Privileges Demoter v2.0

I have made some changes to the Privileges Demoter tool that are significant enough to benefit from a blog post. The original post for v1.0 is available here.

The new version is available on GitHub

Privileges Demoter is a tool, used in conjunction with the SAP Privileges app, that reminds users not to operate as an admin, and logs when a user switches from admin to standard and vice versa.

Changes in v2

The notification now relies on the IBM Notifier application, and only falls back to Jamf Helper if needed. IBM Notifier is included in the package installer, so no need to manage that separately. This allows for more flexibility such as a help button, a notification sound, and better exit codes.

v2 also includes the ability to exclude an admin account from ever seeing the reminder, or being demoted. If you have an admin account across your fleet, this feature can come in handy.

Log rotation is now enabled to ensure that excessive, or long term use does not bloat log files.

There are now two versions of the installer. One version includes just the PrivilegesDemoter pieces, while the other will install both PrivilegesDemoter and the Privileges application. This way you can deploy by installing just one package instead of managing things separately.


Recommended steps to begin using PrivilegesDemoter v2:

  1. Download the installer package that includes both PrivilegesDemoter and the Privileges application from GitHub. Available here: PrivilegesDemoter_PrivilegesApp-2.0.pkg
  2. Upload the package to your MDM.
  3. Create and scope a policy to install the package on devices.
  4. Upload the Demote Admin script to your MDM.
  5. Configure a policy to run Demote Admin

Script Configuration

  1. Configure a policy to run Demote Admin
    1. IMPORTANT: Use custom trigger “privilegesDemote(this trigger is hard coded in the privileges demotion LaunchDaemon)
    2. Set it to ongoing
    3. Make it available offline
    4. Scope to all devices with Privileges installed

5. Configure the options for Demote Admin by editing the script, or using Jamf Pro script parameters.

  • help_button_status should be set to 1 to enable the help button, or 0 to disable.
  • help_button_type may be set to either link or infopopup
  • help_button_payload defines the payload for the help button. Either a URL for link type, or text for infopopup type.
  • notification_sound is enabled by default. Set to 0 to disable. Leave blank or set to 1 to enable.
  • admin_to_exclude may be set to the username of an admin that should be excluded from the reminder and never be demoted.

Updating from v1 to v2

  1. You may install the v2 package over top of the v1 package safely. Simply install the new package to update.
  2. You must also update the demotion script in your MDM. Upload the new Demote Admin script, or overwrite the old one.
    1. Configure script parameter options with helpful names as shown above
  3. Configure the available options in the policy as needed.

Jamf Pro Extension Attribute

The following Extension Attribute may be used to identify devices that have been updated to v2 of PrivilegesDemoter.

# Get PrivilegesDemoter version
version=$( grep Version /usr/local/mostlymac/ | cut -f2 -d ":" )
# If version is present, set result
if [ "$version" ]; then
# Return version
/bin/echo "<result>${RESULT}</result>"