Managing Privileges
Here you can find information about all app settings that can be configured via a configuration profile:
key: ExpirationInterval
value: a positive integer
Set a fixed time interval after which administrator privileges expire and revert to standard user rights. A value of 0 disables the timeout and allows the user to request permanent administrator privileges.
key: ExpirationIntervalMax
value: a positive integer
Set a maximum time interval for a user to request administrative privileges. This generally works the same way as `ExpirationInterval`, but allows the user to choose any timeout value up to the specified one. So if the admin sets `ExpirationIntervalMax` to 20 minutes, the user can choose any value up to 20 minutes instead of being forced to use the 20 minute timeout. For usability reasons, we recommend using `ExpirationIntervalMax` instead of `ExpirationInterval`. If both `ExpirationIntervalMax` and `ExpirationInterval` are set, the value of `ExpirationInterval` takes precedence over `ExpirationIntervalMax`.
key: EnforcePrivileges
value: a string containing the value `admin`, `user` or `none`
Enforces specific privileges. The privileges are immediately enforced by the Privileges Dock tile plugin (even if Privileges is not in the Dock). If `EnforcePrivileges` is set to `none`, it is no longer possible to change privileges with the Privileges application or any of its bundled applications.
key: RequireAuthentication
value: a boolean
Specifies whether authentication is required to obtain administrator privileges. If set to true, the user is prompted for the account password (or Touch ID, if available). Note that once this option is enabled, privileges cannot be changed from the Privileges Dock tile menu unless AllowCLIBiometricAuthentication is also enabled.
key: AllowCLIBiometricAuthentication
value: a boolean
Specifies whether to allow biometric authentication in the PrivilegesCLI to obtain administrator privileges. When set to true, the Privileges agent prompts the user for the account password (or Touch ID, if available).
key: PostChangeExecutablePath
value: a string containing the absolute path to an application or script
If set, the PrivilegesAgent executes the given application or script and provides the current user's user name ($1) and its privileges (`admin` or `user`, $2) as launch arguments. If the application or script does not exist or is not executable, the launch operation fails silently.
key: PostChangeActionOnGrantOnly
value: a boolean
If set to true, the application or script specified in `PostChangeExecutablePath` is only executed when administrator privileges are granted to a user, not when they are revoked.
key: RevokePrivilegesAtLogin
value: a boolean
If set to true, the user's administrator privileges are revoked at login.
key: HideOtherWindows
value: a boolean
By default, Privileges hides open windows to show the desktop and ensure that only the Privileges window is visible on the screen. Set HideOtherWindows to false to disable this function.
key: LimitToUser
value: a string containing the user's short name (deprecated) or an array of strings containing the user's short names
Restricts use of the application to the specified user or list of users. When used with a client management system that supports variables in configuration profiles, variables such as $USERNAME can be used here.
Note: Please use the array of strings instead of the string value. The string value is only there for backwards compatibility to version 1.x and support for it will be removed in a future version of Privileges.
key: LimitToGroup
value: a string containing the name of the group (deprecated) or an array of strings containing the group names
Restricts use of the application to the specified group or list of groups.
Note: Please use the array of strings instead of the string value. The string value is only there for backwards compatibility to version 1.x and support for it will be removed in a future version of Privileges.
key: ReasonRequired
value: a boolean
When set to true, the user must provide a reason for requesting administrator privileges. The reason is logged. Note that once this option is enabled, privileges cannot be changed from the Privileges Dock tile menu.
key: ReasonMinLength
value: a positive integer below 255
If `ReasonRequired` is set to true, this key specifies the minimum number of characters the user has to enter as the reason for becoming an admin. If not set, the value defaults to 10. If a value < 1 is specified or if `ReasonMinLength` is > 254, the value is set to the default.
key: ReasonMaxLength
value: a positive integer <= 250
If `ReasonRequired` is set to true, this key specifies the maximum number of characters the user can enter as the reason for becoming an admin. If not set, the value defaults to 250. If a value > 250 is specified or if `ReasonMaxLength` is <= `ReasonMinLength`, the value is set to the default.
key: ReasonPresetList
value: an array of dictionaries
If `ReasonRequired` is set to true, this key allows you to pre-define a list of possible reasons (for becoming an admin) the user can choose from. If set, an additional pop-up menu appears in the dialog box. This only works for the GUI version of Privileges.
A dictionary should contain these keys and values:
- a key containing the locale identifier for each language (for example, `en` or `zh`)
- a value containing the localized reason string for that language
- an optional key `default` with a value containing the unlocalized reason string
If no exact match is found, the `default` localization is used. If there is no `default` localization, the `en` localization is used. If there is no `en` localization, the dictionary is skipped. Here's how the general structure should look:
```xml
<key>ReasonPresetList</key>
<array>
<dict>
<key>de</key>
<string>Um Software zu installieren</string>
<key>en</key>
<string>For installing software</string>
<key>es</key>
<string>Para la instalación de software</string>
<key>it</key>
<string>Per l'installazione del software</string>
<key>default</key>
<string>For installing software</string>
</dict>
<dict>
…
</dict>
</array>
```
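The fallback order described above (exact locale match, then `default`, then `en`, otherwise skip the dictionary) is easy to get wrong when hand-writing a profile. The following is an added example, not code from the Privileges project, that resolves a `ReasonPresetList` for a given locale exactly by those rules; the preset list is a constructed sample mirroring the plist structure above, and the second and third dictionaries are assumptions added to exercise the skip and `en` fallback cases.

```python
# Added example, not the app's own code: resolve ReasonPresetList entries for a
# locale using the documented order: exact locale -> "default" -> "en" -> skip.

# Constructed sample in the shape plistlib would return for the profile above.
REASON_PRESET_LIST = [
    {
        "de": "Um Software zu installieren",
        "en": "For installing software",
        "es": "Para la instalación de software",
        "it": "Per l'installazione del software",
        "default": "For installing software",
    },
    # Assumed entry: no "default" and no "en", so every other locale skips it.
    {"fr": "Pour installer un logiciel"},
    # Assumed entry: no "default", so non-German locales fall back to "en".
    {"de": "Für ein Update", "en": "For an update"},
]


def localized_reason(entry, locale):
    """Return the reason string of one dictionary for `locale`, or None if the
    dictionary has no usable localization and must be skipped."""
    if not isinstance(entry, dict):
        return None
    for key in (locale, "default", "en"):
        value = entry.get(key)
        if isinstance(value, str) and value:
            return value
    return None


def reason_menu(preset_list, locale):
    """Reason strings in menu order; dictionaries that resolve to None are dropped."""
    menu = []
    for entry in preset_list:
        text = localized_reason(entry, locale)
        if text is not None:
            menu.append(text)
    return menu


if __name__ == "__main__":
    for loc in ("de", "fr", "es", "zh"):
        print(loc, "->", reason_menu(REASON_PRESET_LIST, loc))
```

Running it for `zh` shows the practical consequence of omitting `default` and `en`: the French-only dictionary silently disappears from the menu, which is the behaviour described above rather than an error.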
key: ReasonCheckingEnabled
value: a boolean
If set to true, the text the user enters for a reason is roughly parsed for valid words. If the text does not contain any valid words, the Request Privileges button remains grayed out, even if the minimum number of characters has been entered. The test passes if the text contains any valid words, even if they don't make sense.
This feature is experimental and disabled by default. If you enable it, please check carefully that it works as expected in your environment.
key: HideSettingsButton
value: a boolean
If set to true, the Settings button is no longer displayed in the app.
key: HideSettingsFromDockMenu
value: a boolean
If set to true, the Settings menu item is no longer displayed in the Dock tile's menu.
key: RemoteLogging
value: a dictionary containing the server information:
key: ServerType
value: a string specifying the type of the logging server
At the moment `syslog` and `webhook` are the only supported values.
key: ServerAddress
value: a string containing the address of the logging server
The server address can be an IP address or host name if a syslog server is configured. For webhooks please provide an HTTP(S) URL.
key: SyslogOptions
value: a dictionary containing syslog-specific options:
key: ServerPort
value: an integer specifying the port of the logging server. If not specified, the port defaults to 514, or to 6514 if TLS is enabled.
key: UseTLS
value: a boolean
If set to true, TLS is enabled for the connection. Please make sure your clients have a certificate installed that matches Apple's requirements. Please see https://support.apple.com/en-us/103769 for further information.
key: LogFacility
value: an integer specifying the syslog facility
If not specified, facility defaults to 4 (security). Please see https://tools.ietf.org/html/rfc5424#section-6.2.1 for further information.
key: LogSeverity
value: an integer specifying the syslog severity
If not specified, severity defaults to 6 (informational). Please see https://tools.ietf.org/html/rfc5424#section-6.2.1 for further information.
key: MaximumMessageSize
value: an integer specifying the maximum size of the syslog message (header + event message)
If not specified, the value defaults to 480, which is the minimum maximum message size a syslog server must support. If the syslog message is larger than the specified maximum, the message is truncated at the end. Please see https://tools.ietf.org/html/rfc5424#section-6.1 for further information.
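To see how the `SyslogOptions` keys combine, the following added example (not code from the Privileges project) builds an RFC 5424 message the way the options above describe it: the PRI field is facility * 8 + severity with the documented defaults of 4 and 6, the port follows `ServerPort` / `UseTLS`, and the result is cut at the end when it exceeds `MaximumMessageSize`. The host name, app name and event text are constructed sample values; the real agent's message wording is not shown on this page.

```python
# Added example, not part of the Privileges project: assemble an RFC 5424 syslog
# message from the documented SyslogOptions defaults. Sample values are constructed.
from datetime import datetime, timezone

DEFAULT_FACILITY = 4      # security (RFC 5424 section 6.2.1)
DEFAULT_SEVERITY = 6      # informational
DEFAULT_MAX_SIZE = 480    # smallest maximum a receiver must accept (RFC 5424 section 6.1)

# Constructed event text, not the agent's actual log format.
SAMPLE_EVENT = 'user "jdoe" requested admin rights, reason: "For installing software"'


def pri(facility=DEFAULT_FACILITY, severity=DEFAULT_SEVERITY):
    """PRI = facility * 8 + severity, with the RFC 5424 value ranges enforced."""
    if not 0 <= facility <= 23:
        raise ValueError("LogFacility must be 0..23")
    if not 0 <= severity <= 7:
        raise ValueError("LogSeverity must be 0..7")
    return facility * 8 + severity


def syslog_port(options):
    """ServerPort if set; otherwise 514, or 6514 when UseTLS is true."""
    if "ServerPort" in options:
        return int(options["ServerPort"])
    return 6514 if options.get("UseTLS") else 514


def build_message(event, options, hostname="mac-0001.example.test",
                  app_name="PrivilegesAgent", timestamp=None):
    """Assemble '<PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG' and
    truncate at the end so the whole message fits MaximumMessageSize."""
    facility = int(options.get("LogFacility", DEFAULT_FACILITY))
    severity = int(options.get("LogSeverity", DEFAULT_SEVERITY))
    max_size = int(options.get("MaximumMessageSize", DEFAULT_MAX_SIZE))
    if timestamp is None:
        timestamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    header = f"<{pri(facility, severity)}>1 {timestamp} {hostname} {app_name} - - -"
    raw = f"{header} {event}".encode("utf-8")
    # Truncate on the byte count and drop any partial multibyte sequence at the cut.
    return raw[:max_size].decode("utf-8", errors="ignore")


if __name__ == "__main__":
    opts = {"UseTLS": True, "LogFacility": 4, "LogSeverity": 6, "MaximumMessageSize": 480}
    print("port:", syslog_port(opts))
    print(build_message(SAMPLE_EVENT, opts))
```

The truncation step is the one to keep in mind when choosing `MaximumMessageSize`: with the 480 byte default, a long reason text entered by the user is what gets cut, so a receiver that accepts 2048 octets (which RFC 5424 recommends) is worth configuring explicitly if reasons must arrive intact.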
Some sample configuration profiles are available via the links below:
- Privileges ExpirationInterval macOS Configuration Profile
- Privileges ExpirationIntervalMax macOS Configuration Profile
- Privileges EnforcePrivileges macOS Configuration Profile
- Privileges LimitToGroup macOS Configuration Profile
- Privileges LimitToUser macOS Configuration Profile
- Privileges ReasonRequired macOS Configuration Profile
- Privileges RemoteLogging macOS Configuration Profile
- Privileges RequireAuthentication macOS Configuration Profile
The Privileges app icon changes its appearance in the dock (screenshot below) if the app is managed by a macOS configuration profile that uses one or more of the following management keys:
- EnforcePrivileges
- LimitToGroup
- LimitToUser
Note: Other management keys do not trigger the icon change.
To enable notifications, for example, or to allow the PrivilegesAgent and daemon to run without requiring approval from the user, the settings have to be pushed via a configuration profile. You can see an example below:
```xml
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadContent</key>
<dict>
<key>corp.sap.privileges</key>
<dict>
<key>Forced</key>
<array>
<dict>
<key>mcx_preference_settings</key>
<dict>
<key>RevokePrivilegesAtLogin</key>
<true/>
</dict>
</dict>
</array>
</dict>
</dict>
<key>PayloadDescription</key>
<string></string>
<key>PayloadDisplayName</key>
<string>Privileges configuration</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>com.apple.ManagedClient.preferences.36132147-235E-4663-ADA8-2664C67C4DD2</string>
<key>PayloadOrganization</key>
<string>SAP SE</string>
<key>PayloadType</key>
<string>com.apple.ManagedClient.preferences</string>
<key>PayloadUUID</key>
<string>36132147-235E-4663-ADA8-2664C67C4DD2</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
<dict>
<key>NotificationSettings</key>
<array>
<dict>
<key>AlertType</key>
<integer>1</integer>
<key>BadgesEnabled</key>
<false/>
<key>BundleIdentifier</key>
<string>corp.sap.privileges.agent</string>
<key>NotificationsEnabled</key>
<true/>
<key>ShowInLockScreen</key>
<false/>
<key>ShowInNotificationCenter</key>
<false/>
<key>SoundsEnabled</key>
<false/>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>Notifications Payload</string>
<key>PayloadIdentifier</key>
<string>com.apple.notificationsettings.82F3A882-88ED-4B92-8A03-332A9874FDD0</string>
<key>PayloadOrganization</key>
<string>SAP SE</string>
<key>PayloadType</key>
<string>com.apple.notificationsettings</string>
<key>PayloadUUID</key>
<string>82F3A882-88ED-4B92-8A03-332A9874FDD0</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
<dict>
<key>PayloadDisplayName</key>
<string>Service Management Payload</string>
<key>PayloadIdentifier</key>
<string>com.apple.servicemanagement.AD895F7A-40F5-454A-B70F-6AA00C3738CF</string>
<key>PayloadOrganization</key>
<string>SAP SE</string>
<key>PayloadType</key>
<string>com.apple.servicemanagement</string>
<key>PayloadUUID</key>
<string>AD895F7A-40F5-454A-B70F-6AA00C3738CF</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Rules</key>
<array>
<dict>
<key>Comment</key>
<string>Approves Privileges and its components</string>
<key>RuleType</key>
<string>TeamIdentifier</string>
<key>RuleValue</key>
<string>7R5ZEU67FQ</string>
</dict>
</array>
</dict>
</array>
<key>PayloadDescription</key>
<string></string>
<key>PayloadDisplayName</key>
<string>SAP Privileges Settings</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>408756F8-4B31-4296-84BA-6B4B8A73E085</string>
<key>PayloadOrganization</key>
<string>SAP SE</string>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>67923C22-5FCA-4F48-A63C-02A160A9F089</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
```
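Several of the rules on this page are applied silently by the app (`ExpirationInterval` overriding `ExpirationIntervalMax`, out-of-range `ReasonMinLength` / `ReasonMaxLength` values falling back to their defaults, the deprecated string form of `LimitToUser` / `LimitToGroup`), so a profile can deploy without error and still not behave as intended. The following added linter, which is not code from the Privileges project, reads a `.mobileconfig` with Python's `plistlib`, walks the `PayloadContent` / `corp.sap.privileges` / `Forced` / `mcx_preference_settings` structure shown in the example above, and reports those cases before the profile is pushed. The embedded profile is a constructed sample that deliberately contains each mistake; the set of known keys is taken from this page, and comparing `ReasonMaxLength` against the effective (already defaulted) minimum is an assumption on my part.

```python
# Added example, not part of the Privileges project: lint the corp.sap.privileges
# settings in a configuration profile against the rules documented on this page.
import plistlib

DOMAIN = "corp.sap.privileges"

# Management keys listed on this page; anything else is reported as unknown.
KNOWN_KEYS = {
    "ExpirationInterval", "ExpirationIntervalMax", "EnforcePrivileges",
    "RequireAuthentication", "AllowCLIBiometricAuthentication",
    "PostChangeExecutablePath", "PostChangeActionOnGrantOnly",
    "RevokePrivilegesAtLogin", "HideOtherWindows", "LimitToUser", "LimitToGroup",
    "ReasonRequired", "ReasonMinLength", "ReasonMaxLength", "ReasonPresetList",
    "ReasonCheckingEnabled", "HideSettingsButton", "HideSettingsFromDockMenu",
    "RemoteLogging",
}

# Constructed sample profile containing one instance of every problem the linter finds.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.ManagedClient.preferences</string>
    <key>PayloadContent</key><dict>
      <key>corp.sap.privileges</key><dict>
        <key>Forced</key><array><dict>
          <key>mcx_preference_settings</key><dict>
            <key>ExpirationInterval</key><integer>20</integer>
            <key>ExpirationIntervalMax</key><integer>60</integer>
            <key>EnforcePrivileges</key><string>root</string>
            <key>LimitToUser</key><string>jdoe</string>
            <key>ReasonRequired</key><true/>
            <key>ReasonMinLength</key><integer>300</integer>
            <key>ReasonMaxLength</key><integer>5</integer>
            <key>ExpirationIntervall</key><integer>20</integer>
          </dict>
        </dict></array>
      </dict>
    </dict>
  </dict></array>
</dict></plist>
"""


def managed_settings(profile_bytes):
    """Merge every mcx_preference_settings dict for the Privileges domain."""
    profile = plistlib.loads(profile_bytes)
    settings = {}
    for payload in profile.get("PayloadContent", []):
        domain = payload.get("PayloadContent", {}).get(DOMAIN, {})
        for forced in domain.get("Forced", []):
            settings.update(forced.get("mcx_preference_settings", {}))
    return settings


def effective_reason_lengths(settings):
    """Apply the documented defaulting: min -> 10 if < 1 or > 254; max -> 250 if > 250
    or <= min. Assumption: the comparison uses the already-defaulted minimum."""
    min_len = settings.get("ReasonMinLength", 10)
    if not isinstance(min_len, int) or min_len < 1 or min_len > 254:
        min_len = 10
    max_len = settings.get("ReasonMaxLength", 250)
    if not isinstance(max_len, int) or max_len > 250 or max_len <= min_len:
        max_len = 250
    return min_len, max_len


def lint(settings):
    """Return a list of human-readable findings; an empty list means no issues."""
    findings = []
    for key in sorted(settings):
        if key not in KNOWN_KEYS:
            findings.append(f"unknown key {key!r} (typo?)")
    if "ExpirationInterval" in settings and "ExpirationIntervalMax" in settings:
        findings.append("ExpirationInterval takes precedence over ExpirationIntervalMax; remove one")
    enforce = settings.get("EnforcePrivileges")
    if enforce is not None and enforce not in ("admin", "user", "none"):
        findings.append(f"EnforcePrivileges must be admin, user or none, got {enforce!r}")
    for key in ("LimitToUser", "LimitToGroup"):
        if isinstance(settings.get(key), str):
            findings.append(f"{key} uses the deprecated string form; use an array of strings")
    min_len, max_len = effective_reason_lengths(settings)
    if settings.get("ReasonMinLength") not in (None, min_len):
        findings.append(f"ReasonMinLength is out of range; the app falls back to {min_len}")
    if settings.get("ReasonMaxLength") not in (None, max_len):
        findings.append(f"ReasonMaxLength is invalid; the app falls back to {max_len}")
    return findings


if __name__ == "__main__":
    for finding in lint(managed_settings(SAMPLE_PROFILE)):
        print("WARN:", finding)
```

To check a real profile, replace `SAMPLE_PROFILE` with the bytes read from the `.mobileconfig` file; signed profiles must be unwrapped first, since `plistlib` only parses the plain XML or binary plist.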