Time Machine for standard users

catfeetstop
Contributor II

Is there a way to allow a standard, non admin user to use Time Machine if they want? Right now, they have to unlock the preference pane to setup Time Machine.

Jamie Bell
Apple Technology Administrator
The Westminster Schools
Ph: 404-609-6345

10 REPLIES 10

bentoms
Release Candidate Programs Tester

I'm not sure if this will help, but the script in the link edits /etc/authorization to allow all users to unlock each secure preference pane..

So, if you're looking them down.. this may help.

http://macmule.com/2010/11/18/unlock-each-secure-system-preference-allow-all-users-to-unlock/

easyedc
Valued Contributor II

Out of curiosity, has anyone tried @bentoms script lately? I have recently had a need to do such a thing, and i couldn't get it to work on a test box, and wondered if there was a config change under 10.9 blocking this?

bentoms
Release Candidate Programs Tester

easyedc
Valued Contributor II

thanks @bentoms that did the trick. Der Flounder (and you!) are such great resources out here.

corbinmharris
Contributor

All our seniors take their MBP's with them upon graduation. We need them to back their data up before we wipe and re-image with a clean copy of 10.10.5.

!/bin/bash

This script will allow non-admins to enable time machine.

Open up parent authorization so it does not supersede child authorization

security authorizationdb write system.preferences allow

Open Printing Preference Pane

security authorizationdb write system.preferences.timemachine allow

Corbin

TylerC
New Contributor III

@corbinmharris Do you just put the two commands into a script and then deploy it? I just want users to be able to restore files and be able to control their time machines. This will not give them full system preferences correct?

Chris_Hafner
Valued Contributor II

@TylerC In short: Yes. Include those two lines in a script and your users (ALL USES of that unit) will have access to that preference pane, and nothing additional (i.e. network, etc). We include several more items in our FirstRun script such as:

security authorizationdb write system.preferences allow
security authorizationdb write system.preferences.datetime allow
security authorizationdb write system.preferences.timemachine allow
security authorizationdb write system.preferences.energysaver allow
security authorizationdb write system.preferences.printing allow
security authorizationdb write system.print.operator allow

TylerC
New Contributor III

In addition to the time machine preference pane they also need to be able to do file restores from it. Will this allow them to preform this task as-well?

I did see that you had a few printing options in there. Currently we are giving all users lpadmin privileges in order to manage printer settings. Would the use of this script work as -well?

Will this override my configuration profile restrictions then?

EDIT: Looks like it is working so far and not overwriting anything. I am going to test it some more and hopefully deploy it.

Chris_Hafner
Valued Contributor II

@TylerC Profiles should win any battle between them, but I don't have any conflicting profiles in production so... Also, this is part of a much broader First Run Script. When talking printer's I also include

# Add all users to dseditgroup and give all print privledges
/usr/sbin/dseditgroup -o edit -n /Local/Default -a everyone -t group lpadmin
/usr/sbin/dseditgroup -o edit -n /Local/Default -a everyone -t group _lpadmin
/usr/bin/defaults write /System/Library/LaunchAgents/com.apple.printuitool.agent.plist Disabled -bool YES
/usr/bin/defaults write /System/Library/LaunchAgents/com.apple.printuitool.agent.plist EnableTransactions -bool NO

# Expand print panel by default
/usr/bin/defaults write NSGlobalDomain PMPrintingExpandedStateForPrint -bool true
/usr/bin/defaults write NSGlobalDomain PMPrintingExpandedStateForPrint2 -bool true

# Expand save panel by default
/usr/bin/defaults write NSGlobalDomain NSNavPanelExpandedStateForSaveMode -bool true
/usr/bin/defaults write NSGlobalDomain NSNavPanelExpandedStateForSaveMode2 -bool true

Adding them to the lpadmin group also allows printer installation/management from non-System preferences locations, like print dialog boxes. That said, I haven't done a lot of experimentation on this lately. Perhaps these are redundant to a point.

(If some of you recognise these lines, they come from a FRScript developed over time by both Rich Trouton and John Wojda. As any good jamfAdmin, I've taken their FRScripts as a base and modified them for our environment.

hepvd
Contributor
/usr/bin/security authorizationdb write system.preferences.timemachine allow

Does not seems to work under Big Sur with M1 Macs, any known workaround ?