Privileges.app and time-limited admin
Privileges is an open source tool from SAP which helps folks manage admin rights for their account. As part of its feature set, it includes an option for time-limited admin using a specific function called Toggle privileges.
However, Toggle privileges’s time-limited admin feature for Privileges is its most misunderstood feature. The reason is that while the ability to set a time limit is only available if you’re using the Toggle privileges function, many users assume that this time-limited admin is available universally to all the functions used to get admin rights using the Privileges app.
It is not. Time limited admin is only available using the Toggle privileges function. If you’re not using the Toggle privileges function, there is no time limitation and you cannot set one from within the Privileges app.
This information is available in the Privileges FAQ:
- Question: By default, is there a time limit on the admin rights granted by Privileges?
- Answer: No. Admin rights are granted until some process (like running Privileges again) takes them away.
- Question: Can I set Privileges to give me administrator rights for a defined amount of time?
- Answer: Yes. You can use the Toggle Privileges option on the dock icon to get admin rights for a set amount of time (the default amount is 20 minutes.)
What does this mean?
- The only way time-limited admin is currently working on Privileges is by using the Toggle privileges function.
- If you are clicking on the icon in the dock and not selecting the Toggle privileges function, there’s no time limit.
- If you’re using the PrivilegesCLI command line tool, there is no time limit.
How long do you have admin if you’re not using the Toggle privileges function? Admin rights are granted until some process (like running Privileges again) takes them away. There’s no time limit.
All of the Privileges management options available for time-limited admin at this time apply only to the Toggle privileges function. If you’re using any of the management settings options listed below, they apply only and exclusively to the Toggle privileges function:
- DockToggleTimeout
- DockToggleMaxTimeout
They will not manage time-limited admin for any of Privileges’ functions outside of using the Toggle privileges function.
What if you want time-limited admin outside of using the Toggle privileges function? You will need to use a separate mechanism. In my case, I usually point folks towards using PrivilegesDemoter:
https://github.com/sgmills/PrivilegesDemoter
This tool uses a separate mechanism for figuring out the timing and then uses the PrivilegesCLI command line tool to take away admin when the time limit set for PrivilegesDemoter expires.
Specifying shell commands to run when opening new Terminal windows from macOS’s Terminal settings
As a follow-up to a previous post, as part of that post I had been running certain shell commands by adding them to a .zshrc file:
- export PS1=”\$ “: Sets the prompt to only display “$” (no quotes) using the PS1 environmental variable.
- unset zle_bracketed_paste: Disable the zsh shell’s bracketed paste feature.
With some additional research, I learned that I could also run these commands using the Run command function which is available in your Terminal settings under the Shell tab.
To replicate what I wanted, I had to enable the Run command option in the Shell tab, then also set Run inside shell. Once those were enabled, I added the following shell commands:
export PS1="\$ " && unset zle_bracketed_paste && clear
- export PS1=”\$ “: Sets the prompt to only display “$” (no quotes) using the PS1 environmental variable.
- unset zle_bracketed_paste: Disable the zsh shell’s bracketed paste feature.
- clear: Removes all contents (including running the commands listed above) from the Terminal window.
The reason why this is nice is that I can now add running these commands to a macOS configuration profile using the CommandString key:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <key>CommandString</key> | |
| <string>export PS1="\$ " && unset zle_bracketed_paste && clear</string> |
To see this used in context in a macOS configuration profile, please see below the jump.
Customizing Terminal behavior for documentation needs
As part of writing documentation today, I was given a script to follow when making some videos as part of the documentation process. The script included the following requirement:
- Prepare the Terminal to not show the hostname or the logged-in user
By default, Terminal in macOS Monterey will show both. How to get rid of this?
Fortunately for me, @scriptingosx had already documented how to do this as part of this post. You can use the PS1 environmental variable to set how your prompt appears in Terminal. After some experimentation, I set the following environmental variable:
PS1="\$ "
To have this prompt appear whenever I opened a new Terminal session, I added the following line to a newly-created .zshrc file in my home folder:
export PS1="\$ "
The .zshrc file is a configuration file for the zsh shell, so adding that and then opening a new Terminal window gave me a prompt which looks like this.
