Configuring "Find my Mac" without Admin Rights

pditty
New Contributor

We would like our students to be able to configure / setup "Find My Mac" but they do not have administrative privileges. Has anyone worked through this issue?

The students are using 11" MBAs running 10.8.4 They are required to have a Apple ID (High School Kids)

Any suggestions appreciated.

Thanks in advance for any help you can give.
Sincerely,

Paul Price
System Administrator
Eden Prairie Schools, Eden Prairie MN

13 REPLIES 13

jedi1yoda1
New Contributor III

You'll need to edit the /etc/authorization file to include a group that you want to have permission to unlock the Find My Mac features.

See this article for more info on editing the /etc/authorization file:
http://hints.macworld.com/article.php?story=2011081907185974

Here's an Apple Technical Note on the authorization file. While it's about writing your program to use an authorization database, it provides valuable information on how the authorization file is organized: https://developer.apple.com/library/mac/technotes/tn2095/_index.html#//apple_ref/doc/uid/DTS10003110-CH1-SECTION5

bcornwell
New Contributor III

jedi1yoda1,

We have used that method to successfully unlock some other preference panes for non-admins previously, but I don't see anything in the file or the links you suggested that references iCloud or Find My Mac. Can you elaborate?

Brandon Cornwell
Systems Administrator
Eden Prairie Schools

bentoms
Release Candidate Programs Tester

You need to give them access to the users pane + to manage users. IIRC.

Other than that, you know you can remote wipe a mac via find my mac?

Do you want students to have that access?

pditty
New Contributor

bump

RobertHammen
Valued Contributor II

What about using something like:

http://preyproject.com

I haven't tried deploying/configuring it with Casper, but will be in a couple of weeks...

kwsenger
Contributor

pdity,

Have you overcome this in 10.9?
Granting admin rights to non-admin users to use the iCloud pref pane without being prompted for Admin credentials?

Thanks.

Chris_Hafner
Valued Contributor II

I haven't tried it with "iCloud" in specific, but we use authorizationdb to allow access to Printers, Energy Saver, TM and a few other panels with great success. I don't have a 10.8 machine in front of me, but in 10.9 I'm not sure that an administrative password is required. At least it's not on the one in front of me, but that's a development unit and who know s what I've done to it ;-)

RobertHammen
Valued Contributor II

/etc/authorization in previous versions of OS X is a flat file, in Mavericks it moved to a DB. More info on editing it here:

http://derflounder.wordpress.com/2014/02/16/managing-the-authorization-database-in-os-x-mavericks/

bcornwell
New Contributor III

sengerk,

Pditty and I have had success with unlocking certain pieces of Sys Prefs for non-admins in 10.9, but still not Find My Mac. We can't find anything in the DB file that is tied to changing the state of FMM. The limitations of items in the DB that you have to work with and the lack of info about what some of them even are is frustrating. This is the best info we have been able to find about it:

http://www.dssw.co.uk/reference/authorization-rights/index.html

As you can see, pretty incomplete.

Here is the script I wrote to unlock a couple other things. It is pretty straight forward assuming you can find a property that you need to change in the DB:

#!/bin/bash

# Unlock System Preferences for non admins:
sudo security authorizationdb write system.preferences allow

# Unlock Energy Saver preference pane:
sudo security authorizationdb write system.preferences.energysaver allow

# Unlock Time Machine preference pane:
sudo security authorizationdb write system.preferences.timemachine allow

exit 0

Brandon Cornwell
Systems Administrator
Eden Prairie Schools

mm2270
Legendary Contributor III

In the link you provided up above (and also referenced by @rtrouton on his blog) I see an authdb right called "com.apple.AOSNotification.FindMyMac.modify" Is that the one you're looking for? Or does that only refer to Notification Center settings? Kind of hard to tell even after exporting the current settings to a plist file.

bcornwell
New Contributor III

I agree - lack of documentation makes it difficult to tell what some of these things are. It seems to me that right only applies to Notification Center. When you dig into its contents you find:

'__APPNAME__ wants to make changes to Find My Mac.',

kwsenger
Contributor

Find My Mac - Standard User - Does NOT prompt Standard Users for Admin credentials after running this command in Terminal or using a Script / Policy scoped correctly.

security authorizationdb write com.apple.AOSNotification.FindMyMac.modify allow

After running that command, a Standard User will not be prompted for an Admin username and password when they try to check Find My Mac in the iCloud preference pane.

GregE
Contributor

@kwsenger 5yrs on and that works in Mojave - thank you!