Posted on 08-20-2014 10:31 AM
Hey Everyone,
I'm trying to write a script that would enable non admin users to make changes to the security and privacy panel in system preferences. I have a script that unlocks other panels fine but doesn't seem to work for this one.
It looks kinda like this:
security authorizationdb read system.preferences.energysaver > /tmp/system.preferences.energysaver.plist
/usr/libexec/PlistBuddy -c 'set group everyone' /tmp/system.preferences.energysaver.plist
security authorizationdb write system.preferences.energysaver < /tmp/system.preferences.energysaver.plist
This script works fine and "unlocks" the Energy Saver preference panel. However, pointing it to "system.preferences.security" doesn't unlock the panel.
Anyone have an idea about how to fix this?
Posted on 08-20-2014 12:48 PM
You're close... read @rtrouton's excellent blog post on the security command and the authorizationdb in Mavericks here:
http://derflounder.wordpress.com/2014/02/16/managing-the-authorization-database-in-os-x-mavericks/
Posted on 08-27-2014 03:25 PM
@xyz1347 I had to go through this recently too. When I made changes to system.preferences.security, the lock was still locked. When I clicked the lock to authenticate, the standard user was listed under user name. I was able to enter my password, but then got a prompt to unlock remote something, which was not authorized for the standard user. When I made changes to the below items, a standard user was able to modify the security & privacy panes. We are using Custom Config profiles to block the "turn off FileVault" and blocking modifying Gatekeeper settings.
You may or may not be able to make changes on those based on your Organization.
Upon checking looks like when you unlock the Security Pref Pane, it also needs authorization to the following:
system.preferences.security.remotepair
"Used by Bezel Services to gate IR remote pairing."
The remote pair is for the Apple IR remote.
system.services.directory.configure
"For making Directory Services changes."
Allows the authorized user to unlock the Directory Utility app. Still would need a network admin account to unbind though.
com.apple.DiskManagement.reserveKEK
"Used by diskmanagementd to allow use of the reserve KEK."
I haven't gotten to digging on this one.
Hope this helps you.
Posted on 01-11-2017 02:45 PM
Sorry to bump this -- I was wondering if anyone has figured out how to unlock Security&Privacy > Privacy for non-admin accounts. I saw from another post to use Privacy Services Manager but I'm trying to see if anyone found a native way to do it.
TIA!
Posted on 01-12-2017 05:57 AM
+1 for @rtrouton's post.
With the move of authorization rights into a database, the old methods of editing authorization rights with a text editor no longer work. Instead, there are now three possible methods for adding, deleting and changing authorization rights:
- The security command line tool
- Using SQLite commands to modify the database
- Modifying the authorization.plist file located at /System/Library/Security, then removing the existing /var/db/auth.db database
Of these three, the Apple-supported method is to use the security command line tool so I will be focusing on that approach.
We've used the below to unlock timezones from users (because we hard code our internal time server).
#!/bin/sh
security authorizationdb write system.preferences allow
security authorizationdb write system.preferences.datetime allow
exit 0
Just find the string you need to edit and you're done.
Posted on 01-12-2017 07:40 AM
I've been able to dig up information on unlocking Date/Time, EnergySaver, Network, Printing, TimeMachine....the only one that I'm stuck at is Location Services under Security&Privacy>Privacy.
I'd be happy if I could find a way to unlock all of Privacy even just so end users can remove approved apps from location services. I've tried multiple security authorizationdb writes and only have gone as far as getting the "System Preferences is trying to modify an encrypted disk" prompt.
I was able to get that far by using these:
security authorizationdb write system.preferences.SecurityPrivacy allow
security authorizationdb write system.preferences allow
security authorizationdb write system.preferences.security allow
security authorizationdb write system.preferences.security.remotepair allow
Can't get past the encrypted disk, tho I've tried these:
security authorizationdb write com.apple.DiskManagement.reserverKEK allow
security authorizationdb write system.services.directory.configure allow
I'm using this as reference of possible authorization rights:
http://www.dssw.co.uk/reference/authorization-rights/index.html
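An added example, not part of any post in this thread: a small audit that parses the plist printed by `security authorizationdb read <right>` and reports which rights have been loosened with the `allow` rule or `group everyone` changes shown above. The function names and the sample definitions are constructed for illustration, and the `class`/`rule`/`group` key layout is assumed to match the tool's output.

```python
import plistlib
import subprocess

# Rights named in this thread for the Security & Privacy pane.
THREAD_RIGHTS = [
    "system.preferences",
    "system.preferences.security",
    "system.preferences.security.remotepair",
    "system.services.directory.configure",
    "com.apple.DiskManagement.reserveKEK",
]

def read_right(name):
    """Return the plist bytes for one right (macOS only)."""
    return subprocess.run(
        ["security", "authorizationdb", "read", name],
        check=True, capture_output=True,
    ).stdout

def classify(plist_bytes):
    """Classify one right definition: 'allow', 'everyone' or 'restricted'."""
    right = plistlib.loads(plist_bytes)
    rules = right.get("rule", [])
    if isinstance(rules, str):
        rules = [rules]
    if right.get("class") == "allow" or rules == ["allow"]:
        return "allow"      # granted without any authentication
    if right.get("class") == "user" and right.get("group") == "everyone":
        return "everyone"   # any account can authenticate as itself
    return "restricted"

def audit(definitions):
    """Map right name -> finding for each right that is not restricted."""
    findings = {}
    for name, blob in definitions.items():
        verdict = classify(blob)
        if verdict != "restricted":
            findings[name] = verdict
    return findings

# Constructed sample definitions (assumed layout, not captured from a Mac).
SAMPLE = {
    "system.preferences": plistlib.dumps({"class": "rule", "rule": ["allow"]}),
    "system.preferences.energysaver": plistlib.dumps(
        {"class": "user", "group": "everyone", "shared": False}),
    "system.preferences.security": plistlib.dumps(
        {"class": "user", "group": "admin", "shared": False}),
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE).items():
        print(f"{name}: {verdict}")
```

On a Mac, `audit({r: read_right(r) for r in THREAD_RIGHTS})` runs the same check against the live authorization database.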
Posted on 01-29-2019 05:48 AM
@normanchan did you ever find a solution to unlocking the encrypted disk? i.e. solving the final pop up "System Preferences is trying to modify an encrypted disk"
Thanks in advance
Posted on 03-27-2020 11:06 AM
@jsilverman29 @normanchan I'm attempting to unlock Security and Privacy on macOS Mojave but the following didn't seem to do anything?
security authorizationdb write system.preferences.SecurityPrivacy allow
security authorizationdb write system.preferences allow
security authorizationdb write system.preferences.security allow
Am I doing something wrong? Does order matter when running those?
Posted on 03-30-2020 05:45 AM
That's the old way now! Try using this
https://github.com/jamf/PPPC-Utility
Posted on 03-30-2020 06:56 AM
@Chris_Hafner I have used the PPPC Utility before. Great tool. What exactly would I load into the PPPC Utility? System preferences ? Then run those commands? thank you for the clarification!!
Posted on 03-30-2020 07:44 AM
Sorry, I'm beating around the bush. Apple "really" doesn't want that to work that way anymore. At least, not with the security preference pane. However, this thread might point you in the direction you're looking for. https://github.com/mathiasbynens/dotfiles/issues/849
Posted on 03-31-2020 08:49 AM
Also @Chuey I didn't answer your question directly. Sorry about that. The security and privacy pane is now generally locked down to keep us, admins, and others from doing just this. There is no simple plist that can be edited by something like defaults write to achieve what you're asking. They [Apple] want everything (Each security item) to be very discrete, and specifically locked or unlocked.
Posted on 03-31-2020 10:23 AM
@Chris_Hafner That is awful to hear. HAHA, having the ability as an admin to lock/unlock things is nice. So I guess I'm stuck and there is no real solution any longer?
Posted on 03-31-2020 10:32 AM
It's a balance. Some of the things we can preset with profiles (PPPC Utility) and the rest is educating the users on how to manage their access to things like cameras or microphone. Was there a specific issue you wanted to solve?
Posted on 04-01-2020 08:40 AM
@Chris_Hafner Right now most things I can whitelist with PPPC Utility, I believe, but I hate that you cannot allow screen recording and only deny. I wish they would give us the ability to allow in future. Some users said they needed to allow for Google Meets to share their screen.
Posted on 04-01-2020 09:08 AM
The preference pane does not need to be unlocked to allow (check off) apps in Screen Recording, Camera, Microphone, and a few other sections. You can make changes in these panes as a non admin user.
Posted on 04-02-2020 05:41 AM
@adamcodega So if I'm understanding correctly some tabs (Camera, Mic) will not be greyed out but others will? Such as accessibility, full disk access, and location services (as an example)?
Posted on 04-02-2020 07:27 AM
@Chuey Yes.
Posted on 06-02-2021 03:23 PM
Does it matter which version of the application is installed? So the screen capture setting "let standard users approve" over PPPC will still work if I update Skype for Business, for example, but the PPPC profile was created with the old version?