SAP / macOS-enterprise-privileges

For Mac users in enterprise environments, this application gives users control over the administration of their machine by elevating their level of access to administrator privileges on macOS. Users can set a timeframe in the application's settings to perform specific tasks, such as installing or removing an application.
Apache License 2.0

DockToggleTimeOut #26

Closed ImJustPhil closed 2 years ago

ImJustPhil commented 2 years ago

Hi all,

NB: I'm not a dev, so my jargon might not be clear-cut.

Apologies if this is glaringly obvious, but I'm hitting my head against a brick wall here. I have been tasked with onboarding MacOS devices via JAMF and came across this app to help with temporary elevated permissions.

The config is working apart from the DockToggleTimeOut/MaxTimeOut items.

To my understanding, once the user requests admin privileges, after "x" amount of time, the user will be demoted back to a standard user and will need to request again. As a test I have set it to be 5mins, however after 20mins to satisfy the MaxTimeOut, the account is still Admin?

Anyone else able to explain this? Or am I just interpreting the functionality wrong?

best, Phil

aleksozerov commented 2 years ago

@ImJustPhil I banged my head against the wall on this one as well, so I am happy to share my finding (someone else here set me straight). DockToggleTimeOut/MaxTimeOut works ONLY when you use the "Toggle privileges" feature. If a user went to "Applications/Privileges" and requested privileges that way, it will not work.
Additionally, the "Toggle privileges" feature doesn't work if you set ReasonRequired or (I believe) RequireAuthentication. Hope this helps.
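
An added example (not code from this thread or from the SAP project): a small linter for a Privileges settings plist that flags the conflict reported in the comment above before the profile is deployed. The key names are taken from the thread as written and matched case-insensitively; the finding codes, the sample plist and the flattening of a profile's `PayloadContent` list are assumptions made for this example.

```python
import plistlib

# Key names as written in the thread, lowercased: lookups are case-insensitive
# because the thread's capitalisation is not verified against the app (assumption).
TIMEOUT_KEYS = ("docktoggletimeout", "docktogglemaxtimeout")
BLOCKING_KEYS = ("reasonrequired", "requireauthentication")

# Constructed sample: the first poster's values (5 / 20 minutes) plus a reason prompt.
SAMPLE = b"""<plist version="1.0"><dict>
  <key>DockToggleTimeOut</key><integer>5</integer>
  <key>DockToggleMaxTimeOut</key><integer>20</integer>
  <key>ReasonRequired</key><true/>
  <key>RequireAuthentication</key><false/>
</dict></plist>"""


def load_settings(data: bytes) -> dict:
    """Parse a bare settings plist, or flatten a profile's PayloadContent list."""
    root = plistlib.loads(data)
    payloads = root.get("PayloadContent")
    if isinstance(payloads, list):
        root = {k: v for p in payloads if isinstance(p, dict) for k, v in p.items()}
    return {k.lower(): v for k, v in root.items()}


def lint(data: bytes) -> list[tuple[str, str]]:
    """Return (code, message) findings based on the behaviour reported in the thread."""
    s = load_settings(data)
    timeouts = [k for k in TIMEOUT_KEYS if k in s]
    blockers = [k for k in BLOCKING_KEYS if s.get(k) is True]
    if not timeouts:
        return [("NO_TIMEOUT", "no Dock toggle timeout is configured")]
    if blockers:
        return [("TOGGLE_BLOCKED", "timeout set, but " + ", ".join(blockers)
                 + " is enabled, so Toggle privileges and its timeout are unavailable")]
    return [("DOCK_ONLY", "timeout covers only grants made with Toggle privileges; "
             "grants requested from the app window are not time-limited")]


if __name__ == "__main__":
    for code, msg in lint(SAMPLE):
        print(f"{code}: {msg}")
```

Any finding means some path to administrator rights has no automatic expiry under the behaviour described here, so that path needs a separate demotion mechanism.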

ImJustPhil commented 2 years ago

@aleksozerov - that makes so much sense! I will give that a try

Thank you for the super quick response. I'll post my findings.

ImJustPhil commented 2 years ago

@aleksozerov this did indeed work when removing both the "ReasonRequired" & "RequireAuthentication" features. So for that THANK YOU!

A question to any audience would be that this seems sort of pointless, having to instruct users to long press an app and select the "Toggle Privileges" option as opposed to the intuitive click on the app. Then also having the "RequireReason" and "RequireAuthentication" disabled, which would in our environment be more desirable, but at the loss of a timeout and need to reboot for permissions to revert.

Anyone got around this at all?

grahampugh commented 2 years ago

This script will cause the admin rights to be removed after a set period regardless of how the app is launched:

https://github.com/eth-its/autopkg-mac-recipes-yaml/blob/main/Scripts/Privileges-postinstall.sh

It's designed to work in Jamf Pro, hence the duration is set with "Parameter 4" ($4). You could just change that to a fixed value, or switch to $1 if launching the script in another way.

ImJustPhil commented 2 years ago

@grahampugh many thanks for this. I will give this a go!