As part of making the videos, I also noticed that when I copied and pasted a command into the Terminal that the pasted text was highlighted automatically. I’d seen this before and ignored it, but I thought it might be an unnecessary distraction for those watching this video later, so I went looking for how to disable it.
After some research, I found that this was zsh’s “bracketed paste” feature, which was introduced as part of zsh 5.1. This feature can be turned off using the following command:
unset zle_bracketed_paste
Adding entries for both the prompt and turning off bracketed paste to my .zshrc file gave me the Terminal behavior I wanted:
export PS1="\$ " unset zle_bracketed_paste
I also performed additional customization of my Terminal experience, but those modifications were managed using a configuration profile. For more details on that, please see this previous post:
Removing unwanted Time Machine backups from APFS-formatted Time Machine backup drives on macOS Monterey
I recently needed to prune some Time Machine backups, where I wanted to manually delete some older backups while not deleting everything on the drive. When I researched this, the guidance provided used the procedure described below:
- Connect your external backup drive to your Mac if needed.
- Launch the Time Machine app.
- Use the timeline on the right of the screen or the arrows to navigate to the backup date you want to delete. Alternatively, use the Finder window to navigate to the file or folder you want to delete.
- After selecting the date or file you want to delete, click the Action (…) button in Finder and choose to either Delete Backup or Delete All Backups of [Your File]
For an HFS+ formatted Time Machine backup drive, this guidance is correct. However, my Time Machine backup drive is APFS formatted. When following this guidance, I ran into the following issue:
- Connect your external backup drive to your Mac if needed.
- Launch the Time Machine app.
- Use the timeline on the right of the screen or the arrows to navigate to the backup date you want to delete. Alternatively, use the Finder window to navigate to the file or folder you want to delete.
- After selecting the date or file you want to delete, click the Action (…) button in Finder.
With APFS-formatted Time Machine backup drives, only the option to restore files is available. The Delete Backup or Delete All Backups options are not available.
So how can unwanted Time Machine backups be manually deleted? For more details, please see below the jump.
Session videos from MacDevOps YVR 2022 now available
The MacDevOps YVR folks have posted the session videos for from MacDevOps YVR 2022, including the video for my Managing Admin Rights in the Enterprise session.
For those interested, all of the MacDevOps YVR 2022 session videos are available on YouTube.
For convenience, I’ve linked my session here.
Videos from Penn State MacAdmins Campfire Sessions 2022
The good folks at Penn State have been posting session videos from the Penn State MacAdmins Campfire Sessions to YouTube. As they become available, you should be able to access them via the link below:
I’ve linked my Leveling Up – Managing admin rights in the enterprise session here:
Slides from the “Leveling Up – Managing admin rights in the enterprise” session at MacDevOpsYVR 2022 conference
For those who wanted a copy of my admin rights talk at the MacDevOpsYVR 2022 conference, here are links to the slides in PDF and Keynote format.
PDF: https://tinyurl.com/macdevopsyvr2022pdf
Keynote: https://tinyurl.com/macdevopsyvr2022key
Slides from the “Leveling Up – Managing admin rights in the enterprise” session at Penn State MacAdmins Conference 2022
For those who wanted a copy of my admin rights talk at the Penn State MacAdmins Conference 2022 conference, here are links to the slides in PDF and Keynote format.
WWDC 2022 notes
This week, as in 2020 and 2021, I’m attending Apple’s WWDC 2022 conference from the comforts of home. As part of this, I’m taking notes during the labs and session videos. Due to wanting to stay on the right side of Apple’s NDA, I’ve been posting my notes to Apple’s developer forums rather than to here.
To make it easier for Mac admins to access them, I’ve set up a post in the forums where I’ve linking the various forum posts with my notes. It’s available via the link below:
Using AutoPkg to build a Cisco AnyConnect installer
HCS Technology Group posted a white paper recently, showing how to deploy Cisco AnyConnect using Jamf Pro. As part of that documentation, HCS described how to create an installer choices XML file and then use it to create a custom Cisco AnyConnect installer package.
It’s possible to replicate this packaging workflow, including generating an installer choices XML file, using AutoPkg. For more details, please see below the jump.
Der Flounder 
Recent Comments