Admin Privileges for Xcode

jamesacoker
New Contributor

We have historically given users who teach in Xcode the "Privileges" app from SAP because they insist that they need to run every update that comes out from Apple. Recently we noticed that one user has been abusing this app and installing various unapproved applications without going through IT first. We want to see if there is a way that we can give a standard user the ability to run updates on Xcode only, without having administrative privileges to do anything else or install any other applications.

It looks like, in the past, a device (or user, maybe?) could have been put into a Developer group which would allow them access to do things in Xcode that a standard user wouldn't, but still not be an admin. From what I have read, this doesn't seem to still be a possibility. Does anyone know if there is a guide to allow this? Or are we stuck using the Privileges app, or someone from IT manually entering the admin credentials every time there is an update?


AJPinto
Honored Contributor III

Just deploy Xcode updates with Jamf: in the Mac App Store policy, check the box to force updates for the app. There is also a configuration profile that allows non-admins to update App Store apps.

There are still some functions that need admin access for Xcode, but adding users to the _developer local group can mitigate some of that.

AJPinto
Honored Contributor III

@a_hebert providing their script inspired me to dig my script up lol.

Apple added a workflow for the _developer group some time back and wrote no documentation about it. Several of the checks in Xcode look for the user to be a member of administrators or _developer. This is one of the many workflows in Apple software you just have to figure out, unfortunately.


#!/bin/bash
#*=============================================================================  
#* Script Name: Xcode_Developer_GroupPrivilege
#* Created: 
#* Author: 
#*=============================================================================  
#* Purpose: 
#*      - Remap the authorization policies so members of the _developer group
#*      - Add $ActiveUser to _developer
#*=============================================================================
#* GLOBAL VARIABLE  
#*=============================================================================  
DIV3='echo ....................................................................'
# Short name of the user logged in at the console (the owner of /dev/console).
# The upper-cased copy and the RealName lookup in the earlier version were
# never used, so they are gone; the name is used as-is for the dscl calls.
ActiveUser=$(/usr/bin/stat -f%Su /dev/console)
if [[ -z "$ActiveUser" || "$ActiveUser" == "root" ]]; then
    echo "No console user logged in; nothing to do"
    exit 1
fi
# dscl writes and DevToolsSecurity need root (a Jamf policy already runs as root,
# so no sudo is needed inside the script)
if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root"
    exit 1
fi
#*=============================================================================  
#* BODY 
#*=============================================================================  
# Remap the authorization policies for _developer group
echo "Remapping authorization policies for _developer group"
/usr/sbin/DevToolsSecurity -enable
$DIV3

# Checking for the user in the _developer group. The membership line looks like
# "GroupMembership: alice bob"; split it on spaces and match the whole name, so
# that a user called "ann" is not reported as present because "annette" is.
echo "Checking group membership for _developer"
if /usr/bin/dscl . -read /Groups/_developer GroupMembership 2>/dev/null \
    | /usr/bin/tr ' ' '\n' \
    | /usr/bin/grep -qx "$ActiveUser"; then
    echo "...User ($ActiveUser) already in _developer group"
    echo "...No further action needed"
else
    echo "...User ($ActiveUser) was not found in _developer group"
    echo "...Proceeding to add user $ActiveUser to _developer group"

    # Add the console user to the _developer group
    echo "...Append $ActiveUser to _developer group"
    /usr/bin/dscl . -append /Groups/_developer GroupMembership "$ActiveUser"
fi
$DIV3
#*=============================================================================  
#* END 
#*============================================================================= 

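Since the original question is about one user going beyond what was approved, the mirror image of the two scripts in this thread is a check that reports who is in _developer and whether developer mode is on. The script below is an added example, not code from any post here: the parsers take the command output as plain text, so the constructed sample at the bottom runs on any machine, and the `--live` flag collects the real output on a Mac. The `APPROVED_DEVELOPERS` allowlist is this example's own convention (it would normally come from the MDM), and the exact output formats of `dscl . -read` and `DevToolsSecurity -status` are assumed from their usual behaviour.

```shell
#!/bin/bash
# Added example (not from the thread): audit the _developer group against an
# approved list and report whether DevToolsSecurity (developer mode) is enabled.
# Parsing works on text so the constructed sample below runs offline; pass
# --live on macOS (as root) to audit the real system instead.

# Parse the output of `dscl . -read /Groups/_developer GroupMembership`
# ("GroupMembership: alice bob"; "No such key: ..." when the group is empty)
# into one member per line.
parse_group_members() {
    printf '%s\n' "$1" | awk '/^GroupMembership:/ { for (i = 2; i <= NF; i++) print $i }'
}

# Parse the output of `DevToolsSecurity -status`
# (assumed format: "Developer mode is currently enabled.") into one word.
parse_devtools_status() {
    case "$1" in
        *"currently enabled"*)  echo enabled ;;
        *"currently disabled"*) echo disabled ;;
        *)                      echo unknown ;;
    esac
}

# Print every member (one per line in $1) that is not in the space-separated
# approved list $2. Returns 1 when at least one unexpected member was found.
unexpected_members() {
    local members="$1" approved=" $2 " rc=0 m
    for m in $members; do
        case "$approved" in
            *" $m "*) ;;
            *) echo "$m"; rc=1 ;;
        esac
    done
    return $rc
}

# Human-readable report; returns 0 only when membership matches the allowlist.
audit_report() {
    local dscl_out="$1" status_out="$2" approved="$3" rc=0 bad
    echo "DevToolsSecurity: $(parse_devtools_status "$status_out")"
    bad=$(unexpected_members "$(parse_group_members "$dscl_out")" "$approved") || rc=1
    if [ "$rc" -eq 0 ]; then
        echo "_developer membership matches the approved list ($approved)"
    else
        echo "Unapproved _developer members: $(printf '%s' "$bad" | tr '\n' ' ')"
    fi
    return $rc
}

# Constructed sample output standing in for the two macOS commands, plus an
# assumed allowlist; "mallory" is deliberately not approved.
SAMPLE_DSCL='GroupMembership: alice bob mallory'
SAMPLE_STATUS='Developer mode is currently enabled.'
APPROVED_DEVELOPERS='alice bob'

if [ "${1:-}" = "--live" ]; then
    # Real collection on macOS; the exit status is 1 when drift is found,
    # which is convenient for a Jamf extension attribute or a cron job.
    audit_report "$(dscl . -read /Groups/_developer GroupMembership 2>&1)" \
                 "$(DevToolsSecurity -status 2>&1)" "$APPROVED_DEVELOPERS"
    exit $?
else
    # Offline demonstration on the constructed sample (reports mallory).
    audit_report "$SAMPLE_DSCL" "$SAMPLE_STATUS" "$APPROVED_DEVELOPERS" || true
fi
```

Run without arguments to see the report on the sample data; run `sudo ./audit_developer.sh --live` on a managed Mac to check the real group. Matching whole names rather than substrings matters here for the same reason as in the membership check above: a plain `grep` for a short user name would silently accept a longer one that contains it.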
a_hebert
Contributor

I use a script like this for my non-admin users and Xcode. Haven't tested the ability to update yet, so that might be something to try. Here is the script:

#!/bin/bash

#identify and add currently logged in user to the developer group
# (the owner of /dev/console; the earlier $(`...`) form ran the user name as a command)
currentUser=$(/usr/bin/stat -f%Su /dev/console)

# append only when the user is not already listed, so repeated runs do not
# add duplicate entries to the group
if ! dscl . -read /Groups/_developer GroupMembership 2>/dev/null | tr ' ' '\n' | grep -qx "$currentUser"; then
    dscl . append /Groups/_developer GroupMembership "$currentUser"
fi
sleep .5
DevToolsSecurity -enable
sleep .5
#install Xcode command line tools

xcode-select --install

sleep .5
#install additional Xcode applications and accept the license

/Applications/Xcode.app/Contents/Developer/usr/bin/xcodebuild -license accept
sleep .5
installer -pkg /Applications/Xcode.app/Contents/Resources/Packages/MobileDevice.pkg -target /
sleep .5
installer -pkg /Applications/Xcode.app/Contents/Resources/Packages/MobileDeviceDevelopment.pkg -target /
sleep .5
installer -pkg /Applications/Xcode.app/Contents/Resources/Packages/CoreTypes.pkg -target /
sleep .5
installer -pkg /Applications/Xcode.app/Contents/Resources/Packages/XcodeSystemResources.pkg -target /