Authorization Rights Management for Standard User Access
Authorization rights are a core part of the macOS security model: they determine who can and can't access specific functions. For example, system.preferences.datetime determines what authentication is required to modify Date & Time settings under System Preferences. A curious power user could cause a lot of harm changing authorization rights, and for the most part they should be left well alone. However, modifying authorization rights is particularly useful for granting standard users access to areas only admins can go by default. Other Mac admins, specifically Armin Briegel of Scripting OS X and Rich Trouton of Der Flounder, have already done a thorough job explaining the finer details. This post will provide a few practical tips and go over how to report on the state of specific authorization rights using Jamf Pro.
Most Mac users are used to clicking on the lock icon in the bottom left hand corner of a preference pane to authenticate before changing settings. Apple calls this preauthorization in the at this point very old Authorization Services Programming Guide.
Authentication is the act of verifying the identity of the user. A common misconception is that authorization and authentication are one and the same; however, authentication is only part of the authorization process. As discussed in Authorization, after the user is authenticated, the authorization process involves determining what rights or privileges that user has.
The distinction here is important. Authentication can be part of the authorization process, but doesn't have to be. By using the security command, authorization rights can easily be changed to allow a standard user to unlock a preference pane, or for it to not be locked at all.
# authorizationdb write <right-name> [allow|deny|<rulename>]
/usr/bin/security authorizationdb write system.preferences.datetime allow
- Allow - Permanently unlock the preference pane without requiring authentication.
- Deny - Permanently lock the preference pane.
- Rule - There are a whole host of rules, but for simplicity's sake only authenticate-session-owner-or-admin is referenced here. It requires entering credentials to unlock the preference pane, but allows standard users to do so.
In the example above the Date & Time preference pane has been unlocked entirely; the authentication requirement has been removed. With system.preferences.datetime set to allow, any user on the system can modify the time, time zone, and other settings. In my environment this is particularly useful when batteries drain to zero, causing the clock to be incorrect. Users aren't able to set the clock back to the correct time since they don't have admin rights. A clock skew over five minutes prevents Macs from connecting to many enterprise wireless networks. Setting the authorization database to allow removes the authentication requirement and puts control back into the hands of users. In that way organizations can operate with standard users while picking and choosing what additional rights to provide.
Dragon Systems Software maintains an authorization database reference which lists other available system.preferences rights that can be changed. Other common preference panes to modify include Printers & Scanners, which can be done with system.preferences.printing. Thankfully, a fellow Mac admin, Matthew Warren, has a script available to easily modify a set list of authorization database settings all at once. Simply modify the rights list and right level as needed. In my environment I set system.preferences.printing, and a few others, to allow. Play around with other settings as needed. Maybe you want to open up the Network or Time Machine or another preference pane.
Modifying the authorization database works well, but it resets back to default on a major OS upgrade. For example, a Mac moving from Catalina to Big Sur will need to have the script run again to make sure settings are correct. In general, it is also useful to have stateful information about something as fidgety as authorization rights. Jamf Pro admins can report on specific authorization rights using this extension attribute in my GitHub repo. Keep in mind only the listed rights will be reported on, not any others which might have been changed. Make sure the list in the script which sets authorization rights matches the one in the extension attribute.
RIGHTS = [
    "system.preferences",
    "system.preferences.datetime",
    "system.preferences.printing",
]
Once authorization rights inventory data is collected, smart groups can report on Macs not in compliance, and those Macs can then be targeted through a policy. Run the modification script again for those Macs where authorization rights aren't set correctly.
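To tie the allow/deny/rule settings above to the reporting step, here is an added example (not the extension attribute from the author's GitHub repo) of how the read side can work: it parses the property list that security authorizationdb read prints for a right, reduces it to one comparable string (allow, deny, the rule name, or user:<group> for the stock admin-only default), compares that against a desired state, and renders the Jamf-style <result> block. The desired-state mapping, the DESIRED and SAMPLE_PLISTS names, and the sample plists themselves are constructed for the example; the plist key names (class, rule, group) match what the security command emits on current macOS, but the script stays offline unless you drop the --sample flag.

```python
#!/usr/bin/env python3
"""Audit macOS authorization rights against a desired state.

Added example, not the author's extension attribute. The `security
authorizationdb read <right>` output is assumed to be a property list
carrying a `class` key (allow / deny / rule / user); the sample plists
below are constructed so the audit logic can run without macOS.
"""
import plistlib
import subprocess
import sys

# Desired state (constructed): right name -> "allow", "deny", or a rule name.
# This list should match the one in whatever script sets the rights.
DESIRED = {
    "system.preferences": "authenticate-session-owner-or-admin",
    "system.preferences.datetime": "allow",
    "system.preferences.printing": "allow",
}


def read_right_plist(right):
    """Fetch the current definition of one right via security(1) (macOS only)."""
    out = subprocess.run(
        ["/usr/bin/security", "authorizationdb", "read", right],
        capture_output=True, check=True,
    ).stdout
    return plistlib.loads(out)


def summarize_right(definition):
    """Reduce a right's plist dictionary to a single comparable string.

    allow/deny -> "allow"/"deny"; rule -> rule name(s) joined by ",";
    user -> "user:<group>" (the stock default for most panes is user:admin).
    """
    cls = definition.get("class")
    if cls in ("allow", "deny"):
        return cls
    if cls == "rule":
        return ",".join(definition.get("rule", []))
    if cls == "user":
        return "user:" + definition.get("group", "")
    return "unknown:%s" % cls


def audit(desired, reader=read_right_plist):
    """Return {right: (current, expected, compliant)} for every desired right."""
    report = {}
    for right, expected in desired.items():
        try:
            current = summarize_right(reader(right))
        except Exception as exc:  # unknown right, or security(1) failed
            current = "error:%s" % exc.__class__.__name__
        report[right] = (current, expected, current == expected)
    return report


def format_ea(report):
    """Render the audit as a Jamf extension attribute <result> block."""
    lines = ["%s=%s" % (right, cur) for right, (cur, _, _) in sorted(report.items())]
    return "<result>" + "\n".join(lines) + "</result>"


# Constructed stand-ins for `security authorizationdb read` output:
# one pane set to a rule, one set to allow, one still at the default.
SAMPLE_PLISTS = {
    "system.preferences": plistlib.dumps(
        {"class": "rule", "rule": ["authenticate-session-owner-or-admin"]}),
    "system.preferences.datetime": plistlib.dumps({"class": "allow"}),
    "system.preferences.printing": plistlib.dumps(
        {"class": "user", "group": "admin", "shared": True}),
}


def sample_reader(right):
    """Reader that serves the constructed plists instead of calling security(1)."""
    return plistlib.loads(SAMPLE_PLISTS[right])


if __name__ == "__main__":
    reader = sample_reader if "--sample" in sys.argv else read_right_plist
    result = audit(DESIRED, reader)
    print(format_ea(result))
    for name, (cur, want, ok) in result.items():
        if not ok:
            print("NONCOMPLIANT %s: is %r, want %r" % (name, cur, want), file=sys.stderr)
```

Run with --sample to see the printing pane flagged as non-compliant (it is still at the admin-only default while the desired state says allow); on a Mac, run without the flag to audit the live authorization database. The same comparison is what a smart group does once the <result> lines are collected as an extension attribute.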
Admins reporting with other tools like MunkiReport can probably modify the extension attribute code to collect similar data. For those environments where standard accounts are still preferred, authorization rights can be a powerful addition to help enable users to rely less on IT for tasks typically requiring admin rights.