Posted on 03-01-2019 10:52 AM
Has anyone used the open source code for this app?
I really like this app, just wished I had some time to figure out how to program it to ONLY elevate for 30 minutes when a user Requests Privileges. I know you can right click and toggle it, but I'd like to only have the 30 minute elevation for the main window request.
Posted on 03-01-2019 04:18 PM
I have this application on my list of follows in Git. i would think the time is controlled and monitored via a plist?.. i might be wrong. I have not packaged or deployed it in our environment, i am curious to know what others have done with this as well @rickwhois
Posted on 03-02-2019 07:55 AM
To change the options you'd have to change the source code, so that only the times leading up to your preferred time are available. It looks like it's here, but I do not know what I'm doing.
However, I wanted to reply because I think you'd be better off using Self Service. Since you already have UX available through Self Service, it may be better to use the more traditional Jamf method.
Interestingly enough, elevating the user is the easy part..
/usr/sbin/dseditgroup -o edit -a $USERNAME -t user admin. What becomes a bigger task is putting the LaunchDaemon in place to remove admin rights after a time period. Using a LaunchDaemon is safer as it will run independent of whether the Mac or online or can talk to your JSS at the time.
You'll see things have evolved over time, so check out the more recent posts. I will point out I think it's a better idea to use Self Service's built-in notification/feedback options when needed rather than trying to use AppleScript etc.
Posted on 03-03-2019 04:12 AM
Thanks for commenting @adamcodega I agree completely. Having it as a Self Service item is my most preferred option as I can check time stamps and see what user is elevating. For the majority of elevation requests, I'm actually using a variation of this python elevation script. https://github.com/kc9wwh/MakeMeAdminPy
I require users to log into Self Service so they have to be online in order to use the scripted elevation policy. I'm interested in modifying the Privileges.app so that I can offer an offline temporary elevation for a smaller subset of users. I'll keep poking around at the source. I suppose another option is to make an offline policy and remove the login requirement In Self Service.
Posted on 03-11-2019 10:19 AM
@rickwhois "make policy offline available" won't work for SelfService Policies. Thats what I had to learn recently.
We also have some powerusers who need adminrights while they are offline, so I'm looking into finding a temporary Admin solution which works offline aswell.
Do you have an idea about that?
Posted on 03-11-2019 10:28 AM
Shortly after I posted last, I came across a recent post from TravellingTechGuy and he has a good solution (in testing phase) that utilizes an offline policy to do periodic checks to ask the user if they still need admin privs. I'm looking into this a a viable alternative for a small subset of users that may not have access to internet all of the time.
Posted on 03-11-2019 01:10 PM
Posted on 03-12-2019 07:43 AM
This looks like a great solution since the Self Service MakeMeAdmin policy that i've been using is not an ideal solution when it comes to MacBooks that need to connect to a wifi hotspot that requires installing an 802.11x profile to connect. I'd much rather have a local solution like this. But my concern is that it is available to any user that logs into the device. I would need to restrict the app to only work with specific user accounts.
Posted on 03-12-2019 08:10 AM
@denmoff I can assume those profiles are not something within your Org? hmmm.. What do you mean by any user that logs into the device? I was under the assumption that once this runs and the user logs off or reboots, it would demote back to a standard account. I have yet to test but you do raise a good test case.
Posted on 03-12-2019 08:27 AM
@mack525 In most cases, our users have one to one devices, but i don't know that i like that ANY standard user could run the Privileges app and be promoted to admin. Maybe the user uses the Privileges app and creates a standard user for a student aid or maybe we're using an authenticated login system that creates a standard user on login. That student aid or authenticated user would then be able to run the Privileges app and become admin. With the Self Service policy, we have the MakeMeAdmin policy restricted to device AND user.
Posted on 03-12-2019 08:34 AM
Posted on 03-12-2019 08:45 AM
I wanted to point out some stuff about this Privileges.app that might be useful. As mentioned in the description on the github page, it has a command line option that can also be used to add/remove people from the admin group. What's cool about this is the command line tool, called PrivilegesCLI, can be used without having the full application present. All that's really needed are 2 things added to the Mac - the LaunchDaemon, called
corp.sap.privileges.helper.plist and the actual privileged helper tool, located at
once these 3 items are in place - the LaunchDaemon, the Helper tool and the CLI tool, you can remove/add the current user to the admin group with a simple command like:
I tested this by copying the PrivilegesCLI into
/usr/local/bin/, then deleting the entire Privileges.app from the Mac, and ran some tests, and it works!
This might be a good approach to use for a simple way to add and remove users' admin rights. I can see this working in a simple script that can be called as the current user.
Posted on 03-14-2019 06:02 AM
@rickwhois nice find!
Actually I implemented that now, with some differences.
The suggested implementation would trigger a policy call all 10 Minutes, even if there are no local Admin rights. That would result in 99% useless requests from every client which has this.
And there's the TCC Limitation, so I built it like this:
additional package which contains:
LaunchDaemon 1: fires script /usr/local/checkPrivileges.sh
LaunchDaemon 2: fires jamf policy -event checkPrivileges, triggers on /tmp/checkPrivileges
checkPrivileges.sh: checks if admin rights where given by privileges.app. if yes, checks for how long, if longer then X, touch /tmp/checkPrivileges
a configuration profile with TCC settings for the jamf binary and Finder
If you want to, I can upload the scripts + LaunchDaemons.
Posted on 03-14-2019 06:50 AM
Posted on 03-14-2019 11:59 AM
Posted on 03-15-2019 01:59 AM
@rickwhois Checkout https://github.com/ChrOst/PrivilegesHelper
I hope this helps other guys :-)
Posted on 12-04-2019 11:19 AM
Does anyone have a step by step with screenshots???
Posted on 12-05-2019 07:54 AM
Posted on 12-05-2019 08:30 AM
Are you guys deploying this app to one to one machine?
Or in lab or public machines?
Posted on 12-23-2021 11:36 AM
This is an older thread, but I was inspired by LRZ_Jamf to write this tool to help with managing Privileges usage in our org. It is similar, but does some extra logging. I thought it might be useful for others that find this thread in the future https://github.com/sgmills/PrivilegesDemoter
Posted on 12-23-2021 12:55 PM
Very clean. Nice work, @mostlymac ! We have BeyondTrust at my company but this can come in handy. I'd rather have this. 🙂
Posted on 12-23-2021 01:08 PM
@mostlymac Great work on this! I’ve followed your repo and would like yo explore using this.
@LaMantia using beyondtrust in our environment as well. I’m thinking of using a local group tied to a sudo access policy. Not sure if you were already working on some configurations.
Posted on 04-01-2022 08:44 AM
We started using SGMills' privilege demoter on our Jamf server + devices. It's a really clean way to nag the user to demote privileges, and requires minimal effort to implement: https://github.com/sgmills/PrivilegesDemoter