Posted on 09-03-2013 09:12 AM
We would like our students to be able to configure / setup "Find My Mac" but they do not have administrative privileges. Has anyone worked through this issue?
The students are using 11" MBAs running 10.8.4 They are required to have a Apple ID (High School Kids)
Any suggestions appreciated.
Thanks in advance for any help you can give.
Sincerely,
Paul Price
System Administrator
Eden Prairie Schools, Eden Prairie MN
Posted on 09-03-2013 12:24 PM
You'll need to edit the /etc/authorization file to include a group that you want to have permission to unlock the Find My Mac features.
See this article for more info on editing the /etc/authorization file:
http://hints.macworld.com/article.php?story=2011081907185974
Here's an Apple Technical Note on the authorization file. While it's about writing your program to use an authorization database, it provides valuable information on how the authorization file is organized: https://developer.apple.com/library/mac/technotes/tn2095/_index.html#//apple_ref/doc/uid/DTS10003110-CH1-SECTION5
Posted on 09-04-2013 09:46 AM
jedi1yoda1,
We have used that method to successfully unlock some other preference panes for non-admins previously, but I don't see anything in the file or the links you suggested that references iCloud or Find My Mac. Can you elaborate?
Brandon Cornwell
Systems Administrator
Eden Prairie Schools
Posted on 09-04-2013 12:30 PM
You need to give them access to the users pane + to manage users. IIRC.
Other than that, you know you can remote wipe a mac via find my mac?
Do you want students to have that access?
Posted on 09-05-2013 01:03 PM
bump
Posted on 09-05-2013 01:41 PM
What about using something like:
http://preyproject.com
I haven't tried deploying/configuring it with Casper, but will be in a couple of weeks...
Posted on 10-09-2014 08:01 AM
pdity,
Have you overcome this in 10.9?
Granting admin rights to non-admin users to use the iCloud pref pane without being prompted for Admin credentials?
Thanks.
Posted on 10-10-2014 05:41 AM
I haven't tried it with "iCloud" in specific, but we use authorizationdb to allow access to Printers, Energy Saver, TM and a few other panels with great success. I don't have a 10.8 machine in front of me, but in 10.9 I'm not sure that an administrative password is required. At least it's not on the one in front of me, but that's a development unit and who know s what I've done to it ;-)
Posted on 10-10-2014 06:07 AM
/etc/authorization in previous versions of OS X is a flat file, in Mavericks it moved to a DB. More info on editing it here:
http://derflounder.wordpress.com/2014/02/16/managing-the-authorization-database-in-os-x-mavericks/
Posted on 10-10-2014 06:37 AM
sengerk,
Pditty and I have had success with unlocking certain pieces of Sys Prefs for non-admins in 10.9, but still not Find My Mac. We can't find anything in the DB file that is tied to changing the state of FMM. The limitations of items in the DB that you have to work with and the lack of info about what some of them even are is frustrating. This is the best info we have been able to find about it:
http://www.dssw.co.uk/reference/authorization-rights/index.html
As you can see, pretty incomplete.
Here is the script I wrote to unlock a couple other things. It is pretty straight forward assuming you can find a property that you need to change in the DB:
#!/bin/bash
# Unlock System Preferences for non admins:
sudo security authorizationdb write system.preferences allow
# Unlock Energy Saver preference pane:
sudo security authorizationdb write system.preferences.energysaver allow
# Unlock Time Machine preference pane:
sudo security authorizationdb write system.preferences.timemachine allow
exit 0
Brandon Cornwell
Systems Administrator
Eden Prairie Schools
Posted on 10-10-2014 07:32 AM
In the link you provided up above (and also referenced by @rtrouton on his blog) I see an authdb right called "com.apple.AOSNotification.FindMyMac.modify" Is that the one you're looking for? Or does that only refer to Notification Center settings? Kind of hard to tell even after exporting the current settings to a plist file.
Posted on 10-10-2014 08:28 AM
I agree - lack of documentation makes it difficult to tell what some of these things are. It seems to me that right only applies to Notification Center. When you dig into its contents you find:
'__APPNAME__ wants to make changes to Find My Mac.',
Posted on 10-14-2014 10:15 AM
Find My Mac - Standard User - Does NOT prompt Standard Users for Admin credentials after running this command in Terminal or using a Script / Policy scoped correctly.
security authorizationdb write com.apple.AOSNotification.FindMyMac.modify allow
After running that command, a Standard User will not be prompted for an Admin username and password when they try to check Find My Mac in the iCloud preference pane.
Posted on 12-10-2019 09:11 PM
@kwsenger 5yrs on and that works in Mojave - thank you!