SAP Privileges Managed Installation

samuellarsson
New Contributor III

Hi,

I'm preparing deployment of the admin-by-request tool Privileges (https://github.com/SAP/macOS-enterprise-privileges), but I've run into a snag when I try to install it via Jamf.

So, the package that I've made has the .app, the LaunchDaemon and the PrivilegedHelperTool, all according to the documentation, and they all install fine. But when I run it the first time, I get the following prompt asking me for administrator credentials to install the PrivilegedHelperTool again:

[Image: Screenshot 2023-03-08 at 11.03.08.png]

If I enter them, it works as expected, but the problem is that I want a standard user to be able to install this without entering any admin credentials.

Has anyone encountered this problem? I don't understand why it wants to install it when I've already pre-installed it via my package.

1 ACCEPTED SOLUTION

sdagley
Esteemed Contributor II

@samuellarsson Here's a guide on creating a Privileges installer package using Composer that will set up the helper tool during installation: https://travellingtechguy.blog/sap-privileges-app/

8 REPLIES

daniel_behan
Contributor III

I use Rich Trouton's AutoPkg recipe found here. It's also in the JAMF App Catalog in the Mac Apps Section.

samuellarsson
New Contributor III

That was exactly what I was looking for, thank you!

Jason33
Contributor III

I recall seeing somewhere that you can now control the time limit and Privileges will automatically demote the user back to Standard, is that correct? I think creating a config profile with the time limit set?

@Jason33 The user can control the time limit, but only if they right click the Dock icon and press "Toggle Privileges". If you'd just press the Dock icon, the default time limit is used, which can be configured in a configuration profile.

Once the time limit is up, the user doesn't get automatically demoted. Instead they get asked if they still need the Admin role, and if so the timer gets reset.

daniel_behan
Contributor III

You can set the time limit in a configuration profile and script a LaunchDaemon to demote the user when the timer is up. You can use and modify a script like Kandji's here. You can also use JAMF's MakeMeAnAdmin script and modify it to run

/Applications/Privileges.app/Contents/Resources/PrivilegesCLI --add or --remove
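
The timed demotion described in the reply above, as an added example that is not part of the original thread, the Privileges project, or the Kandji or Jamf scripts it mentions. It assumes a root LaunchDaemon runs it periodically with `--run`, that PrivilegesCLI acts on the user who invokes it, and that the time limit and state directory (both hypothetical values) suit your fleet.

```shell
#!/bin/bash
# Added example: demote the console user once a time limit has elapsed.
CLI="/Applications/Privileges.app/Contents/Resources/PrivilegesCLI"  # path from the thread
LIMIT_MIN=20                            # hypothetical time limit in minutes
STATE_DIR="/var/db/privileges-demote"   # hypothetical root-only state directory

# timer_expired GRANTED_EPOCH NOW_EPOCH LIMIT_MINUTES -> status 0 when time is up
timer_expired() {
  [ $(( $2 - $1 )) -ge $(( $3 * 60 )) ]
}

# in_admin_group "space separated group names" -> status 0 if "admin" is a member
# Matches the whole word only, so "_lpadmin" does not count as admin.
in_admin_group() {
  case " $1 " in *" admin "*) return 0 ;; *) return 1 ;; esac
}

main() {
  user=$(stat -f %Su /dev/console)      # macOS: owner of the console session
  case "$user" in root|loginwindow|_mbsetupuser|"") return 0 ;; esac
  uid=$(id -u "$user")
  marker="$STATE_DIR/$user"
  # Keep state root-only so a standard user cannot reset their own clock.
  mkdir -p "$STATE_DIR" && chmod 700 "$STATE_DIR"
  if ! in_admin_group "$(id -Gn "$user")"; then
    rm -f "$marker"                     # already standard: clear the timer
    return 0
  fi
  now=$(date +%s)
  [ -f "$marker" ] || echo "$now" > "$marker"   # first sighting as admin starts the clock
  if timer_expired "$(cat "$marker")" "$now" "$LIMIT_MIN"; then
    # Assumption: the CLI changes the invoking user, so run it in that user's session.
    launchctl asuser "$uid" sudo -u "$user" "$CLI" --remove && rm -f "$marker"
  fi
}

if [ "${1:-}" = "--run" ]; then main; fi
```

The marker is only deleted when `--remove` succeeds, so a failed demotion is retried on the next LaunchDaemon run.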

kevin_neely
New Contributor III

I've been spending some time trying to get this to work and have run into a permissions issue. Working off of what I've read here: https://travellingtechguy.blog/sap-privileges-app/ and copying rtrouton's script from GitHub, every time I run the Composer packaged app and script it fails. I use Composer to package the app by itself and that installs fine, but have the problem with Install Helper. I then run the rtrouton script by itself on the laptop with only the app and I keep getting an error of: "cp:/Library/PrivilegeHelperTools/corp.sap.privileges.helper: Permission denied".

Anyone have an idea why? I am running this on 14.4.1, as a standard user, though when I tried it as Admin it also failed.

If you get the package from Rich Trouton's AutoPkg recipe, the appropriate helper tools should be present.