Allow Security Preference Pane non admin

tkimpton
Valued Contributor II

Hi all

Has anyone been able to unlock the security preference pane as a non admin ?

i have tried different combinations but cannot get it unlocked including:

security authorizationdb write system.preferences allow

security authorizationdb write system.preferences.security allow

5 REPLIES 5

tkimpton
Valued Contributor II

this is for 10.11.6

ericbenfer
Contributor III

You cannot configure the security preference pane for that.
You can configure some preference panes to be unlocked by non-admin users.

In my testing these are the preference panes you can configure to allow access by non-admin users:
Energy Saver Prefs
Printing Prefs
Date and Time Prefs
Startup Disk Prefs
Time Machine Prefs
Network Prefs

Here is an example of how to enable non-admin access to energy saver and printing prefs.

#!/bin/sh
# This must be set to if you are going to allow non-admin access to any of the preference panes.
/usr/bin/security authorizationdb read  system.preferences > /tmp/system.preferences.plist
/usr/bin/defaults write /tmp/system.preferences.plist group everyone
/usr/bin/security authorizationdb write system.preferences < /tmp/system.preferences.plist
#
# enable non-admin access to the energy saver prefs
/usr/bin/security authorizationdb read  system.preferences.energysaver > /tmp/system.preferences.energysaver.plist
/usr/bin/defaults write /tmp/system.preferences.energysaver.plist group everyone
/usr/bin/security authorizationdb write system.preferences.energysaver < /tmp/system.preferences.energysaver.plist
#
# enable non-admin access to the printing prefs
/usr/bin/security authorizationdb read  system.preferences.printing > /tmp/system.preferences.printing.plist
/usr/bin/defaults write /tmp/system.preferences.printing.plist group everyone
/usr/bin/security authorizationdb write system.preferences.printing < /tmp/system.preferences.printing.plist
# You must also add everyone to the lpadmin group
/usr/sbin/dseditgroup -o edit -n /Local/Default -a "everyone" -t group lpadmin

For details on the "security authorizationdb" command see Rich Trouton's blog.
http://derflounder.wordpress.com/2014/02/16/managing-the-authorization-database-in-os-x-mavericks/

Eric

tkimpton
Valued Contributor II

@ericbenfer thanks for the information :)

thomH
New Contributor III

This post also addressed this issue very well: (https://scriptingosx.com/2018/05/demystifying-root-on-macos-part-4-the-authorization-database/)

darshanp
New Contributor

@tkimpton did you find a way to set system.preferences.security to be accessed my non admins?
I'm mostly after unlocking Accessibility under Privacy as certain apps need that permission to function.