This blog post describes a LaunchAgent that calls the PrivilegesCLI to demote users at login, so that every user session starts with standard (non-admin) rights rather than whatever rights the user held when they last logged out.
Note: All of the following assumes that the SAP Privileges application is installed.
If that sounds interesting or useful, good news! It is really rather easy to implement.
The LaunchAgent plist contains three keys that matter here:
AssociatedBundleIdentifiers – Associates the LaunchAgent with the SAP Privileges application so that it is displayed properly (under the Privileges app rather than as an anonymous item) in the Login Items GUI on macOS Ventura and newer.
ProgramArguments – Holds the PrivilegesCLI command that removes the user's admin rights:
RunAtLoad – Ensures that the LaunchAgent runs each time a user session is loaded, i.e. at every login, not only when the agent is first installed.
To implement this LaunchAgent, either build a package or copy the following plist file into /Library/LaunchAgents, and make sure it has POSIX permissions 644 and is owned by root:wheel. The ownership and mode are not cosmetic: launchd refuses to load a job whose plist is not owned by root or is writable by anyone other than its owner, so a plist that is copied in with the wrong ownership simply never runs and users keep whatever rights they had.
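To make the whole procedure concrete, here is an added example of an install script that writes such a plist, sets the permissions the post calls for, and sanity-checks the result. It is my own illustration, not the plist or package from the original post. It assumes the bundle identifier corp.sap.privileges, a hypothetical job label corp.sap.privileges.demote, and a PrivilegesCLI path that depends on the Privileges release you have installed (1.x ships the binary in Contents/Resources, 2.x in Contents/MacOS), so the path is overridable through the PRIVILEGES_CLI variable.

```shell
#!/bin/sh
# Added example, not the post's own plist: installs a LaunchAgent that runs
# PrivilegesCLI --remove at login. Assumptions: bundle id corp.sap.privileges,
# hypothetical label corp.sap.privileges.demote, and a CLI path that varies by
# Privileges release (1.x: Contents/Resources, 2.x: Contents/MacOS).
PRIVILEGES_CLI="${PRIVILEGES_CLI:-/Applications/Privileges.app/Contents/Resources/PrivilegesCLI}"
LABEL="corp.sap.privileges.demote"

# Write the agent plist into DIR with mode 644 and, when running as root,
# owner root:wheel (the chown is skipped otherwise so the function can be
# exercised in a scratch directory). Prints the path of the written file.
write_demote_agent() {
    dir="$1"
    plist="$dir/$LABEL.plist"
    cat > "$plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$LABEL</string>
    <key>AssociatedBundleIdentifiers</key>
    <array>
        <string>corp.sap.privileges</string>
    </array>
    <key>ProgramArguments</key>
    <array>
        <string>$PRIVILEGES_CLI</string>
        <string>--remove</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
    chmod 644 "$plist"
    if [ "$(id -u)" -eq 0 ]; then
        chown root:wheel "$plist"
    fi
    printf '%s\n' "$plist"
}

# Sanity check before relying on the agent: the file must exist, its mode must
# be exactly rw-r--r-- (launchd will not load a group- or world-writable plist),
# the three keys the post relies on must be present, and the command must be
# the --remove form. Returns 0 when every check passes, 1 otherwise.
check_demote_agent() {
    plist="$1"
    [ -f "$plist" ] || return 1
    case "$(ls -l "$plist")" in
        -rw-r--r--*) ;;
        *) return 1 ;;
    esac
    for key in AssociatedBundleIdentifiers ProgramArguments RunAtLoad; do
        grep -q "<key>$key</key>" "$plist" || return 1
    done
    grep -q -- '--remove' "$plist"
}

# Real install, run as root on the Mac: DEMOTE_INSTALL=1 sh demote-agent.sh
# Without the variable the script only defines the functions above.
if [ "${DEMOTE_INSTALL:-0}" = 1 ]; then
    target=$(write_demote_agent /Library/LaunchAgents)
    check_demote_agent "$target" || { echo "agent check failed" >&2; exit 1; }
    # launchd picks up /Library/LaunchAgents at the next login; no further step needed.
    echo "installed $target"
fi
```

Run it as root with DEMOTE_INSTALL=1 to install; without that variable it only defines the two functions, which is convenient for testing the generated plist in a temporary directory first. The check deliberately fails on a 664 or 666 file, because that is exactly the case where launchd silently ignores the agent.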
The next time a user logs in, the agent runs and Privileges ensures the session starts with standard user rights. Users may then use SAP Privileges to grant themselves admin rights again as needed; those rights last only until the next login, when the agent demotes them again. Note that the agent does nothing for sessions that are already running when it is installed, so a user who is currently admin stays admin until they log out.