Deploying SAP Privileges Auto App with Privileges Checker

By Jonathan Connor

Learn how to deploy SAP Privileges alongside the Kandji Privileges Checker

We're excited to offer SAP Privileges as an Auto App! This open source tool for macOS allows users to easily elevate their privileges from standard to administrative only when needed - a security best practice.

However, the built-in functionality of Privileges only allows time-based rights expiration if they are first granted by right-clicking the Dock icon. We've released companion code to better enforce that timeout, even when the user escalates their privileges outside of the Dock (e.g. from launching the application fully).

Privileges, accompanied by our Privileges Checker audit + remediation scripts, ensures your users' rights return to standard after a set number of minutes, configurable via Configuration Profile or our installation script.

Add the SAP Privileges Auto App

Note: This Auto App deploys a Configuration Profile allowing Background Items for both SAP Privileges and Privileges Checker. This is to ensure core functionality for the add-on, and has no impact if Privileges Checker is not present.
  1. Click Library in the left-hand navigation bar.
  2. Click Add new in the upper right-hand corner.
  3. Type Privileges in the Search bar, or scroll down to the Auto App section and locate SAP Privileges.
  4. Click Add & Configure on the SAP Privileges item.
  5. Assign the Auto App to a test Blueprint.
  6. Select desired installation method and hit Save.
Note: Add your Auto App, Custom Script, and Custom Profile to the same Blueprint.

Add a Custom Script

  1. Click Library on the left-hand navigation bar.
  2. Click Add new in the upper right-hand corner.
  3. Click Custom Script from the General section, then Add & Configure.
WARNING: Once deployed, Privileges Checker will revoke rights for the logged-in user after the set timeout has expired.

Configure the Custom Script

  1. Give your custom script a Name.
  2. Assign your custom script to a test Blueprint.
  3. Select Run every 15 minutes as the Execution Frequency. (Alternatively: Run daily.)
  4. Paste the Audit Script from our support GitHub into the Audit Script text field.
  5. After clicking Add Remediation Script, paste the Install Script from our support GitHub into the Remediation Script text field.
  6. Set an integer value for MINUTES_TO_WAIT. This is the number of minutes an end user should be allowed admin rights once granted.
  7. Set a Boolean value for USE_PROFILE_TIMEOUT.
    1. Set to either True or False: Enforces a timeout in minutes from DockToggleTimeout key set in the Privileges configuration profile (see below).
    2. If the value is marked True but no profile is installed, or if the DockToggleTimeout key is not defined, the timeout will default to MINUTES_TO_WAIT. Otherwise, the configuration profile will override the locally set value MINUTES_TO_WAIT.
  8. Click Save.

WARNING: If you have the Demote user accounts to Standard Parameter enabled, we recommend disabling it on any Blueprints where Privileges is assigned.

Create a Custom Profile

Note: Profile creation steps are optional if you are setting the rights timeout via script.

Download Required Components

  • Download a tool like iMazing Profile Editor and use the SAP Privileges profile template under Available Application Domains.
    • Download iMazing Profile Editor and follow the instructions for installation and launch.
    • On the left side, under Available Application Domains, locate and click SAP Privileges.
    • Click Add Configuration Payload.
    • Enter a value for Dock Toggle Timeout.
    • Click the General section; populate required values for Name and Identifier.
    • Hit Command+S to save your profile.

Note: If Privileges is configured with the DockToggleTimeout payload, but Privileges Checker is not deployed, timed rights revocation will only occur if a user right-clicks the Privileges Dock icon and selects Toggle privileges.

Add a Custom Profile

  1. In the Kandji web app, click Library in the left-hand navigation bar.
  2. Click Add New in the upper right-hand corner.
  3. Click Custom Profile from the Add New window.

Configure the Custom Profile

  1. Give the profile a Name.
  2. Assign your custom profile to a test Blueprint.
  3. Set the Device Families to Mac.
  4. Upload the .mobileconfig you customized and saved above.
  5. Save your custom profile.

Technical details about Privileges Checker can be found on our GitHub. Learn More