Managing time limited admin rights with Privileges 2.x
One of the new features in Privileges 2.x is a unified way to set and manage how long admin rights are granted: running Privileges grants admin rights for a defined amount of time, after which those admin rights are taken away. This ability also existed in Privileges 1.x, but there it was exclusively tied to Privileges 1.x's Toggle Privileges function, whereas in Privileges 2.x it is available no matter how Privileges is being run.
By default, Privileges 2.x will grant administrator rights for 20 minutes if not configured otherwise.
But what if you want to configure it otherwise? There are management options available for this. For more details, please see below the jump.
The relevant preference domain and key values are listed below:
Note: In both cases, the positive integer values define a time in minutes.
ExpirationInterval:
The ExpirationInterval key defines a set time in minutes after which administrator rights expire and the logged-in user reverts to using standard user rights. For example, setting ExpirationInterval to a value of 15 would set Privileges to allow admin rights for fifteen minutes. Once the fifteen minutes are up, the logged-in user reverts to using standard user rights.
In this example, the Administrator privileges expire setting in the Privileges settings would be set to the defined value and grayed out.
Note: Setting a value of 0 disables the timeout and allows the user to request administrator privileges which do not expire.
ExpirationIntervalMax:
The ExpirationIntervalMax key defines a set time in minutes after which administrator rights expire and the logged-in user reverts to using standard user rights. In general, this works like the ExpirationInterval key, but it allows the logged-in user to choose a different timeout value as long as it does not exceed the defined value.
For example, setting ExpirationIntervalMax to a value of 20 would set Privileges to allow admin rights for twenty minutes. However, the logged-in user can go into the Privileges settings and set a different time interval for the Administrator privileges expire setting as long as that time interval does not exceed the defined value of twenty minutes.
Note: In the event that both the ExpirationInterval and ExpirationIntervalMax settings are set, as of Privileges 2.0 the ExpirationInterval behavior will be applied. The Administrator privileges expire setting in the Privileges settings would be set to the defined value for ExpirationInterval and be grayed out.
The ExpirationInterval and ExpirationIntervalMax settings can be managed by configuration profiles. Please see below for example profiles.
ExpirationInterval:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
    <key>PayloadUUID</key>
    <string>B3D51AB8-3307-4CBA-B5B7-0CB590D62797</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadOrganization</key>
    <string>Company Name</string>
    <key>PayloadIdentifier</key>
    <string>B3D51AB8-3307-4CBA-B5B7-0CB590D62797</string>
    <key>PayloadDisplayName</key>
    <string>Configure Privileges Admin Rights Removal Time</string>
    <key>PayloadDescription</key>
    <string>Configure Privileges to remove admin rights after the defined time.</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadEnabled</key>
    <true/>
    <key>PayloadRemovalDisallowed</key>
    <true/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadDisplayName</key>
            <string>Custom Settings</string>
            <key>PayloadIdentifier</key>
            <string>FF229F24-BF06-4CA6-AD95-500A649893FE</string>
            <key>PayloadOrganization</key>
            <string>Company Name</string>
            <key>PayloadType</key>
            <string>com.apple.ManagedClient.preferences</string>
            <key>PayloadUUID</key>
            <string>FF229F24-BF06-4CA6-AD95-500A649893FE</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadContent</key>
            <dict>
                <key>corp.sap.privileges</key>
                <dict>
                    <key>Forced</key>
                    <array>
                        <dict>
                            <key>mcx_preference_settings</key>
                            <dict>
                                <key>ExpirationInterval</key>
                                <integer>15</integer>
                            </dict>
                        </dict>
                    </array>
                </dict>
            </dict>
        </dict>
    </array>
</dict>
</plist>
ExpirationIntervalMax:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
    <key>PayloadUUID</key>
    <string>71512933-DEB5-4628-BFD9-2BFFF90674E9</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadOrganization</key>
    <string>Company Name</string>
    <key>PayloadIdentifier</key>
    <string>71512933-DEB5-4628-BFD9-2BFFF90674E9</string>
    <key>PayloadDisplayName</key>
    <string>Configure User Adjustable Privileges Admin Rights Removal Time</string>
    <key>PayloadDescription</key>
    <string>Configure Privileges to remove admin rights after the defined time with an option for the user to choose a shorter time.</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadEnabled</key>
    <true/>
    <key>PayloadRemovalDisallowed</key>
    <true/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadDisplayName</key>
            <string>Custom Settings</string>
            <key>PayloadIdentifier</key>
            <string>AD2F05BF-B01C-430F-A395-BEE34A6689C2</string>
            <key>PayloadOrganization</key>
            <string>Company Name</string>
            <key>PayloadType</key>
            <string>com.apple.ManagedClient.preferences</string>
            <key>PayloadUUID</key>
            <string>AD2F05BF-B01C-430F-A395-BEE34A6689C2</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadContent</key>
            <dict>
                <key>corp.sap.privileges</key>
                <dict>
                    <key>Forced</key>
                    <array>
                        <dict>
                            <key>mcx_preference_settings</key>
                            <dict>
                                <key>ExpirationIntervalMax</key>
                                <integer>20</integer>
                            </dict>
                        </dict>
                    </array>
                </dict>
            </dict>
        </dict>
    </array>
</dict>
</plist>
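An added example, not code from the original post or from the Privileges project: a Python audit helper that reads a profile laid out like the two above and reports which expiry rule from this article applies, including the non-expiring case where ExpirationInterval is 0. The function names, mode labels and the inline sample profile are constructed for illustration.

```python
import plistlib

DOMAIN = "corp.sap.privileges"
DEFAULT_MINUTES = 20  # default the article gives for an unconfigured Privileges 2.x

# Constructed sample profile (not from the article): both keys set, fixed value 0.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>PayloadType</key><string>Configuration</string>
 <key>PayloadContent</key><array><dict>
  <key>PayloadType</key><string>com.apple.ManagedClient.preferences</string>
  <key>PayloadContent</key><dict><key>corp.sap.privileges</key><dict>
   <key>Forced</key><array><dict><key>mcx_preference_settings</key><dict>
    <key>ExpirationInterval</key><integer>0</integer>
    <key>ExpirationIntervalMax</key><integer>20</integer>
   </dict></dict></array>
  </dict></dict>
 </dict></array>
</dict></plist>"""

def managed_settings(profile_bytes, domain=DOMAIN):
    """Merge the Forced mcx_preference_settings for `domain` found in a profile."""
    profile = plistlib.loads(profile_bytes)
    merged = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.ManagedClient.preferences":
            continue
        forced = payload.get("PayloadContent", {}).get(domain, {}).get("Forced", [])
        for entry in forced:
            merged.update(entry.get("mcx_preference_settings", {}))
    return merged

def effective_policy(settings):
    """Return (mode, minutes) following the rules described in the article."""
    for key in ("ExpirationInterval", "ExpirationIntervalMax"):
        value = settings.get(key)
        if value is not None and (type(value) is not int or value < 0):
            raise ValueError(f"{key} must be a non-negative integer, got {value!r}")
    fixed = settings.get("ExpirationInterval")
    if fixed is not None:  # wins over ExpirationIntervalMax as of Privileges 2.0
        return ("never-expires", None) if fixed == 0 else ("fixed", fixed)
    cap = settings.get("ExpirationIntervalMax")
    if cap is not None:  # user may pick any interval up to this cap
        return ("user-capped", cap)
    return ("default", DEFAULT_MINUTES)

if __name__ == "__main__":
    print(effective_policy(managed_settings(SAMPLE_PROFILE)))
```

The article does not say what an ExpirationIntervalMax of 0 means, so the helper reports that value unchanged rather than interpreting it.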