Posted on 03-08-2023 02:14 AM
Hi,
I'm preparing deployment of the admin-by-request tool Privileges (https://github.com/SAP/macOS-enterprise-privileges), but I've run into a snag when I try to install it via Jamf.
So, the package that I've made has the .app, the LaunchDaemon and the PrivilegedHelperTool, all according to the documentation, and they all install fine. But when I run it the first time, I get the following prompt asking me for administrator credentials to install the PrivilegedHelperTool again:
If I enter them, it works as expected, but the problem is that I want a standard user to be able to install this without entering any admin credentials.
Has anyone encountered this problem? I don't understand why it wants to install it when I've already pre-installed it via my package.
Posted on 03-08-2023 04:57 AM
@samuellarsson Here's a guide on creating a Privileges installer package using Composer that will set up the helper tool during installation: https://travellingtechguy.blog/sap-privileges-app/
Posted on 03-08-2023 06:56 AM
I use Rich Trouton's AutoPkg recipe found here. It's also in the JAMF App Catalog in the Mac Apps Section.
Posted on 03-09-2023 01:07 AM
That was exactly what I was looking for, thank you!
Posted on 03-09-2023 02:30 AM
I recall seeing somewhere that you can now control the time limit and Privileges will automatically demote the user back to Standard, is that correct? I think creating a config profile with the time limit set?
Posted on 04-25-2023 05:17 AM
@Jason33 The user can control the time limit, but only if they right click the Dock icon and press "Toggle Privileges". If you'd just press the Dock icon, the default time limit is used, which can be configured in a configuration profile.
Once the time limit is up, the user doesn't get automatically demoted. Instead they get asked if they still need the Admin role, and if so the timer gets reset.
Posted on 04-25-2023 06:32 AM
You can set the time limit in a configuration profile and script a LaunchDaemon to demote the user when the timer is up. You can use and modify a script like Kandji's here. You can also use JAMF's MakeMeAnAdmin script and modify it to run
/Applications/Privileges.app/Contents/Resources/PrivilegesCLI --add or --remove
Posted on 04-11-2024 07:25 AM
I've been spending some time trying to get this to work and have run into a permissions issue. Working off of what I've read here: https://travellingtechguy.blog/sap-privileges-app/ and copying rtrouton's script from GitHub, every time I run the Composer packaged app and script, it fails. I use Composer to package the app by itself and that installs fine, but I have the problem with Install Helper. I then run the rtrouton script by itself on the laptop with only the app, and I keep getting an error of: "cp:/Library/PrivilegeHelperTools/corp.sap.privileges.helper: Permission denied".
Anyone have an idea why? I am running this on 14.4.1, as a standard user, though when I tried it as Admin it also failed.
Posted on 04-11-2024 07:32 AM
If you get the package from Rich Trouton's AutoPkg recipe, the appropriate helper tools should be present.