Demote on Login with SAP Privileges

This blog post outlines using a LaunchAgent that calls the PrivilegesCLI to demote users at login. The result is that every user session starts with standard (non-admin) privileges, whatever the user held when they last logged out.

Note: All of the following assumes that the SAP Privileges application is installed.

If that sounds interesting or useful, good news! It is really rather easy to implement.

The LaunchAgent includes a couple of sections:

  • AssociatedBundleIdentifiers – Associates the LaunchAgent with the SAP Privileges application so that it is displayed properly (under the app's name rather than as an anonymous background item) in the Login Items GUI on macOS Ventura and newer.
  • ProgramArguments – Runs the following PrivilegesCLI command to remove admin rights from the user who is logging in: /Applications/ --remove
  • RunAtLoad – Runs the job as soon as launchd loads the agent, which for a LaunchAgent in /Library/LaunchAgents is at the start of every user session.

To implement this LaunchAgent, either build a package or copy the following plist file into /Library/LaunchAgents, and make sure that it has mode 644 and is owned by root:wheel. The ownership is not cosmetic: launchd refuses to load an agent from /Library/LaunchAgents that is owned by a non-root user or writable by group or others, and a root-owned, non-writable file is also what stops a standard user from editing the agent out of their own session.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
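
The script below is an added example, not the original post's plist or anything shipped by SAP. It generates the complete LaunchAgent described above, writes it with the required permissions, and validates it before relying on it at the next login. Everything beyond what the post states is an assumption and labelled as such: the PrivilegesCLI path /Applications/Privileges.app/Contents/Resources/PrivilegesCLI (Privileges 1.x; 2.x moved the binary under Contents/MacOS, so check with ls before deploying), the app bundle identifier corp.sap.privileges, and the agent label corp.sap.privileges.demote-on-login, which is simply a name chosen here.

```shell
#!/bin/sh
# Added example (not from the original post or from SAP): build, install and
# validate a demote-on-login LaunchAgent for SAP Privileges.
#
# Assumptions, not stated on the page:
#   - PrivilegesCLI is at /Applications/Privileges.app/Contents/Resources/PrivilegesCLI
#     (Privileges 1.x layout; 2.x moved it under Contents/MacOS, so verify with `ls`)
#   - the app's bundle identifier is corp.sap.privileges
#   - the agent label corp.sap.privileges.demote-on-login is our own choice

PRIVILEGES_CLI="/Applications/Privileges.app/Contents/Resources/PrivilegesCLI"
AGENT_LABEL="corp.sap.privileges.demote-on-login"

# Print the plist to stdout. Kept as a function so the same text feeds both the
# installer and a dry run that lets you review the file before it touches disk.
demote_agent_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>${AGENT_LABEL}</string>
    <key>AssociatedBundleIdentifiers</key>
    <array>
        <string>corp.sap.privileges</string>
    </array>
    <key>ProgramArguments</key>
    <array>
        <string>${PRIVILEGES_CLI}</string>
        <string>--remove</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
}

# Write the plist into DIR with mode 0644 and print the path written.
# Separated from the root-only steps so it can be exercised against a temp dir.
write_demote_agent() {
    dir="$1"
    path="${dir}/${AGENT_LABEL}.plist"
    demote_agent_plist > "$path" || return 1
    chmod 644 "$path" || return 1
    printf '%s\n' "$path"
}

# The real install: root-owned file in /Library/LaunchAgents, syntax-checked
# with plutil. launchd rejects an agent there that is not owned by root or is
# group/world-writable, so the chown and chmod are not optional.
install_demote_agent() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    [ -x "$PRIVILEGES_CLI" ] || { echo "PrivilegesCLI not found at $PRIVILEGES_CLI" >&2; return 1; }
    path=$(write_demote_agent /Library/LaunchAgents) || return 1
    chown root:wheel "$path" || return 1
    plutil -lint "$path" || return 1
    echo "installed $path; it takes effect at the next login"
}

# usage: `sudo sh demote-agent.sh install` to deploy, or `sh demote-agent.sh`
# with no argument to print the plist for review.
if [ "${1:-}" = "install" ]; then
    install_demote_agent
elif [ -z "${1:-}" ]; then
    demote_agent_plist
fi
```

After the next login, `launchctl print gui/$(id -u)/corp.sap.privileges.demote-on-login` shows whether the agent was loaded in that session, and the Privileges menu bar or Dock icon should show the user as standard. Treat this as session hygiene rather than hard enforcement: the agent runs in the user's own context, so a user who re-elevates with Privileges could also bootout the agent for the rest of that session; the root-owned file only prevents them from changing it permanently.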

The next time a user logs in, Privileges will ensure the session starts with standard user rights. Users may then use SAP Privileges to grant admin rights again as needed.

