This post is going to cover a set of scripts and launch daemons that can be used alongside the SAP Privileges app to remind users not to abuse admin privileges. I will skip much of the background info on Privileges because that has been covered thoroughly by my fellow Mac admins. Inspiration for this tool came from:
- GitHub – SAP – macOS Enterprise Privileges
- Traveling Tech Guy – Manage macOS admin privileges with the SAP – Privileges app
- Jamf Nation Community – Using Privileges.app for Mac Admin Elevation
- GitHub – ChrOst – PrivilegesHelper
The Privileges application allows users to switch from standard to administrator and vice versa. As stated on the Privileges GitHub page, “Working as a standard user instead of an administrator adds another layer of security to your Mac and is considered a security best practice. Privileges helps enable you to act as an administrator only when required.”
While Privileges is excellent at its intended function, you may want some help encouraging users to act as an administrator only when required (instead of setting themselves as an admin and never looking back). Additionally, you may want some way of logging who is using admin privileges for an extended period of time and how often. That’s where PrivilegesDemoter comes in.
PrivilegesDemoter consists of two scripts and two LaunchDaemons. The first LaunchDaemon runs a script every 5 minutes. This script checks if the currently logged-in user (or the last user if there is no current user) is an administrator. If this user is an admin, it adds a timestamp to a file and calculates how long the user has had admin rights.
Once that duration passes 15 minutes, a signal file gets created. That is where the second LaunchDaemon comes in. The signal file tells the second LaunchDaemon to call a Jamf policy. I chose 15 minutes here because that should be more than enough time to perform an admin task or two (like installing an update).
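As an added illustration of the timer-and-signal logic just described (this is not the PrivilegesDemoter project's own script), the following shell functions append a timestamp on each 5-minute run, compare the first recorded timestamp against a 15-minute threshold, and drop a signal file for the second LaunchDaemon to pick up. The file paths, the `PD_RUN` guard, and the `stat`/`last`/`dsmemberutil` lookups for the console user and admin membership are my assumptions, not the project's.

```shell
#!/bin/bash
# Added example of the PrivilegesDemoter timer logic; not the project's code.
# Paths and the 15-minute threshold are assumptions drawn from the description.
TIMESTAMP_FILE="${TIMESTAMP_FILE:-/tmp/pd_example_timestamps}"   # assumed path
SIGNAL_FILE="${SIGNAL_FILE:-/tmp/pd_example.signal}"              # assumed path
THRESHOLD_SECS=900                                                # 15 minutes

# Console user, falling back to the last user to log in when nobody is at the
# console. These are macOS commands (one possible approach, assumed here).
current_or_last_user() {
  local u
  u=$(stat -f%Su /dev/console 2>/dev/null)
  if [ -z "$u" ] || [ "$u" = "root" ]; then
    u=$(last -1 2>/dev/null | awk 'NR==1 {print $1}')
  fi
  printf '%s\n' "$u"
}

# Is USER in the admin group? Uses macOS dsmemberutil (assumed check).
is_admin() {
  dsmemberutil checkmembership -U "$1" -G admin 2>/dev/null | grep -q 'is a member'
}

# Record epoch NOW as another sighting of the admin user. Returns 0 and writes
# the signal file once the first sighting is THRESHOLD_SECS or more in the past;
# returns 1 while the user is still inside the window. Portable shell.
check_admin_duration() {
  local now="$1" first elapsed
  printf '%s\n' "$now" >> "$TIMESTAMP_FILE"
  first=$(head -n1 "$TIMESTAMP_FILE")
  elapsed=$((now - first))
  if [ "$elapsed" -ge "$THRESHOLD_SECS" ]; then
    touch "$SIGNAL_FILE"   # second LaunchDaemon sees this and calls the Jamf policy
    return 0
  fi
  return 1
}

# Clear the timer: used when the user answers "Yes" or no longer holds admin.
reset_timer() { rm -f "$TIMESTAMP_FILE" "$SIGNAL_FILE"; }

# One 5-minute LaunchDaemon run. Guarded so sourcing this file has no side effects.
main() {
  local user
  user=$(current_or_last_user)
  if is_admin "$user"; then
    check_admin_duration "$(date +%s)" && echo "$user admin >= 15 min; signal written"
  else
    reset_timer
  fi
}
if [ "${PD_RUN:-0}" = 1 ]; then main; fi
```

Run it as `PD_RUN=1 bash script.sh` from the LaunchDaemon; without `PD_RUN` it only defines the functions.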
So far we have confirmed that there is an admin user on the machine, and that user has been an admin for more than 15 minutes. The Jamf policy is where all the real work gets done. In the policy called from Jamf we use a jamfHelper message to ask if the user still requires admin rights.
- Clicking “Yes” resets the timer allowing the user to remain an administrator for another 15 minutes, at which point the reminder will reappear.
- Clicking “No” revokes administrator privileges immediately.
- If the user does nothing, the reminder will time out and revoke administrator privileges in the background.
- Users may use the Privileges application normally to gain administrator rights again whenever needed.
- Each privilege escalation and demotion event is logged in
You can find the PrivilegesDemoter tool as well as deployment instructions in my GitHub here: https://github.com/sgmills/PrivilegesDemoter