Privileges Demoter v2.0

I have made some changes to the Privileges Demoter tool that are significant enough to benefit from a blog post. The original post for v1.0 is available here.

The new version is available on GitHub.

Privileges Demoter is a tool, used in conjunction with the SAP Privileges app, that reminds users not to operate as an admin, and logs when a user switches from admin to standard and vice versa.

Changes in v2

The notification now relies on the IBM Notifier application, and only falls back to Jamf Helper if needed. IBM Notifier is included in the package installer, so no need to manage that separately. This allows for more flexibility such as a help button, a notification sound, and better exit codes.

v2 also includes the ability to exclude one admin account from ever seeing the reminder or being demoted. If you have a management admin account present across your fleet, this feature can come in handy.

Log rotation is now enabled to ensure that excessive, or long term use does not bloat log files.

There are now two versions of the installer. One version includes just the PrivilegesDemoter pieces, while the other will install both PrivilegesDemoter and the Privileges application. This way you can deploy by installing just one package instead of managing things separately.

Installation

Recommended steps to begin using PrivilegesDemoter v2:

  1. Download the installer package that includes both PrivilegesDemoter and the Privileges application from GitHub. Available here: PrivilegesDemoter_PrivilegesApp-2.0.pkg
  2. Upload the package to your MDM.
  3. Create and scope a policy to install the package on devices.
  4. Upload the Demote Admin Privileges.sh script to your MDM.
  5. Configure a policy to run Demote Admin Privileges.sh

Script Configuration

  1. Configure a policy to run Demote Admin Privileges.sh:
    1. IMPORTANT: Use the custom trigger “privilegesDemote” (this trigger is hard coded in the privileges demotion LaunchDaemon).
    2. Set the execution frequency to Ongoing.
    3. Make it available offline.
    4. Scope it to all devices with Privileges installed.
  2. Configure the options for Demote Admin Privileges.sh by editing the script, or by using Jamf Pro script parameters:

  • help_button_status should be set to 1 to enable the help button, or 0 to disable.
  • help_button_type may be set to either link or infopopup
  • help_button_payload defines the payload for the help button. Either a URL for link type, or text for infopopup type.
  • notification_sound is enabled by default. Set to 0 to disable. Leave blank or set to 1 to enable.
  • admin_to_exclude may be set to the username of an admin that should be excluded from the reminder and never be demoted.
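The following is an added example, not the project's own Demote Admin Privileges.sh, showing how a v2-style demotion script can read the five options above, validate them before anything is shown to the user, and apply the admin_to_exclude check. It assumes the options arrive as Jamf Pro script parameters $4 through $8 in the order listed above (Jamf reserves $1 to $3), and the IBM Notifier flag names used in notifier_args (-type, -help_button_cta_type, -help_button_cta_payload, -silent) are taken from that tool's command line and should be checked against the version shipped in the package. The is_admin helper calls dsmemberutil and therefore only works on macOS.

```shell
#!/bin/bash
# Added example (not the project's code). Option validation and the exclusion
# check for a PrivilegesDemoter-style reminder. Parameter positions $4..$8 and
# the IBM Notifier flag names are assumptions; verify them against your deployment.

# validate_help_button STATUS TYPE PAYLOAD
# Returns 0 when the combination can safely be handed to the notifier, 1 otherwise.
validate_help_button() {
    case "$1" in
        0) return 0 ;;   # help button disabled: type and payload are ignored
        1) ;;
        *) echo "help_button_status must be 0 or 1, got '$1'" >&2; return 1 ;;
    esac
    case "$2" in
        link)
            # Only accept http(s) URLs so a mistyped parameter cannot open another scheme.
            case "$3" in
                http://*|https://*) return 0 ;;
                *) echo "link payload must be an http(s) URL, got '$3'" >&2; return 1 ;;
            esac ;;
        infopopup)
            [ -n "$3" ] && return 0
            echo "infopopup payload must not be empty" >&2; return 1 ;;
        *) echo "help_button_type must be link or infopopup, got '$2'" >&2; return 1 ;;
    esac
}

# sound_enabled VALUE  -> prints 1 (play the sound) or 0 (silent).
# Blank or 1 enables the sound (the default); only 0 disables it.
sound_enabled() {
    case "$1" in
        0) echo 0 ;;
        *) echo 1 ;;
    esac
}

# should_remind USER ADMIN_TO_EXCLUDE -> 0 if USER should get the reminder and
# demotion, 1 if nobody is at the console or USER is the excluded admin.
should_remind() {
    [ -z "$1" ] && return 1
    [ -n "$2" ] && [ "$1" = "$2" ] && return 1
    return 0
}

# is_admin USER -> 0 if USER is a member of the local admin group (macOS only).
is_admin() {
    /usr/bin/dsmemberutil checkmembership -U "$1" -G admin 2>/dev/null | grep -q "is a member"
}

# notifier_args STATUS TYPE PAYLOAD SOUND -> prints the IBM Notifier arguments
# derived from the options (flag names assumed, see lead-in).
notifier_args() {
    args="-type popup"
    if [ "$1" = "1" ]; then
        args="$args -help_button_cta_type $2 -help_button_cta_payload $3"
    fi
    [ "$(sound_enabled "$4")" = "0" ] && args="$args -silent"
    echo "$args"
}

# Wiring inside the real script (not run here): the options are $4..$8 from Jamf.
#   validate_help_button "$4" "$5" "$6" || exit 2
#   console_user=$(/usr/bin/stat -f %Su /dev/console)
#   should_remind "$console_user" "$8" || exit 0
#   is_admin "$console_user" || exit 0
#   ibm_notifier_args=$(notifier_args "$4" "$5" "$6" "$7")
```

Validating before showing anything matters because the policy runs ongoing on every trigger: a bad help_button_payload would otherwise fail on every device at every check rather than once in the policy log.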

Updating from v1 to v2

  1. You may install the v2 package over top of the v1 package safely. Simply install the new package to update.
  2. You must also update the demotion script in your MDM. Upload the new Demote Admin Privileges.sh script, or overwrite the old one.
    1. Configure script parameter options with helpful names as shown above
  3. Configure the available options in the policy as needed.

Jamf Pro Extension Attribute

The following Extension Attribute may be used to identify devices that have been updated to v2 of PrivilegesDemoter.

#!/bin/sh
# Get the PrivilegesDemoter version from the header of checkPrivileges.sh.
# Assumes the header carries a line of the form "Version: 2.0"; reports
# "Not installed" when the script or the line is absent.
RESULT="Not installed"
script="/usr/local/mostlymac/checkPrivileges.sh"
if [ -f "$script" ]; then
    # First matching line only, strip the label and surrounding spaces
    version=$( grep -m1 Version "$script" | cut -f2 -d ":" | tr -d ' ' )
    if [ -n "$version" ]; then
        RESULT="$version"
    fi
fi
# Return version
/bin/echo "<result>${RESULT}</result>"

8 thoughts on “Privileges Demoter v2.0”

  1. Question about how to keep the checkPrivileges.sh script from being turned off in Ventura, even with the Background Service Management profile deployed to the computer. We see we can still turn it off even with the profile applied, and we hope we’re not missing something simple about it.

    We love this product and appreciate your time and work on it for the community.


    1. Hi Daniel! There are a few variables here that could be causing you trouble.

      Are you testing on the latest Ventura beta? Some of the previous betas have had issues with background service management.

      Are you using the example profile on my github, or one that you have crafted yourself?

      Are you signing the profile prior to uploading it? The current version of Jamf Pro messes with unsigned profiles that try to manage this setting. Hopefully future versions will not have this problem.

      Feel free to respond here or if you’re on the MacAdmins slack hit me up there @mostlymac


  2. What is your advice on managing the massive log data for the policy, as it seems to keep track of every instance of that? Can we set a specific setting for this policy alone somewhere in JAMF Pro to make sure it stays lean and does not get too bloated? 🙂

  3. Is it possible to exclude more than one admin account? We currently have different accounts (moving towards LAPS) in different offices, so we need to add more than one.

    1. Hi Tobias. This is possible in v3 of PrivilegesDemoter which is currently in pre-release and will likely be officially released next week. Stay tuned.
