Posted on 06-18-2018 10:58 AM
I have found a number of older discussions asking for a way to allow non-admins the ability to manage individual system preferences but I'm not having luck on utilizing them on 10.13 (did not try all recent macOS major releases). Hoping to find something that can apply to machines running macOS 10.10-10.13.
Does anyone have an up-to-date script or configuration profile to allow non-admin users (not sure if it matters but they are also AD mobile users) to control Network System Preferences? Specifically hoping to allow non-admin users to be able to remove remembered networks.
When trying this process I get an error: bash: /tmp/system.preferences.plist: Permission denied
Posted on 06-18-2018 11:25 AM
security authorizationdb write system.preferences.network allow
security authorizationdb write system.services.systemconfiguration.network allow
/usr/libexec/airportd prefs RequireAdminNetworkChange=NO RequireAdminIBSS=NO
These are the lines I have in a larger script that unlocks a lot more but this unlocks the Network System Preference.
Posted on 04-19-2022 06:53 PM
Hi. I tried using those and it indeed unlocked network but after I make a change and hit OK it will ask me for the admin logon.
Posted on 09-22-2022 12:13 AM
Hi,
Did anybody find a way to allow this on Monterey or Ventura?
09-30-2022 03:03 PM - edited 09-30-2022 03:18 PM
Yes! So in my testing, I was previously able to get it to work by running:
/usr/bin/security authorizationdb write system.preferences.network allow
/usr/bin/security authorizationdb write system.services.systemconfiguration.network allow
However, on a whim I decided to try running ONLY the following command on a freshly imaged Monterey machine:
/usr/bin/security authorizationdb write com.apple.wifi allow
This gave me complete access to all network settings (not just wifi). To be honest, this isn't what I was hoping for. I'd really like to be able to JUST allow standard users to be able to remove SSIDs, and nothing else in the network settings. However, I'm just not sure how to get that granular. All that being said, if you run the above command, you will most certainly be able to modify any and all network settings as a standard user, for better or worse. Hope this helps!
11-01-2022 11:26 AM - edited 11-01-2022 11:32 AM
Thanks for this!
I am attempting to unlock date/time settings in Ventura 13.0 but it does not seem to work this way:
/usr/bin/security authorizationdb write system.preferences.datetime allow
also attempted:
security authorizationdb write system.preferences allow
security authorizationdb write system.preferences.datetime allow
Did the datetime modifier change in Ventura, possibly? I haven't found anything about it yet.
Posted on 12-20-2022 10:15 PM
I am also facing the same issue. Has anyone found a solution for this issue?
Posted on 06-18-2018 11:50 AM
@boberito This looks to be the trick, thanks!
Posted on 06-18-2018 03:23 PM
@boberito by the same token, is there a way to use authorizationdb to allow user to have access to date and time system pref? Which script in your GH is the larger script you speak of?
Posted on 06-18-2018 04:34 PM
Some of this maybe doesn't work. But it runs and unlocks a lot of system preferences. Sort of makes people a power user like Windows if you will.
#!/bin/sh
spctl --master-disable
#system preferences
security authorizationdb write system.preferences allow
security authorizationdb write system.preferences.network allow
security authorizationdb write system.preferences.accessibility allow
security authorizationdb write system.preferences.energysaver allow
security authorizationdb write system.preferences.printing allow
security authorizationdb write system.preferences.datetime allow
security authorizationdb write system.preferences.timemachine allow
security authorizationdb write system.preferences.network allow
security authorizationdb write system.preferences.security allow
security authorizationdb write system.services.systemconfiguration.network allow
#Printing
security authorizationdb write system.preferences.printing allow
security authorizationdb write system.printingmanager allow
security authorizationdb write system.print.admin allow
security authorizationdb write system.print.operator allow
#potential force restart and shutdown if other users logged in
security authorizationdb write system.restart allow
security authorizationdb write system.shutdown allow
#App store
security authorizationdb write system.install.app-store-software allow
#DVD Player
security authorizationdb write system.device.dvd.setregion allow
security authorizationdb write system.device.dvd.setregion.change allow
security authorizationdb write system.device.dvd.setregion.initial allow
security authorizationdb write system.device.dvd.setregion.change.comment allow
security authorizationdb write system.device.dvd.setregion.change.change allow
security authorizationdb write system.device.dvd.setregion.initial.class allow
security authorizationdb write system.device.dvd.setregion.change.class allow
security authorizationdb write system.device.dvd.setregion.change.comment allow
security authorizationdb write system.device.dvd.setregion.change.group allow
security authorizationdb write system.device.dvd.setregion.change.group allow
security authorizationdb write system.device.dvd.setregion.change.shared allow
#Groups needed to be in for things to unlock
USERNAME=`who |grep console| awk '{print $1}'`
dseditgroup -o edit -a $USERNAME -T group _appstore
dseditgroup -o edit -a $USERNAME -T group lpadmin
/usr/libexec/airportd prefs RequireAdminNetworkChange=NO RequireAdminIBSS=NO
## Unload locationd
launchctl unload /System/Library/LaunchDaemons/com.apple.locationd.plist
## Write enabled value to locationd plist
defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -int 1
/usr/libexec/PlistBuddy -c "Set :com.apple.locationd.bundle-/System/Library/PrivateFrameworks/AssistantServices.framework:Authorized true" /var/db/locationd/clients.plist
## Fix Permissions for the locationd folder
chown -R _locationd:_locationd /var/db/locationd
## Reload locationd
launchctl load /System/Library/LaunchDaemons/com.apple.locationd.plist
exit 0
Posted on 06-18-2018 04:42 PM
As for fixing the Date and Time. So we have an 802.1x network and students can't get on the network if the date and time is way off which happens sometimes if they let their computer run out of power too far and sit out of power for a while. They don't realize that the date and time is waaaay off, just that they can't get on the network "my wifi is broke". And even with all of that set it doesn't seem like they always have access to be able to fix it. Plus they don't realize it's off.
So I set a policy with a script to run every login and make it available offline. It uses Pashua (https://www.bluem.net/en/projects/pashua/) to create a dialog box so that the standard user can set the date and time. Then it restarts the computer (not required).
You could set this as a Self Service policy or just keep it the same as a login policy.
#!/bin/sh
#Runs every login. If the date and time are way off, then it brings up the Pashua dialog to allow the user to adjust the date and time
#put Pashua where ever you want
pashuapath="/Applications/Pashua.app/Contents/MacOS/Pashua"
pashua_run() {
# Write config file
local pashua_configfile=`/usr/bin/mktemp /tmp/pashua_XXXXXXXXX`
echo "$1" > "$pashua_configfile"
if [ "" = "$pashuapath" ]
then
>&2 echo "Error: Pashua could not be found"
exit 1
fi
# Get result
local result=$("$pashuapath" "$pashua_configfile")
# Remove config file
rm "$pashua_configfile"
oldIFS="$IFS"
IFS=$'\n'
# Parse result
for line in $result
do
local name=$(echo $line | sed 's/^\([^=]*\)=.*$/\1/')
local value=$(echo $line | sed 's/^[^=]*=\(.*\)$/\1/')
eval $name='$value'
done
IFS="$oldIFS"
}
REFERENCEDATE=$(date -r /System/Library/CoreServices/XProtect.bundle +%Y%m%d)
CURRENTSYSTEMDATE=$(date +%Y%m%d)
if [ "$CURRENTSYSTEMDATE" -ge "$REFERENCEDATE" ]; then
exit 0
else
echo "Going into one-time clock set..."
conf="
# Set window title
*.title = Date and Time
*.floating = 1
img.type = image
img.x = 0
img.y = 125
img.maxwidth = 50
img.maxheight = 50
img.path = /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertNoteIcon.icns
# Message
txt.type = text
txt.default = Your current date & time is incorrect. This will result in problems when you are connecting to the network. Your computer will restart when you close the window or click Ok.
txt.width = 215
txt.x = 60
txt.y = 110
# Date and time picker
d.type = date
d.label = Please set the Date and Time
d.textual = 1
d.date = 1
d.time = 1
"
pashua_run "$conf" "$customLocation"
newmonth=$(echo $d | awk '{ print $1 }' | awk -F "-" '{ print $2 }')
newday=$(echo $d | awk '{ print $1 }' | awk -F "-" '{ print $3 }')
newyear=$(echo $d | awk '{ print $1 }' | awk -F "-" '{ print $1 }' | cut -c 3-)
UserSetDate="$(echo $d | awk '{ print $1 }' | awk -F "-" '{ print $2 }'):$(echo $d | awk '{ print $1 }' | awk -F "-" '{ print $3 }'):$(echo $d | awk '{ print $1 }' | awk -F "-" '{ print $1 }' | cut -c 3-)"
UserSetClock=$(echo $d | awk '{ print $2 }')
systemsetup -setusingnetworktime off
systemsetup -setdate $UserSetDate
systemsetup -settime $UserSetClock
shutdown -r NOW
fi
Posted on 04-16-2019 05:03 AM
Is there a good way to check for these settings like in an Extension Attribute?
Even though it looks like XML when I run the command manually, security authorizationdb read system.services.systemconfiguration.network
only seems to pipe "YES (0)" to xmllint regardless of whether it's been modified or not.
Posted on 04-16-2019 05:45 AM
Oh nm. I got it with grep and awk.
Posted on 02-12-2020 02:10 PM
@noahdowd What grep/awk did you end up doing for this? I'm looking to make some EA's but I think that "YES (0)" is causing output issues.
#!/bin/bash
GROUP=`security authorizationdb read system.services.systemconfiguration.network | grep array -A1 | grep string | cut -d'>' -f2 | cut -d'<' -f1`
echo "<result>$GROUP</result>"
exit 0
Got it:
#!/bin/bash
GROUP=`security authorizationdb read system.services.systemconfiguration.network 2> /dev/null | grep array -A1 | grep string | cut -d'>' -f2 | cut -d'<' -f1`
echo "<result>$GROUP</result>"
exit 0
Posted on 02-20-2020 08:30 AM
@snovak Oh cool. Yeah mine is similar but no cut:
#!/bin/bash
result="No"
systemPrefsStatus="$(/usr/bin/security authorizationdb read system.preferences | xmllint --format - | grep -A 2 '<key>rule</key>' | grep '<string>' | awk -F '>|<' '{print $3}')"
echo "$systemPrefsStatus"
if [[ $systemPrefsStatus == "allow" ]]; then
networkPrefStatus=$(/usr/bin/security authorizationdb read system.preferences.network | xmllint --format - | grep -A 2 "<key>rule</key>" | grep "<string>" | awk -F ">|<" '{print $3}')
echo "$networkPrefStatus"
if [[ $networkPrefStatus == "allow" ]]; then
networkConfStatus=$(/usr/bin/security authorizationdb read system.services.systemconfiguration.network | xmllint --format - | grep -A 2 "<key>rule</key>" | grep "<string>" | awk -F ">|<" '{print $3}')
echo "$networkConfStatus"
if [[ $networkConfStatus == "allow" ]]; then
result="Yes"
fi
fi
fi
echo "<result>$result</result>"
exit 0
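Added example (not code from any poster in this thread): an audit helper for the check discussed above. It parses the plist that `security authorizationdb read` prints and reports whether a right has been relaxed to the built-in `allow` rule or still names a group or another rule. The function names and the embedded sample plists are constructed for illustration; it assumes one XML element per line.

```shell
#!/bin/sh
# Added example, not from the thread. classify_right reads one right's plist
# on stdin (one XML element per line, as `security authorizationdb read`
# prints it) and reports whether the right resolves to the built-in allow rule.
classify_right() {
    awk '
        /<key>class<\/key>/ { want = "class"; next }
        /<key>group<\/key>/ { want = "group"; next }
        /<key>rule<\/key>/  { want = "rule";  next }
        /<key>/             { want = "";      next }   # any other key: ignore its value
        /<\/array>/         { want = "";      next }   # end of the rule list
        want != "" && /<string>/ {
            v = $0; sub(/.*<string>/, "", v); sub(/<\/string>.*/, "", v)
            if (want == "rule") rule = (rule == "" ? v : rule "," v)
            else { val[want] = v; want = "" }
        }
        END {
            if (val["class"] == "") print "unknown"
            else if (val["class"] == "allow" || (val["class"] == "rule" && rule == "allow"))
                print "relaxed"
            else if (val["class"] == "user") print "restricted:group=" val["group"]
            else print "restricted:class=" val["class"] ",rule=" rule
        }'
}

# Constructed sample: shape of a right after `... write <right> allow`.
sample_relaxed() { printf '%s\n' '<dict>' '<key>class</key>' '<string>rule</string>' \
    '<key>rule</key>' '<array>' '<string>allow</string>' '</array>' '</dict>'; }

# Constructed sample: a right that still requires membership in group admin.
sample_admin() { printf '%s\n' '<dict>' '<key>class</key>' '<string>user</string>' \
    '<key>comment</key>' '<string>constructed</string>' '<key>group</key>' \
    '<string>admin</string>' '</dict>'; }

# Live audit: one "right status" line per right. stderr is discarded because
# the "YES (0)" status line mentioned in the thread is written there.
audit_rights() {
    for right in "$@"; do
        printf '%s %s\n' "$right" \
            "$(security authorizationdb read "$right" 2>/dev/null | classify_right)"
    done
}

# Runs only where the macOS `security` tool exists; rights are those named in the thread.
if command -v security >/dev/null 2>&1; then
    audit_rights system.preferences system.preferences.network \
        system.services.systemconfiguration.network com.apple.wifi
fi
```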
Posted on 03-19-2020 10:18 AM
@noahdowd just curious... we're looking for something to unlock the Energy Saver preferences. If we wanted to script this from yours for just the Energy Saver prefs, to make it easy, would we just rename everything on your script from network to energysaver?
Posted on 03-30-2020 08:58 PM
@boberito Are you able to unlock Security & Privacy Pane for non-admins on Mojave and later? I'm attempting with:
security authorizationdb write system.preferences.SecurityPrivacy allow
security authorizationdb write system.preferences allow
security authorizationdb write system.preferences.security allow
But doesn't appear to be working. Any thoughts on this ?
thanks
Posted on 04-21-2020 11:16 AM
Trying to create an option to reverse the admin privileges that have been granted to standard users. Seemed like a find and replace would do the trick on boberito's original script, i.e.:
security authorizationdb write system.preferences.network deny
security authorizationdb write system.services.systemconfiguration.network deny
/usr/libexec/airportd prefs RequireAdminNetworkChange=YES RequireAdminIBSS=YES
The admin privileges remain in place even after a restart. 6005 appears to be a generic scripting error for a bad argument. (See attached screen shot of the log summary)
"Deny" would appear to be a valid argument to pass here (cf. R. Trouton's guide below)
https://derflounder.wordpress.com/2014/02/16/managing-the-authorization-database-in-os-x-mavericks/?scrlybrkr=e43a47de
@Chuey: It would appear that we are barking up similar trees.
Posted on 06-03-2022 09:02 AM
Did you ever find out how to do the reverse command? I have read that "deny" won't (and shouldn't) work because it would make it so no one (not even admins) could unlock the preference. I have tried instead
security authorizationdb write system.preferences.energysaver admin
security authorizationdb write system.preferences.energysaver authenticate-admin
Both write properly, but the energy saving preferences remain unlocked