Demote on Login with SAP Privileges

This blog post outlines using a LaunchAgent that utilizes the PrivilegesCLI to demote users during login. This ensures that all users have standard privileges at the beginning of each user session.

Note: All of the following assumes that the SAP Privileges application is installed.

If that sounds interesting or useful, good news! It is really rather easy to implement.

The LaunchAgent includes a couple of sections:

  • AssociatedBundleIdentifiers – This section associates the LaunchAgent with the SAP Privileges application so that it is displayed properly in the Login Items GUI on macOS Ventura and newer operating systems.
  • ProgramArguments – This section runs the following PrivilegesCLI command to remove the user's admin rights: /Applications/Privileges.app/Contents/Resources/PrivilegesCLI --remove
  • RunAtLoad – Ensures that the LaunchAgent runs each time a new user session is loaded.

To implement this LaunchAgent, either build a package or copy the following plist file into /Library/LaunchAgents, and make sure it is owned by root:wheel with POSIX permissions 644 (launchd will not load an agent that is writable by non-root users).

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AssociatedBundleIdentifiers</key>
<array>
<string>corp.sap.privileges</string>
</array>
<key>Label</key>
<string>blog.mostlymac.demoteonlogin</string>
<key>ProgramArguments</key>
<array>
<string>/Applications/Privileges.app/Contents/Resources/PrivilegesCLI</string>
<string>--remove</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>

The next time a user logs in, Privileges will ensure the session starts with standard user rights. Users may then use SAP Privileges to grant admin rights again as needed.
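As an added example (not code from the original post or from the Privileges project), here is a Python script that builds the same LaunchAgent with plistlib, validates it before installing (including that the flag is the ASCII `--remove` and not a smart-dash mangled copy), and writes it with the ownership and mode given above. The path, label and bundle identifier are those from the post; `install_agent` assumes it is run as root on the target Mac.

```python
# Added example, not from the original post: build, validate and install the
# demote-on-login LaunchAgent with plistlib instead of hand-editing XML.
import os
import plistlib
import shutil

PRIVILEGES_CLI = "/Applications/Privileges.app/Contents/Resources/PrivilegesCLI"
BUNDLE_ID = "corp.sap.privileges"
LABEL = "blog.mostlymac.demoteonlogin"
AGENT_PATH = f"/Library/LaunchAgents/{LABEL}.plist"

def build_agent(remove_flag: str = "--remove") -> bytes:
    """Serialize the post's LaunchAgent as XML plist bytes. remove_flag is a
    parameter only so a mangled copy (e.g. an en-dash) can be validated."""
    return plistlib.dumps({
        "AssociatedBundleIdentifiers": [BUNDLE_ID],
        "Label": LABEL,
        "ProgramArguments": [PRIVILEGES_CLI, remove_flag],
        "RunAtLoad": True,
    })

def validate_agent(data: bytes) -> list:
    """Return the problems found in a serialized agent (empty list = OK)."""
    try:
        agent = plistlib.loads(data)
    except Exception as exc:  # malformed XML, stray HTML entities, etc.
        return [f"not a valid plist: {exc}"]
    problems = []
    args = agent.get("ProgramArguments", [])
    if args[:1] != [PRIVILEGES_CLI]:
        problems.append("ProgramArguments[0] is not the PrivilegesCLI path")
    if "--remove" not in args[1:]:
        # Word processors turn "--" into U+2013; PrivilegesCLI will not treat
        # "\u2013remove" as --remove, so the user would keep admin rights.
        problems.append("ProgramArguments lacks the ASCII '--remove' flag")
    if agent.get("RunAtLoad") is not True:
        problems.append("RunAtLoad must be true or the agent never fires")
    if BUNDLE_ID not in agent.get("AssociatedBundleIdentifiers", []):
        problems.append("AssociatedBundleIdentifiers should list " + BUNDLE_ID)
    return problems

def install_agent(path: str = AGENT_PATH) -> None:
    """Write the agent with mode 644 and root:wheel ownership (run as root)."""
    data = build_agent()
    problems = validate_agent(data)
    if problems:
        raise ValueError("; ".join(problems))
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o644)  # launchd rejects agents writable by non-root users
    shutil.chown(path, user="root", group="wheel")
```

Run `validate_agent` against an existing plist's bytes to check a hand-copied file before loading it with launchctl.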