Manage macOS admin privileges with the SAP – Privileges app

Limiting the use of macOS Admin rights with the open sources SAP – Privileges app.

Time to add some variety to the blog, so I’m starting a series of post which I’ll mix in between other more mainstream topics. I want to spend some time testing some hidden or maybe less known gems that will make your life as a macAdmin a bit easier.

And the honour for the first awesome little tool I’d like to discuss goes to: SAP – Privileges. I knew about the existence of this tool but never took the time to check it out…

So, let’s not waste any time and dive right into it!

Note: Little disclaimer from the SAP Github project page.

This project is 'as-is' with no support, no changes being made. You are welcome to make changes to improve it but we are not available for questions or support of any kind.

That said, there is no need to, as it just works as expected. Within the limitations of the design of course. Nevertheless, Rich Trouton was so friendly to point me to his own Privileges scripts and recipes to enhance the deployment! This made it even easier to use! Thanks Rich!

The basic idea behind the app is to ensure that your end users, who need to be Admin for specific tasks, don’t use their Admin account while performing day to day tasks which don’t require Admin privileges at all.

Continue reading “Manage macOS admin privileges with the SAP – Privileges app”

Jamf Connect and ADFS… incorrect password

Fixing the “incorrect password” issue with Jamf Connect Login and ADFS.

Update 19th of March: It came to my attention that I'm missing the ROPG key in the config below. Again, I'm not able to fully test as I don't have an ADFS test environment.  I update the config below, adding the OIDCROPGID key, please let me know if it works for you.

Update 22nd: I just build out an entire ADFS farm. AD + ADFS + WAP servers, and federated it with Azure. I can use Jamf Connect Login to authenticate and create the account, but setting the <OIDCNewPassword> key to <false/> to validate it over ROPG and use it as local password still does NOT work for me. Adding the OIDCROPGID key below, does not change anything. I must be missing a key ingredient on ADFS to make it work. And while I managed to build out the ADFS farm, I'm not an ADFS expert, hence I'm wondering if this missing ingredient / setting might also make the passthrough of ROPG via Azure work... no idea, back to square one.
        ------------------------------------------------------
        <key>OIDCROPGID</key>
        <string>f7364cb1-2b34-4g64-9c83-38b827cd0a9e</string>
        ------------------------------------------------------

I was initially going to dedicate this post to deploying Jamf Connect Login with Okta. I wrote that Nomad Login+ Okta post a few months ago, so I assumed it would be a walk in the party to update my workflow now that Nomad Login+ moved under the Jamf Connect umbrella. Well, I still don’t know why but I ran into some roadblocks which I have to analyse first. Probably just due to my own doing, overlooking things or whatever it might be, but I’ll postpone writing about it till I have rock solid info to share. Stay tuned!

Hence, this post is going to be Azure related again. But because Jamf Connect is still fairly new to all of us, we can’t share too much information right! Jamf Connect truly is a beautiful tool to streamline the way end users authenticate to their Macs, apps and services, ensuring they only need 1 password to rule it all. Have a look at my previous post about how to do a basic deployment. Quite straight forward, no rocket science at all!

However it seems that some people ran into issues in environments with a mix of Azure and ADFS.

Continue reading “Jamf Connect and ADFS… incorrect password”