Remind Users to Run as Standard with SAP Privileges App

This post covers a set of scripts and LaunchDaemons that can be used alongside the SAP Privileges app to remind users not to hold on to admin privileges longer than they need them. I will skip much of the background on Privileges because that has been covered thoroughly by my fellow Mac admins. Inspiration for this tool came from:


The Privileges application allows users to switch from standard to administrator and vice versa. As stated on the Privileges GitHub page, “Working as a standard user instead of an administrator adds another layer of security to your Mac and is considered a security best practice. Privileges helps enable you to act as an administrator only when required.”

While Privileges is excellent at its intended function, you may want some help encouraging users to act as an administrator only when required (instead of setting themselves as an admin and never looking back). Additionally, you may want some way of logging who is using admin privileges for an extended period of time and how often. That’s where PrivilegesDemoter comes in.

PrivilegesDemoter

PrivilegesDemoter consists of two scripts and two LaunchDaemons. The first LaunchDaemon runs a script every 5 minutes. This script checks whether the currently logged-in user (or the last user to log in, if nobody is logged in) is an administrator. If this user is an admin, the script appends a timestamp to a file and calculates how long the user has had admin rights.

Once that duration passes 15 minutes, a signal file gets created. That is where the second LaunchDaemon comes in: the signal file tells the second LaunchDaemon to call a Jamf policy. I chose 15 minutes here because that should be more than enough time to perform an admin task or two (like installing an update).

So far we have confirmed that there is an admin user on the machine and that the user has been an admin for more than 15 minutes. The Jamf policy is where all the real work gets done. In the policy called from Jamf we use a jamfHelper message to ask whether the user still requires admin rights.

  • Clicking “Yes” resets the timer, allowing the user to remain an administrator for another 15 minutes, at which point the reminder will reappear.
  • Clicking “No” revokes administrator privileges immediately.
  • If the user does nothing, the reminder will time out and revoke administrator privileges in the background.
  • Users may use the Privileges application normally to gain administrator rights again whenever needed.
  • Each privilege escalation and demotion event is logged in /var/log/privileges.log.
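To make the mechanism above concrete, here is an added illustration of the check-in script the first LaunchDaemon would run every 5 minutes, together with the demotion step the Jamf policy performs when the user answers “No” or lets the prompt time out. It is not the PrivilegesDemoter project's own code: the file paths, the function names, the log line format and the use of `dscl` for the admin-group lookup and removal are assumptions made for this example (the jamfHelper prompt itself is left to the Jamf policy). The timer logic takes the current time as a parameter so it can be exercised with constructed timestamps.

```shell
#!/bin/bash
# Added example of the PrivilegesDemoter check-in cycle. Not the project's code;
# paths, function names and log format are assumptions for this illustration.

TIMER_FILE="${TIMER_FILE:-/tmp/privilegesdemoter_timer}"    # assumed path
SIGNAL_FILE="${SIGNAL_FILE:-/tmp/privilegesdemoter_signal}" # assumed path
LOG_FILE="${LOG_FILE:-/tmp/privileges.log}"                 # the post logs to /var/log/privileges.log
LIMIT_SECONDS=$((15 * 60))                                   # 15 minutes, as in the post

# Append "<epoch> <user> <event>" to the log. Epoch seconds sidestep the
# BSD/GNU date option differences between macOS and a Linux test box.
log_event() { printf '%s %s %s\n' "$1" "$2" "$3" >> "$LOG_FILE"; }

# Console user (empty at the login window), else the last user to log in.
# macOS-only: scutil, defaults and dscl do not exist on other platforms.
target_user() {
  local u
  u=$(echo 'show State:/Users/ConsoleUser' | scutil | awk '/Name :/ && !/loginwindow/ {print $3}')
  if [ -n "$u" ]; then echo "$u"; return; fi
  defaults read /Library/Preferences/com.apple.loginwindow lastUserName 2>/dev/null
}

# Membership test against the local admin group (macOS-only).
is_admin() {
  dscl . -read /Groups/admin GroupMembership 2>/dev/null | tr ' ' '\n' | grep -qx "$1"
}

# Record one check-in for an admin user and print how many seconds they have
# held admin rights. Creates SIGNAL_FILE once the 15-minute limit is reached.
# $1 = user, $2 = current epoch seconds (a parameter so tests can drive it).
admin_checkin() {
  local user="$1" now="$2" start elapsed
  if [ ! -s "$TIMER_FILE" ]; then
    log_event "$now" "$user" "admin-detected"   # first sighting starts the clock
  fi
  printf '%s\n' "$now" >> "$TIMER_FILE"          # one timestamp per 5-minute run
  start=$(head -n 1 "$TIMER_FILE")
  elapsed=$((now - start))
  if [ "$elapsed" -ge "$LIMIT_SECONDS" ] && [ ! -f "$SIGNAL_FILE" ]; then
    : > "$SIGNAL_FILE"                           # the second LaunchDaemon watches this path
    log_event "$now" "$user" "limit-reached"
  fi
  echo "$elapsed"
}

# Clear timer and signal: the user clicked "Yes" (new 15-minute window) or is
# no longer an administrator.
reset_timer() { rm -f "$TIMER_FILE" "$SIGNAL_FILE"; }

# Demotion performed by the Jamf policy on "No" or on timeout (macOS-only).
demote_user() {
  dscl . -delete /Groups/admin GroupMembership "$1" && log_event "$(date +%s)" "$1" "demoted"
  reset_timer
}

# One cycle, as the first LaunchDaemon would run it every 5 minutes.
main() {
  local user
  user=$(target_user)
  [ -n "$user" ] || exit 0
  if is_admin "$user"; then
    admin_checkin "$user" "$(date +%s)" > /dev/null
  else
    reset_timer                                  # standard user: nothing to time
  fi
}

# Run explicitly (bash demoter.sh run) so that loading the file for tests does
# not call the macOS-only helpers.
if [ "${1:-}" = "run" ]; then main; fi
```

Because the elapsed time is measured from the first recorded timestamp rather than from the number of runs, a missed or delayed launch of the daemon (the Mac was asleep, for instance) does not extend the admin window; the reminder still fires once 15 minutes of wall-clock time have passed.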

You can find the PrivilegesDemoter tool as well as deployment instructions in my GitHub here: https://github.com/sgmills/PrivilegesDemoter
