Endpoint Services, Munki, Deploying Privileges.app for Remote Support

This article describes how to use the SAP Privileges application in order to temporarily grant standard users administrative access on their Macs.

Systems

Munki Mac Endpoint Management

Intended Audience

University of Illinois IT Pros leveraging Munki Mac Endpoint Management

Actions

General Information

Important note: Privileges.app is a powerful tool, to be deployed judiciously and with care, and uninstalled when no longer needed.

Endpoint Services (EPS) has opted to make Privileges available in response to the demands of remote support during the COVID-19 pandemic. However, Privileges is not a service, and EPS does not support or endorse it; nor have we vetted it beyond the basic testing standards applied to other titles in the Munki service.

The free Privileges application by SAP can help in support situations when remote workers do not have administrator rights on their macOS device. The application uses a privileged helper tool to grant standard users administrator rights upon request, and will also revoke it upon request.

Please note: Privileges is supported on macOS 10.15 and below; it will install on, but not work with, macOS 11 (Big Sur).

Deploying Privileges.app

In a macOS support scenario where the remote user is temporarily in need of administrator rights, the IT Pro can take the following steps:

  • Add Privileges to the managed installs sections of the device's serial number Munki manifest.
  • Instruct the end user to run Managed Software Center and install Privileges.
  • Instruct the end user to launch /Applications/Privileges (or perform a Spotlight search), and when prompted, complete the request for administrator rights.
  • The end user is now an administrator on their Mac. 
    • You can confirm this by opening System Preferences - Users & Groups, selecting their account, and noting that the box to "Allow user to administer this computer" is now checked.

Removing Privileges.app

After the remote support task has been completed and the need for administrator access has passed, the IT Pro should do the following:

  • Instruct the end user to click on the Privileges icon in the Dock, and when prompted, complete the request to remove administrator rights. 
    • You can confirm this by opening System Preferences - Users & Groups, selecting their account, and confirming that the box to "Allow user to administer this computer" is now unchecked. (If System Preferences was already open, you may need to quit and reopen to refresh the displayed setting.)
    • If you skip this step, the end user will be left with administrator rights, which may be a violation of your departmental security policy.
  • Move Privileges to the managed uninstalls section of the Munki manifest.
  • Instruct the end user to run Managed Software Center and uninstall Privileges.
    • If you are unable to confirm the uninstallation via a screen-sharing session, view the device record in MunkiReport and check the Managed Installs status of Privileges.app.

Additional Resources

Visit GitHub for more information about the Privileges app.


Contact the EPS team




Keywords:eps mtm munki endpoint techs-eps-mtm remote support admin Mac macOS   Doc ID:104704
Owner:EPS Distribution List .Group:University of Illinois Technology Services
Created:2020-08-06 10:10 CSTUpdated:2020-11-30 16:22 CST
Sites:University of Illinois Technology Services
Feedback:  0   0