Privileges is an application designed to give Standard Mac users the ability to become Admin for the purposes of installing software, changing settings etc.
It’s very straight forward, but has some downsides if you want to use it in a truly managed way- clicking on the app just flicks admin rights on or off and does not record what happened or have a time limit. Both of these issues are overcome here and in an update to the app, so this article is merely to translate that data to my particular way of working…
So here are my requirements-
- Clients must not be able to get Admin privs permanently
- Set the timeout to 20 minutes
- Actions must be logged
Firstly, you need to download and load Privileges into your favourite distribution system. I’m going to use Munki, because when active I want everyone to have it. Got it installed?
Cool, now wait for Mosyle to update the Apps list, you’ll need this later…
If you’ve got a Synology device, log in and install Log Center, then make the following changes-
- In Control Panel, create a new shared folder called ‘Logs’
- Open Log Center and set your logs to be stored in the new folder
- Set the logs to be separate per device, and a quota
Then still in Log Center, got to ‘Log Receiving’ and
- Set up a new rule called ‘Privileges App’
- Set it to IETF format
- Check that the logs are going to be transferred via UDP on port 514
- Make note of the Synology IP address for later
Next you need to go to iMazing Profile Editor (free download) or your preferred profile editor and create a profile for Privileges.app
I’m using settings as per the pic – ideally I want the users to give a reason, but this needs to be agreed with the client. Export this profile and upload it to Mosyle
In Mosyle, go to Management and set a ‘Block app’ profile. Select the ‘Privileges’ app- yes we are going to block it from launching! Upload the newly created profile as a custom profile and deploy it.
To be able to use this, the user MUST add the app to the Dock, this is required for the contextual menu item ‘Toggle’ to be available.
Now we have the following results- Users can’t launch the app because it is blocked, but they can use the ‘Toggle’ command which does give them Admin rights, but also enforces a time limit that we have set to 20 minutes, AND their actions are logged on the Synology device. Winner!
One last thing- the log entries on your Synology device will have entries based on the sharing name of the computer. I’d rather have Serial Number or asset tag but that doesn’t seem possible.
More info about managing the app here
Once again, I am very grateful to SAP for making the app available, and to Travelling Tech Guy for his insights. Also to Rich Trouton for his Munki recipe… and loads of other work!