Help

SAP Privileges Managed Installation

Go to solution
samuellarsson
New Contributor III

Posted on ‎03-08-2023 02:14 AM

Hi,

I'm preparing deployment of the admin-by-request tool Privileges (https://github.com/SAP/macOS-enterprise-privileges), but I've run into a snag when I try to install it via Jamf.

So, the package that I've made has the .app, the LaunchDaemon and the PrivilegedHelperTool, all according to the documentation, and they all install fine. But when I run it the first time, I get the following prompt asking me for adminstrator credentials to install the PrivilegedHelperTool again:

Screenshot 2023-03-08 at 11.03.08.png

 

If I enter them, it works as expected, but the problem is that I want a standard user to be able to install this without entering any admin credentials.

Has anyone encountered this problem? I don't understand why it wants to install it when I've already pre-installed it via my package.

0 Kudos
1 ACCEPTED SOLUTION

Go to solution
sdagley
Esteemed Contributor II

Posted on ‎03-08-2023 04:57 AM

@samuellarsson Here's a guide on creating a Privileges installer package using Composer that will set up the helper tool during installation: https://travellingtechguy.blog/sap-privileges-app/

View solution in original post

8 REPLIES 8

Go to solution
sdagley
Esteemed Contributor II

Posted on ‎03-08-2023 04:57 AM

@samuellarsson Here's a guide on creating a Privileges installer package using Composer that will set up the helper tool during installation: https://travellingtechguy.blog/sap-privileges-app/

Go to solution
daniel_behan
Contributor III

Posted on ‎03-08-2023 06:56 AM

I use Rich Trouton's AutoPkg recipe found here.  It's also in the JAMF App Catalog in the Mac Apps Section.

Go to solution
samuellarsson
New Contributor III

Posted on ‎03-09-2023 01:07 AM

That was exactly what I was looking for, thank you!

0 Kudos

Go to solution
Jason33
Contributor III

Posted on ‎03-09-2023 02:30 AM

I recall seeing somewhere that you can now control the time limit and Privileges will automatically demote the user back to Standard, is that correct? I think creating a config profile with the time limit set?

0 Kudos

Go to solution
samuellarsson
New Contributor III
In response to Jason33

Posted on ‎04-25-2023 05:17 AM

@Jason33 The user can control the time limit, but only if they right click the Dock icon and press "Toggle Privileges". If you'd just press the Dock icon, the default time limit is used, which can be configured in a configuration profile.

Once the time limit is up, the user doesn't get automatically demoted. Instead they get asked if they still need the Admin role, and if so the timer gets reset.

0 Kudos

Go to solution
daniel_behan
Contributor III

Posted on ‎04-25-2023 06:32 AM

You can set the time limit in a configuration profile and script a LaunchDaemon to demote the user when the timer is up.  You can use and modify a script like Kandji's here.  You can also use JAMF's MakeMeAnAdmin script and modify it to run 

/Applications/Privileges.app/Contents/Resources/PrivilegesCLI --add or --remove

Go to solution
kevin_neely
New Contributor III

Thursday

I've been spending some time trying to get this to work and have run into a permissions issue.  Working off of what I've read here: https://travellingtechguy.blog/sap-privileges-app/ and copying rtrouton's script from Git Hub every time I run the Composer packaged app and script it fails. I use Composer to package the app by itself and that installs fine, but have the problem with Install Helper. I then run the rtrouton script by itself on the laptop with only the app and I keep getting an error of: "cp:/Library/PrivilegeHelperTools/corp.sap.privileges.helper: Permission denied".

Anyone have an idea why? I am running this on 14.4.1, as a standard user, though I tried it as Admin it also failed.

0 Kudos

Go to solution
daniel_behan
Contributor III
In response to kevin_neely

Thursday

If you get the package from Rich Trouton's AutoPkg recipe, the appropriate helper tools should be present.