Posted on 05-23-2014 01:02 PM
I have been wanting to update my “Power User” script (https://jamfnation.jamfsoftware.com/discussion.html?id=5666) for some time now to leverage the “security” command.
Using the info from Rich Trouton's http://derflounder.wordpress.com/2014/02/16/managing-the-authorization-database-in-os-x-mavericks/, I know how to allow access to specific system preferences.
For instance, to allow non-admin users to modify the Date & Time prefs:
security authorizationdb write system.preferences allow
security authorizationdb write system.preferences.datetime allow
That works.
I also want to be able to undo this, like I was able to in my previous “Power User” script.
You would think this would work:
security authorizationdb write system.preferences.datetime deny
The command replies NO. :-(
Thoughts?
Posted on 05-23-2014 01:25 PM
You would think this would work:
security authorizationdb write system.preferences deny
The command replies NO. :-(
Good thing. If it worked, NO-ONE (including admins) would be able to use (or authorize to use) System Preferences.
You should save the original settings with
security authorizationdb read system.preferences > /path/to/saved/system.preferences.right
Then to reverse your changes:
security authorizationdb write system.preferences < /path/to/saved/system.preferences.right
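The save-then-restore approach from the reply above, as an added sketch that is not part of the original post. The function names and the backup directory are assumptions; the functions are meant to be run as root on the Mac.

```shell
#!/bin/sh
# Added example: keep the original definition of a right before loosening it,
# so the change can be undone later with "security authorizationdb write".
# BACKUP_DIR is a hypothetical location chosen for this example.
BACKUP_DIR="${BACKUP_DIR:-/var/db/authdb-backups}"

# backup_right RIGHT: save the current definition once.
backup_right() {
    right="$1"
    dest="$BACKUP_DIR/$right.plist"
    # Root-only directory: restore_right feeds these files back into the
    # authorization database, so nobody else may be able to edit them.
    mkdir -p -m 700 "$BACKUP_DIR" || return 1
    # Never overwrite an existing backup. On a second run the live right is
    # already modified, and saving it would destroy the original definition.
    [ -s "$dest" ] && return 0
    tmp="$dest.$$"
    if security authorizationdb read "$right" > "$tmp" 2>/dev/null && [ -s "$tmp" ]; then
        mv "$tmp" "$dest"
    else
        rm -f "$tmp"
        return 1
    fi
}

# grant_right RIGHT: back up first, and only then open the right to everyone.
grant_right() {
    backup_right "$1" && security authorizationdb write "$1" allow
}

# restore_right RIGHT: put the saved definition back; fail if none was saved.
restore_right() {
    src="$BACKUP_DIR/$1.plist"
    if [ ! -s "$src" ]; then
        echo "no saved definition for $1" >&2
        return 1
    fi
    security authorizationdb write "$1" < "$src"
}

# Typical use:
#   grant_right system.preferences.datetime
#   restore_right system.preferences.datetime
```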
Posted on 05-23-2014 06:12 PM
I meant I would want to undo access to Date and Time.
security authorizationdb write system.preferences.datetime deny
(Original post updated.)
Either way I get your point.
Let's assume the original settings have not been saved.
The power user has been given access to Date and Time. But now you want to revoke those privileges for non-admin users.
What security command mojo is needed for that?
Posted on 05-24-2014 08:04 AM
Let's assume the original settings have not been saved. The power user has been given access to Date and Time. But now you want to revoke those privileges for non-admin users.
Find a machine (or build one if needed) that still has the original rights definition.
Use `security authorizationdb read system.preferences.datetime` to read the right. Copy it to a file. Use it to restore the right definition on the modified machine.
I don't think I've modified that right on my machine, and it looks like:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Checked by the Admin framework when making changes to the Date &amp; Time preference pane.</string>
<key>created</key>
<real>404177905.02627999</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>404177905.02627999</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
</plist>
Posted on 05-29-2014 06:59 AM
What I want to be able to do is to give non admin users access to a System pref, AND I also want to be able to undo that.
So what would be the best use of the "security authorizationdb" command to allow and then later deny access?
Posted on 05-29-2014 04:18 PM
I think I am over the "security authorizationdb" hurdle.
This is what I am successfully testing right now.
Authorize non-admin users (everyone) access to Energy Saver
security authorizationdb read system.preferences.energysaver > /tmp/system.preferences.energysaver.plist
defaults write /tmp/system.preferences.energysaver.plist group everyone
# This grants access to the "everyone" group. This could be any group.
security authorizationdb write system.preferences.energysaver < /tmp/system.preferences.energysaver.plist
Revoke non-admin users (everyone) access to Energy Saver
security authorizationdb read system.preferences.energysaver > /tmp/system.preferences.energysaver.plist
defaults write /tmp/system.preferences.energysaver.plist group admin
# This changes access back to admin only - effectively resetting it back to the default.
security authorizationdb write system.preferences.energysaver < /tmp/system.preferences.energysaver.plist
Much more testing needed, but this is huge progress.
Thanks Rich!
Posted on 08-04-2014 04:35 PM
I know this thread is a little old, but I'm running into the same issue. I cannot provide access to the Energy Saver preferences without admin permissions. I have tried the commands above and they all seem to work OK. However, when I log in as a "standard" user I see the padlock on the Energy Saver settings.
Please help.
Posted on 11-06-2014 06:00 AM
Dan, did you push out "security authorizationdb write system.preferences allow" before trying your commands?
Rich Trouton has an excellent write-up of this on his website:
http://derflounder.wordpress.com/2014/02/16/managing-the-authorization-database-in-os-x-mavericks/
Posted on 01-06-2016 05:17 PM
Sorry to resurrect a long-dead thread, but there's a one-line solution to this instead of writing temp files. Using "admin" instead of "deny" will give the desired effect of requiring administrator access again.
security authorizationdb write system.preferences.datetime admin
Hope that helps someone searching this thread.
Posted on 02-03-2016 03:20 PM
Hooray, @erikblack!
I'm trying to learn my way around authorizationdb, and your post answered a question that's been bugging me for a long time.
Thank you!
Posted on 08-01-2016 08:45 AM
Anyone have any luck with allowing the Security preference pane access for non-admin users in El Capitan?
Everything I am trying is not working.
Posted on 06-13-2017 05:18 AM
@erikblack I know this is an old thread but I had to thank you for this. I always like a way to undo what I have done and this works.
@tkimpton I'm using El Capitan and the security authorizationdb write commands work just fine for me.
#!/bin/sh
security authorizationdb write system.preferences allow
security authorizationdb write system.preferences.datetime allow
Posted on 06-14-2017 12:36 PM
Happy to provide something useful! I get a lot of good information from these forums!