Using Privileges.app for Mac Admin Elevation

rickwhois
Contributor

Has anyone used the open source code for this app?
https://github.com/SAP/macOS-enterprise-privileges

I really like this app, just wished I had some time to figure out how to program it to ONLY elevate for 30 minutes when a user Requests Privileges. I know you can right click and toggle it, but I'd like to only have the 30 minute elevation for the main window request.

22 REPLIES 22

mack525
Contributor II

I have this application on my list of follows in Git. i would think the time is controlled and monitored via a plist?.. i might be wrong. I have not packaged or deployed it in our environment, i am curious to know what others have done with this as well @rickwhois

adamcodega
Valued Contributor

To change the options you'd have to change the source code, so that only the times leading up to your preferred time are available. It looks like it's here, but I do not know what I'm doing.

However, I wanted to reply because I think you'd be better off using Self Service. Since you already have UX available through Self Service, it may be better to use the more traditional Jamf method.

Interestingly enough, elevating the user is the easy part.. /usr/sbin/dseditgroup -o edit -a $USERNAME -t user admin. What becomes a bigger task is putting the LaunchDaemon in place to remove admin rights after a time period. Using a LaunchDaemon is safer as it will run independent of whether the Mac or online or can talk to your JSS at the time.

You'll see things have evolved over time, so check out the more recent posts. I will point out I think it's a better idea to use Self Service's built-in notification/feedback options when needed rather than trying to use AppleScript etc.

rickwhois
Contributor

Thanks for commenting @adamcodega I agree completely. Having it as a Self Service item is my most preferred option as I can check time stamps and see what user is elevating. For the majority of elevation requests, I'm actually using a variation of this python elevation script. https://github.com/kc9wwh/MakeMeAdminPy

I require users to log into Self Service so they have to be online in order to use the scripted elevation policy. I'm interested in modifying the Privileges.app so that I can offer an offline temporary elevation for a smaller subset of users. I'll keep poking around at the source. I suppose another option is to make an offline policy and remove the login requirement In Self Service.

LRZ_Jamf
Contributor

@rickwhois "make policy offline available" won't work for SelfService Policies. Thats what I had to learn recently.

We also have some powerusers who need adminrights while they are offline, so I'm looking into finding a temporary Admin solution which works offline aswell.
Do you have an idea about that?

Cheers,
@bofh

rickwhois
Contributor

@LRZ_Jamf

Shortly after I posted last, I came across a recent post from TravellingTechGuy and he has a good solution (in testing phase) that utilizes an offline policy to do periodic checks to ask the user if they still need admin privs. I'm looking into this a a viable alternative for a small subset of users that may not have access to internet all of the time.
https://travellingtechguy.eu/sap-privileges-app/

mack525
Contributor II

@rickwhois Great Find! He has some good solutions on that site.

denmoff
Contributor III

This looks like a great solution since the Self Service MakeMeAdmin policy that i've been using is not an ideal solution when it comes to MacBooks that need to connect to a wifi hotspot that requires installing an 802.11x profile to connect. I'd much rather have a local solution like this. But my concern is that it is available to any user that logs into the device. I would need to restrict the app to only work with specific user accounts.

mack525
Contributor II

@denmoff I can assume those profiles are not something within your Org? hmmm.. What do you mean by any user that logs into the device? I was under the assumption that once this runs and the user logs off or reboots, it would demote back to a standard account. I have yet to test but you do raise a good test case.

denmoff
Contributor III

@mack525 In most cases, our users have one to one devices, but i don't know that i like that ANY standard user could run the Privileges app and be promoted to admin. Maybe the user uses the Privileges app and creates a standard user for a student aid or maybe we're using an authenticated login system that creates a standard user on login. That student aid or authenticated user would then be able to run the Privileges app and become admin. With the Self Service policy, we have the MakeMeAdmin policy restricted to device AND user.

mack525
Contributor II

@denmoff ahh understood.

mm2270
Legendary Contributor III

I wanted to point out some stuff about this Privileges.app that might be useful. As mentioned in the description on the github page, it has a command line option that can also be used to add/remove people from the admin group. What's cool about this is the command line tool, called PrivilegesCLI, can be used without having the full application present. All that's really needed are 2 things added to the Mac - the LaunchDaemon, called corp.sap.privileges.helper.plist and the actual privileged helper tool, located at /Library/PrivilegedHelperTools/corp.sap.privileges.helper

once these 3 items are in place - the LaunchDaemon, the Helper tool and the CLI tool, you can remove/add the current user to the admin group with a simple command like:

/path/to/PrivilegesCLI --remove

or

/path/to/PrivilegesCLI --add

I tested this by copying the PrivilegesCLI into /usr/local/bin/, then deleting the entire Privileges.app from the Mac, and ran some tests, and it works!

This might be a good approach to use for a simple way to add and remove users' admin rights. I can see this working in a simple script that can be called as the current user.

LRZ_Jamf
Contributor

@rickwhois nice find!

Actually I implemented that now, with some differences.
The suggested implementation would trigger a policy call all 10 Minutes, even if there are no local Admin rights. That would result in 99% useless requests from every client which has this.
And there's the TCC Limitation, so I built it like this:

  • default Privileges.app built by autopkg
  • additional package which contains:
    LaunchDaemon 1: fires script /usr/local/checkPrivileges.sh
    LaunchDaemon 2: fires jamf policy -event checkPrivileges, triggers on /tmp/checkPrivileges
    checkPrivileges.sh: checks if admin rights where given by privileges.app. if yes, checks for how long, if longer then X, touch /tmp/checkPrivileges

  • a configuration profile with TCC settings for the jamf binary and Finder

  • checkPrivileges Policy (script): Ask user if admin rights are still required (timeout 600 seconds), if no revoke them. If yes do nothing.

If you want to, I can upload the scripts + LaunchDaemons.

Cheers,
@bofh

mack525
Contributor II

@LRZ_Jamf Nice workflow. Sure. Upload them, Sharing is caring :)

rickwhois
Contributor

@LRZ_Jamf cool! sure if you care to share that'd be helpful!

LRZ_Jamf
Contributor

@rickwhois Checkout https://github.com/ChrOst/PrivilegesHelper

I hope this helps other guys :-)

Cheers,
@bofh

MMartin1
New Contributor II

Does anyone have a step by step with screenshots???

mack525
Contributor II

@MMartin1 I believe this may have been stated but https://travellingtechguy.eu/sap-privileges-app/

PE2000
Contributor

Are you guys deploying this app to one to one machine?
Or in lab or public machines?

mostlymac
New Contributor

This is an older thread, but I was inspired by LRZ_Jamf to write this tool to help with managing Privileges usage in our org. It is similar, but does some extra logging. I thought it might be useful for others that find this thread in the future https://github.com/sgmills/PrivilegesDemoter 

LaMantia
New Contributor III

Very clean. Nice work, @mostlymac ! We have BeyondTrust at my company but this can come in handy. I'd rather have this. 🙂 

user-ysTXLNfErh
New Contributor

@mostlymac Great work on this! I’ve followed your repo and would like yo explore using this. 

@LaMantia using beyondtrust in our environment as well. I’m thinking of using a local group tied to a sudo access policy. Not sure if you were already working on some configurations. 

Baravis
New Contributor III

We started using SGMills' privilege demoter on our Jamf server + devices.  It's a really clean way to nag the user to demote privileges, and requires minimal effort to implement: https://github.com/sgmills/PrivilegesDemoter