Building an installer package for Privileges.app

One of the open-source contributions by the Apple@SAP team has been Privileges.app, a tool designed to grant or take away administrator rights from accounts on macOS. The general idea behind Privileges is that it allows people to work with the account privileges of a standard user for day-to-day use, but allows them to get administrator rights when needed.

Documentation for Privileges.app can be found at the GitHub repo which hosts it, which is available via the link below:

https://github.com/SAP/macOS-enterprise-privileges

However, one item not included in that documentation is how to package it for deployment. Instead, AutoPkg recipes were written and made available to automate the packaging process:

However, not everyone is able to use AutoPkg in their environment, so manual packaging instructions are now available here. For more details, please see below the jump:

Downloading the latest release of Privileges

Privileges.app is available for download from GitHub, via the following link:

https://github.com/SAP/macOS-enterprise-privileges/releases/latest

From there, click on the Privileges.zip download link.

Once uncompressed, Privileges.app is self-contained and can be installed via drag and drop.

Packaging Privileges.app

Pre-requisites:

 

1. Set up a new Packages project and select Raw Package.

2. In this case, I’m naming the project Privileges and storing the project files in my home folder.

3. Once the Packages project opens, click on the Project tab. You’ll want to make sure that your information is correctly set here. (If you don’t know what to put in, check the Help menu for the Packages User Guide. The information you need is in Chapter 4 – Configuring a project.)

In this example, I’m not changing any of the options from what is set by default.

4. Next, click on the Settings tab. In the case of my project, I want to install with root privileges and not require a logout, restart or shutdown.

To accomplish this, I’m choosing the following options in the Settings section:

In the Tag section:

  • Identifier: set as appropriate (for my installer, I’m using com.companyname.pkg.Privileges)
  • Version: set as appropriate (for my installer, I’m using 1.0.3)

In the Post-installation Behavior section:

  • On Success: should be set to Do Nothing

In the Options section:

  • Require admin password for installation should be checked
  • Relocatable should be unchecked
  • Overwrite directory permissions should be unchecked
  • Follow symbolic links should be unchecked

7. Select the Payload tab.

8. Select the Applications directory.

9. Under the Hierarchy menu, select Add Files…

10. Select Privileges.app.

11. By default, the permissions for the app will be as follows:

Owner: root
Group: admin
Access: drwxr-xr-x

Change the permissions to match the following:

Owner: root
Group: wheel
Access: drwxr-xr-x

12. Select the Scripts tab.

The last part is adding a preinstall script and postinstall script. Here’s the preinstall script being used for this installer package:

If not already selected, select the preinstall script and add it to the project.

Note: This is the same preinstall script used by the AutoPkg .pkg recipe for Privileges.

Here’s the postinstall script being used for this installer package:

If not already selected, select the postinstall script and add it to the project.

Note: This is the same postinstall script used by the AutoPkg .pkg recipe for Privileges.

13. Build the package. (If you don’t know how to build, check the Help menu for the Packages User Guide. The information you need is in Chapter 3 – Creating a raw package project and Chapter 10 – Building a project.)

Testing the installer

Once the package has been built, test it by installing it on a test machine which meets the following condition:

  • Does not have Privileges.app installed

The end result should be that Privileges.app installs into /Applications and is able to do the following tasks:

  1. Grant admin rights to a standard user
  2. Take away admin rights from an admin user
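
A check to run on the test machine after installation, added here as an example (it is not part of the original post or of Privileges itself): it compares the installed bundle against the owner, group and access set in step 11 and, going one step beyond that, flags anything inside the bundle that is writable by group or other. It assumes root is UID 0 and wheel is GID 0, as on macOS; the function name audit_bundle is made up for this example.

```shell
#!/bin/sh
# Added example: audit an installed bundle against the ownership and mode
# chosen in step 11 of the packaging steps (root, wheel, drwxr-xr-x).
# Assumption: root is UID 0 and wheel is GID 0, as on macOS.

# audit_bundle PATH [UID] [GID] [MODE]
# Prints one line per finding. Returns 0 if clean, 1 on findings,
# 2 if PATH is not a directory.
audit_bundle() {
    app=$1
    want_uid=${2:-0}
    want_gid=${3:-0}
    want_mode=${4:-drwxr-xr-x}
    rc=0

    if [ ! -d "$app" ]; then
        echo "MISSING: $app"
        return 2
    fi

    # Numeric listing of the bundle directory itself. Only the first ten
    # characters of the mode are kept, because macOS appends "@" or "+"
    # when extended attributes or ACLs are present.
    top=$(ls -ldn -- "$app" | awk '{print substr($1, 1, 10) " " $3 " " $4}')
    if [ "$top" != "$want_mode $want_uid $want_gid" ]; then
        echo "BUNDLE: got '$top', want '$want_mode $want_uid $want_gid'"
        rc=1
    fi

    # Everything inside the bundle: flag a wrong owner or group, and anything
    # writable by group or other. Symlinks are skipped because their own
    # mode bits are not meaningful.
    loose=$(find "$app" ! -type l \( ! -user "$want_uid" -o ! -group "$want_gid" \
        -o -perm -020 -o -perm -002 \) -print)
    if [ -n "$loose" ]; then
        echo "$loose" | sed 's/^/LOOSE: /'
        rc=1
    fi

    return "$rc"
}

# Run as: sh audit_bundle.sh /Applications/Privileges.app
if [ "$#" -gt 0 ]; then
    audit_bundle "$@"
fi
```

An exit status of 0 means the bundle matches the values from step 11; any BUNDLE or LOOSE line names what differs.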

  1. Joss Brown
    March 20, 2019 at 3:52 pm

    Privileges is a fantastic app, as SAP write also for “all users”. However, the download only gives me version 1.0.3 build 231, but there’s already a build 236 around somewhere. Does anyone know where to download the newer build?

  2. AlexH
    March 21, 2019 at 4:31 pm

    Great writeup Rich! Now, how do we do this with Composer from Jamf Pro? 🙂

  3. piagetblix
    March 22, 2019 at 2:23 pm

    I did a drag and drop from /Applications using composer and it seems to run fine. No postinstall script. What am I missing out on building it with composer?
    Thanks!

  4. March 29, 2019 at 2:58 pm

    Is there any way we can force a time limit when becoming an admin, besides using the toggle functionality? Great app, by the way. Love the contribution to the community.

  5. predrag
    April 5, 2019 at 2:27 pm

    Where is the default 20 minute default amount stored, is there a plist controlling it?

    >Can I set Privileges.app to give me administrator rights for a defined amount of time?
    >Yes. You can use the Toggle Privileges option on the dock icon to get admin rights for a set amount of time (the default amount is 20 minutes.)

    • April 8, 2019 at 2:30 pm

      Thank you for your response, @predrag. I guess what I want to know is if I could manage those settings with MDM to force users to always have a time limit.

      • April 10, 2019 at 5:55 pm

        I don’t believe there is a way to auto-demote other than using the toggle. However, you could install a LaunchDaemon alongside that can check every x minutes for elevated privileges and prompt the user if they still need admin. Or perhaps you could demote instead of asking. I don’t take credit for this but there is a nice detailed writeup on how to do this here… https://travellingtechguy.eu/sap-privileges-app/

      • April 11, 2019 at 12:23 pm

        Rick, that’s exactly what I was looking for. That travellingtechguy does amazing stuff. Thank you for pointing it out.
