Network System Preferences for Non-Admins

kendalljjohnson
Contributor II

I have found a number of older discussions asking for a way to allow non-admins the ability to manage individual system preferences but I'm not having luck on utilizing them on 10.13 (did not try all recent macOS major releases). Hoping to find something that can apply to machines running macOS 10.10-10.13.

Does anyone have an up-to-date script or configuration profile to allow non-admin users (not sure if it matters but they are also AD mobile users) to control Network System Preferences? Specifically hoping to allow non-admin users to be able to remove remembered networks.

When trying this process I get an error: bash: /tmp/system.preferences.plist: Permission denied

1 ACCEPTED SOLUTION

boberito
Valued Contributor
security authorizationdb write system.preferences.network allow
security authorizationdb write system.services.systemconfiguration.network allow
/usr/libexec/airportd prefs RequireAdminNetworkChange=NO RequireAdminIBSS=NO

These are the lines I have in a larger script that unlocks a lot more but this unlocks the Network System Preference.

Hi. I tried using those and it indeed unlocked network but after I make a change and hit OK it will ask me for the admin logon.

Hi,
Did anybody find a way to allow this on Monterey or Ventura?

damnlyons
New Contributor

Yes! So in my testing, I was previously able to get it to work by running:

/usr/bin/security authorizationdb write system.preferences.network allow
/usr/bin/security authorizationdb write system.services.systemconfiguration.network allow

However, on a whim I decided to try running ONLY the following command on a freshly imaged Monterey machine:

/usr/bin/security authorizationdb write com.apple.wifi allow

This gave me complete access to all network settings (not just wifi). To be honest, this isn't what I was hoping for. I'd really like to be able to JUST allow standard users to be able to remove SSIDs, and nothing else in the network settings. However, I'm just not sure how to get that granular. All that being said, if you run the above command, you will most certainly be able to modify any and all network settings as a standard user, for better or worse. Hope this helps!

Thanks for this!

I am attempting to unlock date/time settings in Ventura 13.0 but it does not seem to work this way:

/usr/bin/security authorizationdb write system.preferences.datetime allow 

also attempted:

security authorizationdb write system.preferences allow
security authorizationdb write system.preferences.datetime allow

Did the datetime modifier change in Ventura, possibly? I haven't found anything about it yet.

Muzaffar
New Contributor II

I am also facing the same issue. Has anyone found a solution for this issue?

kendalljjohnson
Contributor II

@boberito This looks to be the trick, thanks!

obing
New Contributor III

@boberito by the same token, is there a way to use authorizationdb to allow user to have access to date and time system pref? Which script in your GH is the larger script you speak of?

boberito
Valued Contributor

Some of this maybe doesn't work. But it runs and unlocks a lot of system preferences. Sort of makes people a power user like Windows if you will.

#!/bin/sh

spctl --master-disable 

#system preferences
security authorizationdb write system.preferences allow
security authorizationdb write system.preferences.network allow
security authorizationdb write system.preferences.accessibility allow
security authorizationdb write system.preferences.energysaver allow
security authorizationdb write system.preferences.printing allow
security authorizationdb write system.preferences.datetime allow
security authorizationdb write system.preferences.timemachine allow
security authorizationdb write system.preferences.network allow
security authorizationdb write system.preferences.security allow
security authorizationdb write system.services.systemconfiguration.network allow


#Printing
security authorizationdb write system.preferences.printing allow
security authorizationdb write system.printingmanager allow
security authorizationdb write system.print.admin allow
security authorizationdb write system.print.operator allow


#potential force restart and shutdown if other users logged in
security authorizationdb write system.restart allow
security authorizationdb write system.shutdown allow

#App store
security authorizationdb write system.install.app-store-software allow

#DVD Player
security authorizationdb write system.device.dvd.setregion allow
security authorizationdb write system.device.dvd.setregion.change allow
security authorizationdb write system.device.dvd.setregion.initial allow
security authorizationdb write system.device.dvd.setregion.change.comment allow
security authorizationdb write system.device.dvd.setregion.change.change allow
security authorizationdb write system.device.dvd.setregion.initial.class allow
security authorizationdb write system.device.dvd.setregion.change.class allow
security authorizationdb write system.device.dvd.setregion.change.comment allow
security authorizationdb write system.device.dvd.setregion.change.group allow
security authorizationdb write system.device.dvd.setregion.change.group allow
security authorizationdb write system.device.dvd.setregion.change.shared allow

#Groups needed to be in for things to unlock
USERNAME=`who |grep console| awk '{print $1}'`

dseditgroup -o edit -a $USERNAME -T group _appstore
dseditgroup -o edit -a $USERNAME -T group lpadmin

/usr/libexec/airportd prefs RequireAdminNetworkChange=NO RequireAdminIBSS=NO

## Unload locationd
launchctl unload /System/Library/LaunchDaemons/com.apple.locationd.plist

## Write enabled value to locationd plist
defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -int 1
/usr/libexec/PlistBuddy -c "Set :com.apple.locationd.bundle-/System/Library/PrivateFrameworks/AssistantServices.framework:Authorized true" /var/db/locationd/clients.plist

## Fix Permissions for the locationd folder
chown -R _locationd:_locationd /var/db/locationd

## Reload locationd
launchctl load /System/Library/LaunchDaemons/com.apple.locationd.plist

exit 0

boberito
Valued Contributor

As for fixing the Date and Time. So we have an 802.1x network and students can't get on the network if the date and time is way off which happens sometimes if they let their computer run out of power too far and sit out of power for a while. They don't realize that the date and time is waaaay off, just that they can't get on the network "my wifi is broke". And even with all of that set it doesn't seem like they always have access to be able to fix it. Plus they don't realize it's off.

So I set a policy with a script to run every login and make it available offline. It uses Pashua (https://www.bluem.net/en/projects/pashua/) to create a dialog box so that the standard user can set the date and time. Then it restarts the computer (not required).

You could set this as a Self Service policy or just keep it the same as a login policy.

#!/bin/sh

#Runs every login. If the date and time are way off, then it brings up the Pashua dialog to allow the user to adjust the date and time

#put Pashua wherever you want
pashuapath="/Applications/Pashua.app/Contents/MacOS/Pashua"

pashua_run() {

    # Write config file
    local pashua_configfile=`/usr/bin/mktemp /tmp/pashua_XXXXXXXXX`
    echo "$1" > "$pashua_configfile"

    if [ "" = "$pashuapath" ]
    then
        >&2 echo "Error: Pashua could not be found"
        exit 1
    fi

    # Get result
    local result=$("$pashuapath" "$pashua_configfile")

    # Remove config file
    rm "$pashua_configfile"

    oldIFS="$IFS"
    IFS=$'\n'

    # Parse result
    for line in $result
    do
        local name=$(echo $line | sed 's/^\([^=]*\)=.*$/\1/')
        local value=$(echo $line | sed 's/^[^=]*=\(.*\)$/\1/')
        eval $name='$value'
    done

    IFS="$oldIFS"
}

REFERENCEDATE=$(date -r /System/Library/CoreServices/XProtect.bundle +%Y%m%d)
CURRENTSYSTEMDATE=$(date +%Y%m%d)

if [ "$CURRENTSYSTEMDATE" -ge "$REFERENCEDATE" ]; then 
    exit 0
else 
    echo "Going into one-time clock set..."

conf="
# Set window title
*.title = Date and Time
*.floating = 1

img.type = image
img.x = 0
img.y = 125
img.maxwidth = 50
img.maxheight = 50
img.path = /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertNoteIcon.icns

# Message
txt.type = text
txt.default = Your current date & time is incorrect. This will result in problems when you are connecting to the network. Your computer will restart when you close the window or click Ok.
txt.width = 215
txt.x = 60
txt.y = 110

# Date and time picker
d.type = date
d.label = Please set the Date and Time
d.textual = 1
d.date = 1
d.time = 1
"
    pashua_run "$conf" "$customLocation"

    newmonth=$(echo $d | awk '{ print $1 }' | awk -F "-" '{ print $2 }')
    newday=$(echo $d | awk '{ print $1 }' | awk -F "-" '{ print $3 }')
    newyear=$(echo $d | awk '{ print $1 }' | awk -F "-" '{ print $1 }' | cut -c 3-)
    UserSetDate="$(echo $d | awk '{ print $1 }' | awk -F "-" '{ print $2 }'):$(echo $d | awk '{ print $1 }' | awk -F "-" '{ print $3 }'):$(echo $d | awk '{ print $1 }' | awk -F "-" '{ print $1 }' | cut -c 3-)"
    UserSetClock=$(echo $d | awk '{ print $2 }')

    systemsetup -setusingnetworktime off
    systemsetup -setdate $UserSetDate
    systemsetup -settime $UserSetClock
    shutdown -r NOW
fi

noahdowd
Contributor

Is there a good way to check for these settings like in an Extension Attribute?
Even though it looks like XML when I run the command manually, security authorizationdb read system.services.systemconfiguration.network only seems to pipe "YES (0)" to xmllint regardless of whether it's been modified or not.

noahdowd
Contributor

Oh nm. I got it with grep and awk.

snovak
Contributor

@noahdowd What grep/awk did you end up doing for this? I'm looking to make some EA's but I think that "YES (0)" is causing output issues.

#!/bin/bash

GROUP=`security authorizationdb read system.services.systemconfiguration.network | grep array -A1 | grep string | cut -d'>' -f2 | cut -d'<' -f1`

echo "<result>$GROUP</result>"

exit 0

Got it:

#!/bin/bash

GROUP=`security authorizationdb read system.services.systemconfiguration.network 2> /dev/null | grep array -A1 | grep string | cut -d'>' -f2 | cut -d'<' -f1`

echo "<result>$GROUP</result>"

exit 0

noahdowd
Contributor

@snovak Oh cool. Yeah mine is similar but no cut:

#!/bin/bash

result="No"

systemPrefsStatus="$(/usr/bin/security authorizationdb read system.preferences | xmllint --format - | grep -A 2 '<key>rule</key>' | grep '<string>' | awk -F '>|<' '{print $3}')"
echo "$systemPrefsStatus"
if [[ $systemPrefsStatus == "allow" ]]; then
    networkPrefStatus=$(/usr/bin/security authorizationdb read system.preferences.network | xmllint --format - | grep -A 2 "<key>rule</key>" | grep "<string>" | awk -F ">|<" '{print $3}')
    echo "$networkPrefStatus"
    if [[ $networkPrefStatus == "allow" ]]; then
        networkConfStatus=$(/usr/bin/security authorizationdb read system.services.systemconfiguration.network | xmllint --format - | grep -A 2 "<key>rule</key>" | grep "<string>" | awk -F ">|<" '{print $3}')
        echo "$networkConfStatus"
        if [[ $networkConfStatus == "allow" ]]; then
            result="Yes"
        fi
    fi
fi

echo "<result>$result</result>"
exit 0
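
An added example, not code from any poster in this thread: an extension-attribute style audit that classifies each right's plist instead of grepping for one string, so a right held by a group or by a named rule such as authenticate-admin is told apart from one set to allow. The function names, the constructed sample plists and the result format are assumptions made for illustration.

```shell
#!/bin/sh
# Classify one right's plist (the stdout of `security authorizationdb read`).
# Assumes one XML element per line, as that command prints it.
classify_right() {
    awk '
        /<key>/ { key = $0; sub(/.*<key>/, "", key); sub(/<\/key>.*/, "", key); next }
        /<string>/ {
            val = $0; sub(/.*<string>/, "", val); sub(/<\/string>.*/, "", val)
            if (key == "class") cls = val
            else if (key == "group") grp = val
            else if (key == "rule") rules = (rules == "" ? val : rules "," val)
        }
        END {
            if (cls == "allow" || rules == "allow") print "open"
            else if (rules != "") print "rule:" rules
            else if (cls == "user") print "group:" grp
            else print "unknown"
        }'
}

# Real reader for a Mac; the "YES (0)" status line goes to stderr.
read_right() { /usr/bin/security authorizationdb read "$1" 2>/dev/null; }

# Constructed sample plists so the block runs offline (not real machine output).
sample_right() {
    if [ "$1" = "system.preferences.network" ]; then
        printf '%s\n' '<dict>' '<key>class</key>' '<string>rule</string>' \
            '<key>rule</key>' '<array>' '<string>allow</string>' '</array>' '</dict>'
    else
        printf '%s\n' '<dict>' '<key>class</key>' '<string>user</string>' \
            '<key>comment</key>' '<string>constructed sample</string>' \
            '<key>group</key>' '<string>admin</string>' '</dict>'
    fi
}

# audit_rights READER RIGHT...: report every right that is set to allow.
audit_rights() {
    reader=$1; shift
    open=""
    for right in "$@"; do
        state=$("$reader" "$right" | classify_right)
        if [ "$state" = "open" ]; then open="${open:+$open, }$right"; fi
    done
    echo "<result>${open:-none}</result>"
}

# Offline demo; on a managed Mac pass read_right instead of sample_right.
audit_rights sample_right system.preferences system.preferences.network \
    system.services.systemconfiguration.network
```

Reporting the rights by name rather than a single Yes/No makes it visible in inventory which right was loosened and whether a later revert took effect.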

monaronyc
Contributor

@noahdowd just curious... we're looking for something to unlock the Energy Saver preferences. If we wanted to script this from yours for just the Energy Saver prefs, to make it easy, would we just rename everything on your script from network to energysaver?

Chuey
Contributor III

@boberito Are you able to unlock Security & Privacy Pane for non-admins on Mojave and later? I'm attempting with:

security authorizationdb write system.preferences.SecurityPrivacy allow
security authorizationdb write system.preferences allow
security authorizationdb write system.preferences.security allow

But it doesn't appear to be working. Any thoughts on this?

thanks

gullik
New Contributor

Trying to create an option to reverse the admin privileges that have been granted to standard users. Seemed like a find and replace would do the trick on boberito's original script, i.e.:

security authorizationdb write system.preferences.network deny
security authorizationdb write system.services.systemconfiguration.network deny
/usr/libexec/airportd prefs RequireAdminNetworkChange=YES RequireAdminIBSS=YES

The admin privileges remain in place even after a restart. 6005 appears to be a generic scripting error for a bad argument. (See attached screen shot of the log summary)

"Deny" would appear to be a valid argument to pass here (cf. R. Trouton's guide below)
https://derflounder.wordpress.com/2014/02/16/managing-the-authorization-database-in-os-x-mavericks/?scrlybrkr=e43a47de

@Chuey: It would appear that we are barking up similar trees.

Scott_Conway
New Contributor III

Did you ever find out how to do the reverse command? I have read that "deny" won't (and shouldn't) work because it would make it so no one (not even admins) could unlock the preference. I have tried instead

security authorizationdb write system.preferences.energysaver admin

security authorizationdb write system.preferences.energysaver authenticate-admin

Both write properly, but the energy saving preferences remain unlocked