Manage macOS admin privileges with the SAP – Privileges app

Limiting the use of macOS Admin rights with the open sources SAP – Privileges app.

Time to add some variety to the blog, so I’m starting a series of post which I’ll mix in between other more mainstream topics. I want to spend some time testing some hidden or maybe less known gems that will make your life as a macAdmin a bit easier.

And the honour for the first awesome little tool I’d like to discuss goes to: SAP – Privileges. I knew about the existence of this tool but never took the time to check it out…

So, let’s not waste any time and dive right into it!

Note: Little disclaimer from the SAP Github project page.

This project is 'as-is' with no support, no changes being made. You are welcome to make changes to improve it but we are not available for questions or support of any kind.

That said, there is no need to, as it just works as expected. Within the limitations of the design of course. Nevertheless, Rich Trouton was so friendly to point me to his own Privileges scripts and recipes to enhance the deployment! This made it even easier to use! Thanks Rich!

The basic idea behind the app is to ensure that your end users, who need to be Admin for specific tasks, don’t use their Admin account while performing day to day tasks which don’t require Admin privileges at all.

Continue reading “Manage macOS admin privileges with the SAP – Privileges app”

Mojave 10.14.2 and Secure Tokens, it works!

macOS 10.14.2 brings a welcome change to our Secure Token saga!

Well, kind off. Not everything but there are some welcome changes!

!!! ALREADY AN UPDATE to what I wrote here -  see comments !!!
Update 2: 9/12/18 - promote the non-admin Secure Token holder. see comments !!!

When I wrote my previous post on Secure Tokens, I mainly focused on enabling FileVault with Configuration Profiles on 10.14.1. The main issue was that if no account on the mac had a Secure Token, the profile would fail to enable FileVault. This due to the fact the first account logging into the Mac has to be a LOCAL Administrator.

This, amongst many other FileVault related issues, caused some concerns for many Mac Sys Admins. Additional bugs on 10.14.1 seemed to make the mayhem complete, leaving many of us in a state wondering if something was expected behaviour, or “a feature”… In all fairness, there were moments where I thought I finally understood how Secure Tokens work, and other moments where I just lost all hope…

Hence my intensive search for a recommended workflow to avoid as much of the issues as possible. I ended up testing almost every scenario with different types of accounts, on both 10.14.1 and 10.14.2.

I had to wait until 10.14.2 came out of beta, but now that 10.14.2 is released, let’s see what this early Filevault Santa bring us!

Continue reading “Mojave 10.14.2 and Secure Tokens, it works!”