Enabling non-admin users to access the "Security & Privacy" preference panel in Mavericks

xyz1347
New Contributor

Hey Everyone,

I'm trying to write a script that would enable non-admin users to make changes to the Security & Privacy panel in System Preferences. I have a script that unlocks other panels fine but doesn't seem to work for this one.
It looks kinda like this:

security authorizationdb read system.preferences.energysaver > /tmp/system.preferences.energysaver.plist
/usr/libexec/PlistBuddy -c 'set group everyone' /tmp/system.preferences.energysaver.plist
security authorizationdb write system.preferences.energysaver < /tmp/system.preferences.energysaver.plist

This script works fine and "unlocks" the Energy Saver preference panel. However, pointing it to "system.preferences.security" doesn't unlock the panel.

Anyone have an idea about how to fix this?


RobertHammen
Valued Contributor II

You're close... read @rtrouton's excellent blog post on the security command and the authorizationdb in Mavericks here:

http://derflounder.wordpress.com/2014/02/16/managing-the-authorization-database-in-os-x-mavericks/

jrserapio
Contributor

@xyz1347 I had to go through this recently too. When I made changes to system.preferences.security, the lock was still locked. When I clicked the lock to authenticate, the standard user was listed under user name. I was able to enter my password, but then got a prompt to unlock remote something, which was not authorized for the standard user. When I made changes to the below items, a standard user was able to modify the Security & Privacy panes. We are using Custom Config profiles to block the "turn off FileVault" and blocking modifying Gatekeeper settings.

You may or may not be able to make changes on those based on your organization. Upon checking, it looks like when you unlock the Security pref pane, it also needs authorization to the following:
system.preferences.security.remotepair
"Used by Bezel Services to gate IR remote pairing."
The remote pair is for the Apple IR remote.

system.services.directory.configure "For making Directory Services changes."
Allows the authorized user to unlock the Directory Utility app. Still would need a network admin account to unbind though.

com.apple.DiskManagement.reserveKEK "Used by diskmanagementd to allow use of the reserve KEK."
I haven't gotten to digging on this one.

Hope this helps you.

normanchan
New Contributor II

@xyz1347 @jrserapio

Sorry to bump this -- I was wondering if anyone has figured out how to unlock Security & Privacy > Privacy for non-admin accounts. I saw from another post to use Privacy Services Manager but I'm trying to see if anyone found a native way to do it.

TIA!

easyedc
Valued Contributor II

+1 for @rtrouton's post.

With the move of authorization rights into a database, the old methods of editing authorization rights with a text editor no longer work. Instead, there are now three possible methods for adding, deleting and changing authorization rights:

1. The security command line tool
2. Using SQLite commands to modify the database
3. Modifying the authorization.plist file located at /System/Library/Security, then removing the existing /var/db/auth.db database

Of these three, the Apple-supported method is to use the security command line tool so I will be focusing on that approach.

We've used the below to unlock timezones from users (because we hard code our internal time server).

#!/bin/sh
security authorizationdb write system.preferences allow
security authorizationdb write system.preferences.datetime allow
exit 0

Just find the string you need to edit and you're done.
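
As an added example (not code from this thread or from rtrouton's post), the read/modify/write procedure from the first post and the bare `allow` approach above, done with plistlib instead of a temp file and PlistBuddy, plus an audit check for the caveat both approaches carry: once a right's group is `everyone` or its class is `allow`, any local user can pass that authorization, so it is worth being able to list which rights have been opened. The `read_right`/`write_right` wrappers call the real `security` command and only work on macOS (writing needs root); `SAMPLE_RIGHT_PLIST` is a constructed stand-in for what `security authorizationdb read` prints, so the offline parts run anywhere.

```python
"""Read, modify, write back and audit macOS authorization rights.

Added example; not from the thread. Right names come from the thread,
the sample plist below is constructed to look like `security authorizationdb
read <right>` output for an admin-only "user" class rule.
"""
import plistlib
import subprocess
from typing import Any

# CONSTRUCTED sample: shape of a right that currently requires the admin group.
SAMPLE_RIGHT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>class</key><string>user</string>
    <key>group</key><string>admin</string>
    <key>shared</key><true/>
    <key>timeout</key><integer>2147483647</integer>
</dict>
</plist>
"""


def parse_right(plist_bytes: bytes) -> dict[str, Any]:
    """Parse the XML plist that `security authorizationdb read` prints."""
    return plistlib.loads(plist_bytes)


def read_right(right: str) -> dict[str, Any]:
    """macOS only: run `security authorizationdb read <right>` and parse it.
    Same as the thread's `> /tmp/x.plist` step, without the temp file."""
    out = subprocess.run(
        ["security", "authorizationdb", "read", right],
        check=True, capture_output=True,
    ).stdout
    return parse_right(out)


def write_right(right: str, rule: dict[str, Any]) -> None:
    """macOS only, needs root: pipe the rule back with
    `security authorizationdb write <right>` (the thread's `<` step)."""
    subprocess.run(
        ["security", "authorizationdb", "write", right],
        input=plistlib.dumps(rule), check=True,
    )


def set_group(rule: dict[str, Any], group: str) -> dict[str, Any]:
    """Equivalent of the thread's PlistBuddy 'set group everyone' step.
    Returns a new dict so the original can be kept (or dumped) for rollback."""
    new_rule = dict(rule)
    new_rule["group"] = group
    return new_rule


def is_open_to_everyone(rule: dict[str, Any]) -> bool:
    """Audit check: True when the rule no longer needs admin membership,
    either because it is the bare 'allow' rule (what
    `security authorizationdb write <right> allow` produces) or because a
    'user' class rule has had its group set to 'everyone'."""
    if rule.get("class") == "allow":
        return True
    return rule.get("class") == "user" and rule.get("group") == "everyone"


def audit_sample() -> dict[str, bool]:
    """Offline demonstration on the constructed plist, before and after the
    group change. Returns the audit verdict for each state."""
    before = parse_right(SAMPLE_RIGHT_PLIST)
    after = set_group(before, "everyone")
    return {"before": is_open_to_everyone(before), "after": is_open_to_everyone(after)}


if __name__ == "__main__":
    # Offline run: {'before': False, 'after': True}
    print(audit_sample())
    # On a Mac, an admin could audit live rights named in the thread like so:
    # for r in ("system.preferences", "system.preferences.security"):
    #     print(r, is_open_to_everyone(read_right(r)))
```

Keeping the dict returned by `read_right` (or its `plistlib.dumps` bytes) before calling `write_right` gives you the exact original rule to restore, which the thread's temp-file version overwrites on the second run.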

normanchan
New Contributor II

I've been able to dig up information on unlocking Date/Time, Energy Saver, Network, Printing, Time Machine... the only one that I'm stuck at is Location Services under Security & Privacy > Privacy.

I'd be happy if I could find a way to unlock all of Privacy even just so end users can remove approved apps from location services. I've tried multiple security authorizationdb writes and only have gone as far as getting the "System Preferences is trying to modify an encrypted disk" prompt.


I was able to get that far by using these:
security authorizationdb write system.preferences.SecurityPrivacy allow
security authorizationdb write system.preferences allow
security authorizationdb write system.preferences.security allow
security authorizationdb write system.preferences.security.remotepair allow

Can't get past the encrypted disk, though I've tried these:
security authorizationdb write com.apple.DiskManagement.reserveKEK allow
security authorizationdb write system.services.directory.configure allow

I'm using this as reference of possible authorization rights:
http://www.dssw.co.uk/reference/authorization-rights/index.html

jsilverman29
New Contributor

@normanchan did you ever find a solution to unlocking the encrypted disk? i.e. solving the final pop up "System Preferences is trying to modify an encrypted disk"

Thanks in advance

Chuey
Contributor III

@jsilverman29 @normanchan I'm attempting to unlock Security and Privacy on macOS Mojave but the following didn't seem to do anything?

security authorizationdb write system.preferences.SecurityPrivacy allow
security authorizationdb write system.preferences allow
security authorizationdb write system.preferences.security allow

Am I doing something wrong? Does order matter when running those?

Chris_Hafner
Valued Contributor II

That's the old way now! Try using this
https://github.com/jamf/PPPC-Utility

Chuey
Contributor III

@Chris_Hafner I have used the PPPC Utility before. Great tool. What exactly would I load into the PPPC Utility? System Preferences? Then run those commands? Thank you for the clarification!!

Chris_Hafner
Valued Contributor II

Sorry, I'm beating around the bush. Apple "really" doesn't want that to work that way anymore. At least, not with the security preference pane. However, this thread might point you in the direction you're looking for. https://github.com/mathiasbynens/dotfiles/issues/849

Chris_Hafner
Valued Contributor II

Also @Chuey I didn't answer your question directly. Sorry about that. The security and privacy pane is now generally locked down to keep us, admins, and others from doing just this. There is no simple plist that can be edited by something like defaults write to achieve what you're asking. They [Apple] want everything (Each security item) to be very discrete, and specifically locked or unlocked.

Chuey
Contributor III

@Chris_Hafner That is awful to hear. HAHA, having the ability as an admin to lock/unlock things is nice. So I guess I'm stuck and there is no real solution any longer?

Chris_Hafner
Valued Contributor II

It's a balance. Some of the things we can preset with profiles (PPPC Utility) and the rest is educating the users on how to manage their access to things like cameras or microphone. Was there a specific issue you wanted to solve?

Chuey
Contributor III

@Chris_Hafner Right now most things I can whitelist with PPPC Utility I believe, but I hate that you cannot allow screen recording and only deny. I wish they would give us the ability to allow in future. Some users said they needed to allow for Google Meet to share their screen.

adamcodega
Valued Contributor

The preference pane does not need to be unlocked to allow (check off) apps in Screen Recording, Camera, Microphone, and a few other sections. You can make changes in these panes as a non admin user.

Chuey
Contributor III

@adamcodega So if I'm understanding correctly some tabs (Camera, Mic) will not be greyed out but others will? Such as Accessibility, Full Disk Access, and Location Services (as an example)?

Chris_Hafner
Valued Contributor II

@Chuey Yes.

user-VxGiOHljaC
New Contributor

Does it matter which version of application is installed? So the screen capture setting "let standard users approve" over PPPC will still work if I update Skype for Business, for example, but the PPPC profile was created with the old version?