I'm not sure if this will help, but the script in the link edits /etc/authorization to allow all users to unlock each secure preference pane.
So, if you're locking them down... this may help.
All our seniors take their MBPs with them upon graduation. We need them to back their data up before we wipe and re-image with a clean copy of 10.10.5.
security authorizationdb write system.preferences allow
security authorizationdb write system.preferences.timemachine allow
@TylerC In short: Yes. Include those two lines in a script and your users (ALL USERS of that unit) will have access to that preference pane, and nothing additional (i.e. network, etc). We include several more items in our FirstRun script such as:
security authorizationdb write system.preferences allow
security authorizationdb write system.preferences.datetime allow
security authorizationdb write system.preferences.timemachine allow
security authorizationdb write system.preferences.energysaver allow
security authorizationdb write system.preferences.printing allow
security authorizationdb write system.print.operator allow
In addition to the time machine preference pane they also need to be able to do file restores from it. Will this allow them to perform this task as well?
I did see that you had a few printing options in there. Currently we are giving all users lpadmin privileges in order to manage printer settings. Would the use of this script work as well?
Will this override my configuration profile restrictions then?
EDIT: Looks like it is working so far and not overwriting anything. I am going to test it some more and hopefully deploy it.
@TylerC Profiles should win any battle between them, but I don't have any conflicting profiles in production so... Also, this is part of a much broader First Run Script. When talking printers I also include
# Add all users to dseditgroup and give all print privileges
/usr/sbin/dseditgroup -o edit -n /Local/Default -a everyone -t group lpadmin
/usr/sbin/dseditgroup -o edit -n /Local/Default -a everyone -t group _lpadmin
/usr/bin/defaults write /System/Library/LaunchAgents/com.apple.printuitool.agent.plist Disabled -bool YES
/usr/bin/defaults write /System/Library/LaunchAgents/com.apple.printuitool.agent.plist EnableTransactions -bool NO
# Expand print panel by default
/usr/bin/defaults write NSGlobalDomain PMPrintingExpandedStateForPrint -bool true
/usr/bin/defaults write NSGlobalDomain PMPrintingExpandedStateForPrint2 -bool true
# Expand save panel by default
/usr/bin/defaults write NSGlobalDomain NSNavPanelExpandedStateForSaveMode -bool true
/usr/bin/defaults write NSGlobalDomain NSNavPanelExpandedStateForSaveMode2 -bool true
Adding them to the lpadmin group also allows printer installation/management from non-System preferences locations, like print dialog boxes. That said, I haven't done a lot of experimentation on this lately. Perhaps these are redundant to a point.
(If some of you recognise these lines, they come from a FRScript developed over time by both Rich Trouton and John Wojda. As any good jamfAdmin, I've taken their FRScripts as a base and modified them for our environment.)
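
An added example, not part of the thread or of anyone's FirstRun script: a small audit that saves the current definition of each right named above and reports which ones are open to every user. The function names, the sample definitions and the backup path are assumptions made for illustration, as is the plist layout the check looks for.

```shell
#!/bin/sh
# Added example (not from the thread): report which rights are open to all users.
# Rights taken from the commands posted above.
RIGHTS="system.preferences system.preferences.datetime
system.preferences.timemachine system.preferences.energysaver
system.preferences.printing system.print.operator"

# Reads a right definition (plist XML) on stdin. Succeeds when the value under
# "rule" or "class" is "allow". Assumption: that is how a right written with
# "security authorizationdb write <right> allow" reads back.
right_is_open() {
    awk '
        /<key>(rule|class)<\/key>/         { watch = 1; next }
        /<key>/                            { watch = 0 }
        watch && /<string>allow<\/string>/ { is_open = 1 }
        END { exit (is_open ? 0 : 1) }
    '
}

# Constructed sample definitions, used for offline checks.
sample_open() {
    printf '%s\n' '<dict>' '<key>rule</key>' '<array>' \
        '<string>allow</string>' '</array>' '</dict>'
}
sample_locked() {
    printf '%s\n' '<dict>' '<key>class</key>' '<string>user</string>' \
        '<key>group</key>' '<string>admin</string>' '</dict>'
}

# Save each current definition to $1 (for later restore), then report state.
audit_rights() {
    backup_dir=$1
    mkdir -p "$backup_dir"
    for right in $RIGHTS; do
        security authorizationdb read "$right" > "$backup_dir/$right.plist" 2>/dev/null
        if right_is_open < "$backup_dir/$right.plist"; then
            echo "OPEN      $right"
        else
            echo "NOT OPEN  $right"
        fi
    done
}

# Run the audit only where the macOS security tool exists.
if command -v security >/dev/null 2>&1; then
    audit_rights "${BACKUP_DIR:-/tmp/authdb-backup}"
fi
```

Running it before the FirstRun changes leaves a copy of each original definition, which can be put back with `security authorizationdb write <right> < <right>.plist`.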