Setting SAP Privileges Preferences

ardrake
New Contributor III

First, thanks to @rtrouton for bringing us the Privileges app.

I'm trying to set the Dock Tile Timeout time via configuration profile, using the "DockToggleTimeout" .mobileconfig sample from GitHub. So far I haven't gotten the configuration profile to apply the setting.

I discovered that changing this setting from the Privileges app reflects in the corp.sap.privileges.plist in the user's profile (specifically in UsersmyuserLibraryContainerscorp.sap.privilegesDataLibraryPreferences), and so I changed the configuration profile to apply at the User level instead of Computer. However once the configuration profile was applied, the .plist file was not changed to reflect this change.

Any thoughts on what I might be doing wrong? This seems like it should be fairly straightforward.

1 ACCEPTED SOLUTION

rtrouton
Valued Contributor III

Right. By stopping the app from launching, the Toggle privileges option also does not work.

View solution in original post

9 REPLIES 9

ardrake
New Contributor III

Applying the configuration profile changes the .plist file in LibraryManaged Preferences. How do I make the app reference those preferences instead of those saved in the local profile?

rtrouton
Valued Contributor III

What are your expectations of what the DockToggleTimeout setting does? The reason I'm asking is that the DockToggleTimeout setting sets a fixed timeout, in minutes, for the Dock tile's Toggle Privileges command.

ec0a9219be9943e4952087221e757d0d

Otherwise, there is no time limit on the admin rights granted by Privileges.app. Admin rights are granted until some process (like running Privileges.app again) takes them away.

ardrake
New Contributor III

My hope was to set the DockToggleTimeout via configuration profile so that users are only given admin rights for that set amount of time by using the "Toggle privileges" option. I'd set a software restriction in Jamf to prevent the user from opening the app "normally" and giving them self indefinite admin rights, but perhaps that will also prevent the Privileges app from performing the toggle function.

rtrouton
Valued Contributor III

Right. By stopping the app from launching, the Toggle privileges option also does not work.

View solution in original post

bartlomiejsojka
Contributor
Contributor

Toggle privileges function is actually handled by the PrivilegesCLI, so you should be fine killing the exact process of Privileges leaving the CLI one intact. Of course if your end users figure out the CLI, they will be able to set themselves admins permanently anyway, but I guess all temporarily elevating solutions out there depend on some kind of a trust to your end users, right? 🤓.

Still, what you thought is possible with DockToggleTimeout is I think a quite common misconception — one I've initially shared as well when approaching the app for the very first time — and it's a shame there's no way to force the app to always enter the timeout mode and then even add a Reason prompt to the mix. The CP–configurable settings seem almost like excluding one another. There's a similar requests via PR on SAP's git, but it doesn't feel easy to provide feedback there without issues reporting. But this may change, as we have Rick here with us 😝.

Otherwise a great app with a simple, nice UX 👍🏼.

PhillyPhoto
Contributor III

Has anyone had success with the DockToggleTimeout in a profile? I made a profile with a few settings (see below), and I get prompted for a reason, and I have to authenticate, however it does not timeout after 1 minute. I also notice the icon does not change to the managed icon like it should according to the documentation.
3da1c72a4a974d0aa844f65242b84814

rtrouton
Valued Contributor III

@PhillyPhoto ,

What are your expectations of what the DockToggleTimeout setting does? The reason I'm asking is that the DockToggleTimeout setting sets a fixed timeout, in minutes, for the Dock tile's Toggle Privileges command.

ec0a9219be9943e4952087221e757d0d

If the expectation is that Privileges will time-out admin rights outside of using Toggle Privileges, that's not what will happen. Admin rights are granted until some process (like running Privileges again) takes them away.

Also, the DockToggleTimeout setting does not cause the managed icon to appear (this is mentioned in the documentation.) I haven't tried this particular combination before, but please try removing the DockToggleTimeout setting from the profile and see if you now get the managed icon.

PhillyPhoto
Contributor III

@rtrouton I don't know why it hasn't "clicked" before now, but I think I understand the purpose of the timeout. Is there a plan to add a "revert timeout" type setting in the future to have it built-in?

I removed the timeout, but I'm still not getting the managed icons. I do see that the right click toggle is completely disabled now, and I'm assuming that is because I require authentication and a reason so it can't be toggled quickly?

96094efa100747d29e8fcd01fb9761ec

fd14d6e6b91f4f3fae90f11244635d88

rtrouton
Valued Contributor III

The disabling of the Toggle privileges function is because either the ReasonRequired or the RequireAuthentication setting is being managed. If you refer to the documentation, you should see these notes along with the ReasonRequired and the RequireAuthentication sections:

  • Note: If setting ReasonRequired, the Toggle Privileges option is automatically disabled.
  • Note: If setting RequireAuthentication, the Toggle Privileges option is automatically disabled.