Posted on 10-05-2012 01:39 AM
Greetings
I manage OSX clients (mostly Lion and now Mountain Lion) in a mixed environment. All OSX clients are bound to Active Directory, and default users do not have Admin rights to OSX. I wanted to allow users to turn proxy settings on and off, change time zones and a few other things. For that they need admin rights. There must be a way to grant standard users access to these parts of the system without giving them admin rights over the whole OSX environment.
I have been trying a few things in Casper without success. I tracked down a script that looked very promising from the collective efforts of the contributors to MacMule:
http://macmule.com/2012/05/13/unlocking-preference-panes-for-non-admin-users-on-10-6-10-7/
I just can't get this script to work. It runs if I replace the double square brackets on the first IF statement with single ones, but a standard mobile user is not given any rights to make changes to proxy, timezone etc. Has anyone managed to use this script or got the same results by other means? I need the solution to be deliverable from Casper automatically.
Regards
Posted on 10-05-2012 01:49 AM
Hi Victor,
Thanks for checking out my site :)
Anyways, can you try the script below? (I'm going to move all my scripts to GitHub as the formatting on WordPress sucks).
#!/bin/bash
# OS X major.minor version, e.g. 10.6 or 10.7
OS=$(/usr/bin/sw_vers -productVersion | /usr/bin/cut -d. -f1,2)
# Back up the original authorization file
sudo /bin/cp /etc/authorization /etc/authorization.original.backup
if [[ "$OS" == "10.6" ]]; then
    # Modify /etc/authorization to allow any member of the everyone group access to unlock preferences
    sudo /usr/libexec/PlistBuddy -c "Set :rights:system.preferences:group everyone" /etc/authorization
    sudo /usr/libexec/PlistBuddy -c "Set :rights:system.preferences:shared true" /etc/authorization
    echo "Given rights to the everyone group to unlock secure system preferences for OS $OS..."
else
    # Unlock System Preferences for non admins.
    sudo /usr/libexec/PlistBuddy -c 'Set :rights:system.preferences:group everyone' /etc/authorization
    # Unlock Accessibility preference pane
    sudo /usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.accessibility:group everyone' /etc/authorization
    # Unlock Accounts preference pane
    sudo /usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.accounts:group everyone' /etc/authorization
    # Unlock Date & Time preference pane
    sudo /usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.datetime:group everyone' /etc/authorization
    # Unlock Energy Saver preference pane
    sudo /usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.energysaver:group everyone' /etc/authorization
    # Unlock Network Settings preference pane
    sudo /usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.network:group everyone' /etc/authorization
    # Unlock Parental Controls preference pane
    sudo /usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.parental-controls:group everyone' /etc/authorization
    # Unlock Print & Scan preference pane
    sudo /usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.printing:group everyone' /etc/authorization
    # Unlock Security preference pane
    sudo /usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.security:group everyone' /etc/authorization
    # Unlock Sharing preference pane
    sudo /usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.sharing:group everyone' /etc/authorization
    # Unlock Software Update preference pane
    sudo /usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.softwareupdate:group everyone' /etc/authorization
    # Unlock Startup Disk preference pane
    sudo /usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.startupdisk:group everyone' /etc/authorization
    # Unlock Time Machine preference pane
    sudo /usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.timemachine:group everyone' /etc/authorization
fi
Also, with 10.6 > 10.7 Apple did change the method, therefore I assume it's been changed again with 10.8 :(
So 1st things, get it working on 10.7 via a policy... then we could possibly look at 10.8.
There are also some things that, even though you can seemingly change them, still require admin permissions, such as changing wireless network preference order, which is a bit odd.
Anyways, reply on my site & I'll be able to get your email. We can then update here once we've got the 10.7 part working.
Posted on 02-23-2013 10:55 AM
I got them all to work on Mountain Lion except for the network one. Any luck on that one?
Posted on 02-24-2013 02:50 PM
The Network prefs pane wants an additional right, which you can grant to everyone like this:
sudo /usr/libexec/PlistBuddy -c 'Set :rights:system.services.systemconfiguration.network:rule allow' /etc/authorization
Be sure you really want to do this.
I talk about granting additional rights to non-admin users in this presentation from MacSysAdmin 2012: http://documentation2.macsysadmin.se/2012/video/Day2Session7.m4v
Posted on 04-05-2013 05:30 AM
I want to bring this up with another question.
I have seen the key system.preferences.security.remotepair that is important for us as we don't have any admin accounts for the users on our machines.
So we tried sudo /usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.security.remotepair:group everyone' /etc/authorization
But it failed with the error: Set: Entry, ":rights:system.preferences.security.remotepair:group", Does Not Exist
Any idea why this could be the reason?
Thanks a mill.
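An added example, not part of the thread or of anyone's script above: a Python audit of an authorization plist that lists which rights were relaxed relative to the backup copy, which rights are now open to every user (group everyone or rule allow, as set earlier in the thread), and whether a PlistBuddy Set would fail because the entry is absent, as in the remotepair error. The function names and the sample right contents are assumptions constructed for illustration.

```python
import plistlib

WATCHED = ("class", "group", "rule", "shared")  # keys that decide who may obtain a right

def load_rights(data):
    """Return the 'rights' dictionary from the bytes of an authorization plist."""
    return plistlib.loads(data).get("rights", {})

def diff_rights(backup, current):
    """List (right, key, old, new) for each watched key that differs from the backup."""
    changes = []
    for name in sorted(set(backup) | set(current)):
        old, new = backup.get(name, {}), current.get(name, {})
        changes += [(name, k, old.get(k), new.get(k))
                    for k in WATCHED if old.get(k) != new.get(k)]
    return changes

def open_to_all(rights):
    """Rights every user can obtain: group 'everyone' or the 'allow' rule."""
    return sorted(n for n, r in rights.items()
                  if r.get("group") == "everyone" or r.get("rule") == "allow")

def set_would_fail(rights, right, key="group"):
    """PlistBuddy 'Set' only edits entries that exist; True means the entry is absent."""
    return key not in rights.get(right, {})

def make_plist(rights):
    return plistlib.dumps({"rights": rights})

# Constructed sample data, not copied from a real /etc/authorization.
BACKUP = make_plist({
    "system.preferences": {"class": "user", "group": "admin", "shared": True},
    "system.preferences.datetime": {"class": "user", "group": "admin"},
    "system.preferences.security.remotepair": {"class": "rule", "rule": "authenticate-admin"},
    "system.services.systemconfiguration.network": {"class": "rule", "rule": "authenticate-admin"},
})
CURRENT = make_plist({
    "system.preferences": {"class": "user", "group": "everyone", "shared": True},
    "system.preferences.datetime": {"class": "user", "group": "everyone"},
    "system.preferences.security.remotepair": {"class": "rule", "rule": "authenticate-admin"},
    "system.services.systemconfiguration.network": {"class": "rule", "rule": "allow"},
})

if __name__ == "__main__":
    before, after = load_rights(BACKUP), load_rights(CURRENT)
    for change in diff_rights(before, after):
        print("changed:", change)
    print("open to every user:", open_to_all(after))
    print("remotepair Set fails:", set_would_fail(after, "system.preferences.security.remotepair"))
```

On a client, pass the bytes of /etc/authorization and of /etc/authorization.original.backup (the copy the script above makes) in place of the constructed samples.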
Posted on 07-09-2013 09:39 PM
Hi
I tried to run the script for Mountain Lion. It unlocks the printing preference, but when I click to add a printer, it prompts for a Print Administrator username and password to key in. How do I allow a managed, mobile account to add the printer without the admin password?
Posted on 07-11-2013 09:11 AM
kiruarch - http://support.apple.com/kb/HT3511
Posted on 03-04-2014 08:45 AM
I did the command below on a 10.7.5 machine and it doesn't change anything. I still can't change date and time preferences with the standard student account.
sudo /usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.datetime:group everyone' /etc/authorization