One of the open-source contributions by the Apple@SAP team has been Privileges.app, a tool designed to grant or take away administrator rights from accounts on macOS. The general idea behind Privileges is that it allows people to work with the account privileges of a standard user for day-to-day use, but allows them to get administrator rights when needed.
Documentation for Privileges.app can be found in the GitHub repo which hosts it, available via the link below:
https://github.com/SAP/macOS-enterprise-privileges
However, one item not included in that documentation is how to package it for deployment. Instead, AutoPkg recipes were written and made available to automate the packaging process:
However, not everyone is able to use AutoPkg in their environment, so manual packaging instructions are now available here. For more details, please see below the jump:
Downloading the latest release of Privileges
Privileges.app is available for download from GitHub, via the following link:
https://github.com/SAP/macOS-enterprise-privileges/releases/latest
From there, click on the Privileges.zip download link.
Once uncompressed, Privileges.app is self-contained and can be installed via drag and drop.
Packaging Privileges.app
Pre-requisites:
1. Set up a new Packages project and select Raw Package.
2. In this case, I’m naming the project Privileges and storing the project files in my home folder.
3. Once the Packages project opens, click on the Project tab. You’ll want to make sure that your information is correctly set here. (If you don’t know what to put in, check the Help menu for the Packages User Guide. The information you need is in Chapter 4 – Configuring a project.)
In this example, I’m not changing any of the options from what is set by default.
4. Next, click on the Settings tab. In the case of my project, I want to install with root privileges and not require a logout, restart or shutdown.
To accomplish this, I’m choosing the following options in the Settings section:
In the Tag section:
- Identifier: set as appropriate (for my installer, I’m using com.companyname.pkg.Privileges)
- Version: set as appropriate (for my installer, I’m using 1.0.3)
In the Post-installation Behavior section:
- On Success: should be set to Do Nothing
In the Options section:
- Require admin password for installation should be checked
- Relocatable should be unchecked
- Overwrite directory permissions should be unchecked
- Follow symbolic links should be unchecked
7. Select the Payload tab.
8. Select the Applications directory.
9. Under the Hierarchy menu, select Add Files…
10. Select Privileges.app.
11. By default, the permissions for the app will be as follows:
Owner: root
Group: admin
Access: drwxr-xr-x
Change the permissions to match the following:
Owner: root
Group: wheel
Access: drwxr-xr-x
12. Select the Scripts tab.
The last part is adding a preinstall script and postinstall script. Here’s the preinstall script being used for this installer package:
If not already selected, select the preinstall script and add it to the project.
Note: This is the same preinstall script used by the AutoPkg .pkg recipe for Privileges.
Here’s the postinstall script being used for this installer package:
If not already selected, select the postinstall script and add it to the project.
Note: This is the same postinstall script used by the AutoPkg .pkg recipe for Privileges.
13. Build the package. (If you don’t know how to build, check the Help menu for the Packages User Guide. The information you need is in Chapter 3 – Creating a raw package project and Chapter 10 – Building a project.)
Testing the installer
Once the package has been built, test it by installing it on a test machine which meets the following condition:
- Does not have Privileges.app installed
The end result should be that Privileges.app installs into /Applications and is able to do the following tasks:
- Grant admin rights to a standard user
- Take away admin rights from an admin user
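The ownership, access and version settings chosen during packaging can also be checked on the test Mac after installation. The script below is an added example, not part of the original post or the Privileges project; it assumes the identifier and version from the example project above, and the function names and sample inputs are illustrative.

```shell
#!/bin/sh
# Added example: verify the installed payload and the package receipt.
APP_PATH="/Applications/Privileges.app"
PKG_ID="com.companyname.pkg.Privileges"   # identifier from the example project
PKG_VERSION="1.0.3"                       # version from the example project

# check_listing LINE
# LINE is one line of `ls -ld` output. Returns 0 only if the bundle is a
# directory owned by root:wheel with access drwxr-xr-x, as set in step 11.
check_listing() {
    rc=0
    read -r mode _links owner group _rest <<EOF
$1
EOF
    # macOS appends '@' (extended attributes) or '+' (ACL) to the mode field.
    case $mode in
        *+) echo "note: an ACL is present on the bundle" >&2 ;;
    esac
    mode=${mode%[@+]}
    [ "$mode" = "drwxr-xr-x" ] || { echo "mode is $mode, expected drwxr-xr-x"; rc=1; }
    [ "$owner" = "root" ]      || { echo "owner is $owner, expected root"; rc=1; }
    [ "$group" = "wheel" ]     || { echo "group is $group, expected wheel"; rc=1; }
    return $rc
}

# check_receipt TEXT
# TEXT is the output of `pkgutil --pkg-info`. Returns 0 if the version
# recorded in the receipt matches PKG_VERSION.
check_receipt() {
    found=$(printf '%s\n' "$1" | sed -n 's/^version: //p')
    [ "$found" = "$PKG_VERSION" ] || {
        echo "receipt version is '$found', expected $PKG_VERSION"
        return 1
    }
}

# verify_install: run both checks against the local Mac.
verify_install() {
    check_listing "$(ls -ld "$APP_PATH")" || return 1
    check_receipt "$(pkgutil --pkg-info "$PKG_ID")" || return 1
    echo "Privileges.app payload and receipt match the project settings"
}

# Run on the test Mac with: sh verify_privileges.sh --verify
if [ "${1:-}" = "--verify" ]; then verify_install; fi
```

A group of admin in the output means the default payload permissions from step 11 were not changed before the build.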