SAP Privileges Managed Installation

samuellarsson
New Contributor III

Hi,

I'm preparing deployment of the admin-by-request tool Privileges (https://github.com/SAP/macOS-enterprise-privileges), but I've run into a snag when I try to install it via Jamf.

So, the package that I've made has the .app, the LaunchDaemon and the PrivilegedHelperTool, all according to the documentation, and they all install fine. But when I run it the first time, I get the following prompt asking me for administrator credentials to install the PrivilegedHelperTool again:

If I enter them, it works as expected, but the problem is that I want a standard user to be able to install this without entering any admin credentials.

Has anyone encountered this problem? I don't understand why it wants to install it when I've already pre-installed it via my package.

1 ACCEPTED SOLUTION

sdagley
Esteemed Contributor II

@samuellarsson Here's a guide on creating a Privileges installer package using Composer that will set up the helper tool during installation: https://travellingtechguy.blog/sap-privileges-app/

daniel_behan
Contributor III

I use Rich Trouton's AutoPkg recipe found here.  It's also in the JAMF App Catalog in the Mac Apps Section.

samuellarsson
New Contributor III

That was exactly what I was looking for, thank you!

Jason33
Contributor III

I recall seeing somewhere that you can now control the time limit and Privileges will automatically demote the user back to Standard, is that correct? I think creating a config profile with the time limit set?

@Jason33 The user can control the time limit, but only if they right-click the Dock icon and press "Toggle Privileges". If you just press the Dock icon, the default time limit is used, which can be configured in a configuration profile.

Once the time limit is up, the user doesn't get automatically demoted. Instead they get asked if they still need the Admin role, and if so the timer gets reset.

daniel_behan
Contributor III

You can set the time limit in a configuration profile and script a LaunchDaemon to demote the user when the timer is up. You can use and modify a script like Kandji's here. You can also use JAMF's MakeMeAnAdmin script and modify it to run:

/Applications/Privileges.app/Contents/Resources/PrivilegesCLI --add or --remove
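
A sketch of the LaunchDaemon-driven demotion check described in the reply above, as an added example; it is not part of any post in this thread and is not Kandji's or Jamf's script. The state directory, the 20-minute limit, starting the timer when the check first sees the user as admin, and running PrivilegesCLI in the console user's session are assumptions.

```shell
#!/bin/sh
# Added example: timed demotion check, meant to be run as root by a
# LaunchDaemon at a short interval. Only the PrivilegesCLI path is from the thread.
CLI="/Applications/Privileges.app/Contents/Resources/PrivilegesCLI"
# Hypothetical state location; keep it root-owned and not user-writable,
# otherwise the user can reset their own timer.
STATE_DIR="${STATE_DIR:-/var/db/privileges-demote}"
LIMIT_SECS="${LIMIT_SECS:-1200}"   # assumed limit: 20 minutes

console_user() { stat -f%Su /dev/console; }
is_admin()     { dseditgroup -o checkmember -m "$1" admin >/dev/null 2>&1; }
# Assumption: PrivilegesCLI acts on the user it runs as, so run it in that
# user's session rather than as root.
demote()       { launchctl asuser "$(id -u "$1")" sudo -u "$1" "$CLI" --remove; }
now()          { date +%s; }

# Prints one of: skip, clear, start, wait, demoted
check_once() {
    user=$(console_user)
    # Nobody logged in, or a system session: nothing to demote.
    case "$user" in ""|root|loginwindow|_mbsetupuser) echo skip; return 0 ;; esac
    stamp="$STATE_DIR/$user.since"
    if ! is_admin "$user"; then
        rm -f "$stamp"; echo clear; return 0      # already standard: reset timer
    fi
    if [ ! -f "$stamp" ]; then
        mkdir -p "$STATE_DIR" && now > "$stamp"   # first sighting as admin
        echo start; return 0
    fi
    since=$(cat "$stamp")
    case "$since" in ""|*[!0-9]*) since=0 ;; esac # corrupt stamp counts as expired
    if [ $(( $(now) - $since )) -ge "$LIMIT_SECS" ]; then
        demote "$user" && rm -f "$stamp" && echo demoted
    else
        echo wait
    fi
}

# The LaunchDaemon would call this script with --run in ProgramArguments.
if [ "${1:-}" = "--run" ]; then check_once; fi
```

A corrupt or emptied timestamp file is treated as expired, so tampering with the state shortens the admin window instead of extending it.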