Use this repo to assist in deploying the SAP Enterprise Privileges App to your Mac fleet.
The base installation of Privileges does not have a way to remove user privileges automatically if the Privileges app is launched by clicking on the app and then selecting Request privileges. In this scenario, the user will remain an admin until they manually remove their own privileges by launching the app again.
Enter privilegeschecker.sh ...
Using this script, plus an associated LaunchAgent, an IT admin can set a default amount of time for the user to remain an admin and automatically toggle the user back to standard, even with preference keys enabled. The script does this by first checking the currently logged-in user's privilege level. Then, using the SAP `PrivilegesCLI` binary, it demotes the user back to standard if they are an admin.
A sample LaunchAgent can be found in this repo here.
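
The check-then-demote flow described above, sketched as an added example (not the repo's privilegeschecker script). The function names, the `id -Gn` membership test and the default `PrivilegesCLI` path are assumptions; the group match is exact so that membership in `_lpadmin` is not mistaken for `admin`.

```shell
#!/bin/sh
# Added example: timed demotion check (not the repo's own script).
# Assumed defaults; both can be overridden from the environment.
PRIVILEGES_CLI="${PRIVILEGES_CLI:-/Applications/Privileges.app/Contents/Resources/PrivilegesCLI}"
MINUTES_TO_WAIT="${MINUTES_TO_WAIT:-20}"

# Succeeds only if $2 is an exact entry in the space-separated group list $1.
# Exact matching matters: macOS has an "_lpadmin" group that contains "admin".
in_group() {
    for g in $1; do
        if [ "$g" = "$2" ]; then
            return 0
        fi
    done
    return 1
}

# Prints "standard", "demoted" or "failed" for the given user.
demote_if_admin() {
    user="$1"
    if ! in_group "$(id -Gn "$user")" admin; then
        echo standard
        return 0
    fi
    sleep $((MINUTES_TO_WAIT * 60))
    # Re-check after the wait: the user may have dropped rights themselves.
    if ! in_group "$(id -Gn "$user")" admin; then
        echo standard
        return 0
    fi
    # PrivilegesCLI acts on the user it runs as, so this must run in the
    # logged-in user's session (for example from a LaunchAgent).
    if "$PRIVILEGES_CLI" --remove >/dev/null 2>&1; then
        echo demoted
    else
        echo failed
        return 1
    fi
}

# Runs only when invoked with --run; the console user lookup is macOS-specific.
if [ "${1:-}" = "--run" ]; then
    demote_if_admin "$(stat -f%Su /dev/console)"
fi
```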
Privileges.app for macOS is designed to allow users to work as a standard user for day-to-day use, by providing a quick and easy way to get administrator rights when needed. When you do need admin rights, you can get them by clicking on the Privileges icon in your Dock.
More info about the Privileges.app can be found in the SAP macOS Enterprise Privileges Repo.
Sample preference files to manage Privileges can be found here.
privilegeschecker supports the following macOS versions:
- macOS 12.0.1
- macOS 11.x
- macOS 10.15.x
- Download the latest release package here.
  - This installer is configured to remove admin privileges after 20 minutes.
  - If you would like to configure a different amount of time, see Modifying the privilegeschecker script.
- Upload the package to your MDM.
- Deploy the package to your Mac fleet.
To change the amount of time that `privilegeschecker` will wait until it toggles the logged-in user's privileges back to standard, you will need to perform the following steps:
- Download the sample-packages-project zip file.
- Open the `privilegeschecker.zsh` script in a text editor. (payload > Library > Scripts > mdmhelpers)
- Modify the `MINUTES_TO_WAIT` variable to the desired amount of time.

```
###################################################################################################
################################ VARIABLES ########################################################
###################################################################################################
# Number of minutes to wait before removing admin rights from the current user.
# If you want to do 2 hours, for example, it would look like 120 minutes.
MINUTES_TO_WAIT=20
```

- Create a new installer package containing the update.
  - The Packages.app tool was used here, but any packaging method can be used.
This project is 'as-is' with no support. You are welcome to make changes to improve it but we are not available for questions or support of any kind.