PrivilegesDemoter v3.0

PrivilegesDemoter version 3 is here, and it’s a big update. While the main functions remain, several new options are available to make deployment and configuration much more flexible.

The original posts for previous versions are available here:

Version 3 is available on GitHub

PrivilegesDemoter is a script that allows users to self manage local administrator rights, while reminding them not to operate as an administrator for extended periods of time. Additionally, each elevation and demotion event is recorded and saved to a log file.

PrivilegesDemoter 3 has been written to be customizable for a number of different deployment scenarios. PrivilegesDemoter may be used on its own in standalone mode, or conjunction with SAP Privileges. It may be configured to notify users with IBM Notifier, Swift Dialog, or Jamf Helper.

The PrivilegesDemoter script runs every 5 minutes to check if the currently logged in user is an administrator. If this user is an admin, it adds a timestamp to a file and calculates how long the user has had admin rights. Once that calculation passes a certain threshold, the user is reminded to operate as a standard user whenever possible.

Summary of Changes in v3

  • PrivilegesDemoter now uses just one script and one LaunchDaemon (as opposed to 2 of each in versions 1 and 2)
  • The script is controlled with a configuration profile (blog.mostlymac.privilegesdemoter).
  • There is a JSON Schema available for configuring with Jamf Pro.
  • You can now exclude multiple administrator accounts from demotion.
  • The _mbsetupuser and root users are now excluded from demotion by default.
  • Swift Dialog is now available as a notification agent in addition to IBM Notifier and Jamf Helper.
  • You may now use a custom name for the IBM Notifier binary (if you have re-branded it for your organization).
  • The demotion reminder threshold can now be set with a configuration profile separately from the SAP Privileges dock tile timeout.
  • The main text in the reminder can be customized.
  • You many now configure the user to be demoted silently without a notification at all.
  • The demotion script now runs locally by default. If you would like it to run from Jamf Pro as it did in versions 1 and 2, you may configure it that way.
  • You may now customize the Jamf trigger if demoting from a Jamf Pro policy.
  • The script now allows for standalone elevation and demotion actions (without deploying SAP Privileges) Note: This requires an MDM with the ability to run scripts from a Self Service portal (like Jamf Pro).
  • The script now includes several new options when running locally. Using the script alone you can elevate, demote, demote silently, print the current user’s status, and calculate how much admin time has passed since the last time PrivilegesDemoter ran.

More information about how to set-up, use, and configure all of the above is available in the GitHub Wiki for the PrivilegesDemoter project.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s