Guide to implement this

[gbica-hzo]

I deployed the application thru SimpleMDM, no custom plist file. Setup a standard user Logged in as the user Launched Privileges Requested permissions

Nothing happens. What do I need to configure it to work?

[MLBZ521]

Have you read the Wiki?

[gbica-hzo]

Yes, I read the Wiki. The only difference is I am deploying the app via MDM, and the said user is already a standard user. Do I need to make the user admin first before the account is usable? That's not in Wiki if that's the case.

[gbica-hzo]

In Wiki.. during install step 1 does not invoke because the app is deployed via MDM/Munki and logged on user is not admin step 4 Launch Privileges.app and click the Remove Privileges button. this does not trigger because logged on user is not admin step 5 Helper Tool prompt is not invoked

[grahampugh]

There is no need for the user to be admin before installing Privileges. Munki should be installing the app as root, so the user does not need to be admin. I use Jamf, but the process is the same, and I have no problems with this.

[gbica-hzo]

@grahampugh Have you had to complete step 5 manually? For some reason the app is not working, even though it's dead simple to install and run. Could it be the Helper Tool is not installed?

[rougegoat]

How are you building the installer? There is an AutoPkgr recipe that you should probably use to ensure everything works. Here is a writeup on how to use that.

I believe the developers are not planning to make a ready to go installer since that recipe is available.

[MLBZ521]

@gbica-hzo What @rougegoat said is what I was going to respond with.

Are you deploying Privileges.app that you downloaded from the releases on GitHub? If so, that is not sufficient enough to make it work. You could easily do this without AutoPkg, but that's just the "easy" way (assuming you have AutoPkg setup). You could also take the [pre|post]install scripts from the AutoPkg recipes and create a .pkg by hand (e.g. using munkipkg or similar).

The process described in the Wiki Installation page expects the current user to be an Admin. If it is not, then Privileges.app cannot be installed that way. So, you'll need to use another method (like the one mentioned above) to install Privileges.app.

[gbica-hzo]

@MLBZ521 and @rougegoat

SimpleMDM has Privileges in their own Munki instance. I selected it for deployment and it is installed on the targeted group.

Here is what I think the plist for the helper app.

[rougegoat]

Sounds like an issue with how SimpleMDM is packaging this rather than with the app itself.

[MLBZ521]

Can you confirm on a Mac that is not working that the following files exist?

• /Library/PrivilegedHelperTools/corp.sap.privileges.helper
• /Library/LaunchDaemons/corp.sap.privileges.helper.plist

Also ensure that the LaunchDaemon is running.

• launchctl print system/corp.sap.privileges.helper

[gbica-hzo]

I can confirm the files exist in both locations.

launchctl print system/corp.sap.privileges.helper command shows state = not running.

[MLBZ521]

Are there any extended attributes associated with these files?

• xattr /Library/PrivilegedHelperTools/corp.sap.privileges.helper
• xattr /Library/LaunchDaemons/corp.sap.privileges.helper.plist

[gbica-hzo]

xattr /Library/PrivilegedHelperTools/corp.sap.privileges.helper shows "com.apple.quarantine" (EDITED) xattr /Library/LaunchDaemons/corp.sap.privileges.helper.plist is empty

EDIT1: update, looks like that attribute is when the app is installed and not run yet. I uninstalled it and re-installed for testing. Once I ran the app it removed the quarantine flag

EDIT2: Getting errors when removing privileges

[MLBZ521]

Yeah, that quarantine bit will be a problem. So progress has been made, that's good.

You'll need to review the logs to figure out what is going on now. See the FAQ for accessing logging.