Posted on 03-18-2024 02:34 AM
Hi all,
We are pushing a script to allow users to change date and time as below:
##Allow User to Change Time
security authorizationdb write system.preferences allow
security authorizationdb write system.preferences.dateandtime.changetimezone allow
security authorizationdb write system.preferences.datetime authenticate-session-owner-or-admin
This was working fine until now, but it stopped. Did Apple change the preference settings?
Posted on 03-18-2024 04:56 AM
You would think that their time would just be correct... we're having this issue too.
Posted on 03-18-2024 05:32 AM
With how things have been changing with NIST, I could see Apple blocking this. One of the NIST guidelines is to ensure time is set securely for SIEM logging. Allowing users to change time at their own discretion breaks timelines on event logging.
Posted on 03-18-2024 07:34 AM
lol gold. I've just confirmed this works on 14.4, specifically this line:
security authorizationdb write system.preferences.datetime allow
I couldn't find a key that exists (anymore?) for: system.preferences.dateandtime.changetimezone
Good reference https://www.dssw.co.uk/reference/authorization-rights/system-preferences-datetime
Your last command uses a rule that requires auth of either a standard or admin user, e.g. authenticate-session-owner-or-admin, which contradicts the previous allow line? I think.
Anyway, see if this works the way you intended, all OK in my environment with the example lines below:
security authorizationdb write system.preferences allow
security authorizationdb write system.preferences.datetime allow
security authorizationdb write system.preferences.printing allow
Posted on 03-18-2024 07:35 AM
I think it may be the CIS Level 1 blocking this.
03-18-2024 03:00 PM - edited 03-18-2024 03:18 PM
This didn’t work!?
security authorizationdb write system.preferences allow
security authorizationdb write system.preferences.datetime allow
security authorizationdb write system.preferences.dateandtime.changetimezone allow
security authorizationdb write system.preferences.datetime authenticate-session-owner-or-admin
security authorizationdb write system.settings.datetime allow
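
An added example, not part of any post in this thread: a read-back check that reports what the authorization database actually holds for each right named above, using `security authorizationdb read`. It assumes Python 3 is installed on the Mac; the two sample plists are constructed for illustration, and the function names are hypothetical.

```python
import plistlib
import subprocess

# Constructed samples of `security authorizationdb read <right>` output.
SAMPLE_ALLOW = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>class</key><string>rule</string>
<key>rule</key><array><string>allow</string></array>
</dict></plist>"""
SAMPLE_ADMIN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>class</key><string>user</string>
<key>group</key><string>admin</string>
</dict></plist>"""

RIGHTS = [  # the rights written in the thread
    "system.preferences",
    "system.preferences.datetime",
    "system.preferences.dateandtime.changetimezone",
    "system.settings.datetime",
]

def summarize(plist_bytes):
    """Return (class, detail) for one right definition."""
    d = plistlib.loads(plist_bytes.strip())
    cls = d.get("class", "")
    if cls == "rule":
        rule = d.get("rule", [])
        if isinstance(rule, str):  # tolerate a single string
            rule = [rule]
        return cls, ",".join(rule)
    if cls == "user":
        return cls, "group=" + d.get("group", "?")
    return cls, ""

def read_right(right):
    """Read one right; None when no definition comes back."""
    p = subprocess.run(["security", "authorizationdb", "read", right],
                       capture_output=True)
    if p.returncode != 0 or not p.stdout.strip():
        return None
    return p.stdout

def audit(rights, reader=read_right):
    """Map each right to its stored definition, or 'missing'."""
    report = {}
    for r in rights:
        raw = reader(r)
        report[r] = summarize(raw) if raw else ("missing", "")
    return report

if __name__ == "__main__":
    for right, (cls, detail) in audit(RIGHTS).items():
        print(f"{right}: {cls} {detail}".rstrip())
```

Run it before and after the script: each `security authorizationdb write` replaces the stored definition for that right, so only the last rule written to a given right shows up, and a right reported as missing has no definition to read on that macOS version.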