Allow non admin users to change date and time on Ventura/Sonoma

cosminnita
New Contributor II

Hi all,

 

We are pushing a script to allow users to change date and time as below:

##Allow User to Change Time

security authorizationdb write system.preferences allow
security authorizationdb write system.preferences.dateandtime.changetimezone allow
security authorizationdb write system.preferences.datetime authenticate-session-owner-or-admin

 

This was working fine until now, but it stopped. Did apple changed the preference settings?

 

5 REPLIES 5

danlaw777
Contributor III

you would think that their time would just be correct...we're having this issue too

AJPinto
Honored Contributor III

With how things have been changing with NIST, I could see apple blocking this. One of the NIST guidelines is to ensure time is set securely for SIEM logging. Allowing users to change time at their own discretion breaks timelines on event logging.

Bol
Valued Contributor

lol gold. I've just confirmed this works on 14.4, specifically this line;
security authorizationdb write system.preferences.datetime allow

I couldn't find a key that exists (anymore?) for: system.preferences.dateandtime.changetimezone
Good reference https://www.dssw.co.uk/reference/authorization-rights/system-preferences-datetime

Your last command uses a rule that requires auth of either standard or admin user eg. authenticate-session-owner-or-admin which contradicts the previous allow line? i think.

Anyway, see if this works the way you intended, all ok in my environment with the example lines below;
security authorizationdb write system.preferences allow
security authorizationdb write system.preferences.datetime allow
security authorizationdb write system.preferences.printing allow

cosminnita
New Contributor II

i think it may be the CIS Level 1 blocking this 

Bol
Valued Contributor

This didn’t work!?

security authorizationdb write system.preferences allow 
security authorizationdb write system.preferences.datetime allow
security authorizationdb write system.preferences.dateandtime.changetimezone allow
security authorizationdb write system.preferences.datetime authenticate-session-owner-or-admin
security authorizationdb write system.settings.datetime allow