization
#Make all network users a part of the lpadmin group
dseditgroup -o edit -n /Local/Default -a Domain Users -t group lpadmin
# Unlock the Network Settings preference pane for the lpadmin group
/usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.network:group lpadmin' /private/tmp/authorization
#Change network settings to allow lpadmin to make network changes
/usr/libexec/PlistBuddy -c 'Set :rights:system.services.systemconfiguration.network:rule root-or-lpadmin' /private/tmp/authorization
/bin/mv /private/tmp/authorization /etc/authorization
chown root /etc/authorization
chown :wheel /etc/authorization
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-29-2013 12:25 PM
Thanks for the help.
I've seen a lot of scripts that use PlistBuddy around here, but I don't think any of our machines have it installed. Is that something that I could install remotely?
...making a long list of things to accomplish at imaging next summer :)

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-29-2013 12:32 PM
PlistBuddy is/should be installed by default unless your Macs are running a very old version of OS X.
But it has to be specified with the full path because its in /usr/libexec, so as long as you call it in the script like
/usr/libexec/PlistBuddy
you should be fine
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-29-2013 12:54 PM
that just changed my life. Now off to testing.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-18-2014 06:59 AM
humm no success with Mavericks 10.9.2 :( any idea?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-18-2014 08:49 AM
I was struggling with 10.9 as well - apparently Apple removed the /etc/authorization file and replaced with a new SQLite3 database located at /var/db/auth.d. I came across this reading for solutions:
– http://www.afp548.com/2013/10/22/modifying-the-os-x-mavericks-authorization-database/
– https://jamfnation.jamfsoftware.com/discussion.html?id=8900

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-18-2014 09:19 AM
I've also got a post on modifying the authorization database in Mavericks. It's available from here:
http://derflounder.wordpress.com/2014/02/16/managing-the-authorization-database-in-os-x-mavericks/

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-02-2014 02:43 PM
Hi @[rtrouton](rtrouton),
Thanks for the genius post!
I, however am facing another issue. I have the following command in my post install script, still after installation of OS and this script, when I click on Network Preferences I get prompt - 'A new network interface has been detected'. Unfortunately I can't find any post anywhere to fix this.
#First I have the following line:
networksetup -setnetworkserviceenabled "Thunderbolt Bridge" "off"
#and then I have done following lines as well to give access to users on Network Preferences, which seems working well.
security authorizationdb write system.preferences.network allow
security authorizationdb write system.services.systemconfiguration.network allow
