Frequently Asked Questions
This is by design. The icon is green and displays a locked padlock when you are a standard user. It looks like this:
The icon is orange and displays an unlocked padlock icon when you are an administrator. It looks like this:
Yes. By default, administrator privileges are granted for 20 minutes (if not configured otherwise). However, if necessary, you can configure Privileges not to remove administrator privileges by setting the expiration interval to Never in the app's settings.
No. Privileges cannot guarantee that elevated permissions will be removed from the user account at all or on any specific schedule.
Privileges is an application for macOS which allows users to work as a standard user for day-to-day tasks, by providing a quick and easy way to request administrator rights. Working as standard user instead of an administrator adds another layer of security to your Mac and is considered a security best practice. We believe all users, including all developers, can benefit from using Privileges.
Local administrators on macOS have extensive capabilities to make changes to a Mac. This can include but is not limited to completely removing the Privileges application and its support files.
Organizations should consider this when designing their client management, device compliance, security hardening, and auditing policies.
Local administrators on macOS have extensive capabilities to make changes to a Mac. This can include but is not limited to:
- completely removing the Privileges application and its support files
- removing other client management software and configurations
- creating a new administrator account or modifying existing user accounts
- making changes, such as resetting date/time on the Mac, to try to trick Privileges
- making changes when started up in the Recovery environment
- erasing the Mac, reinstalling macOS, installing or upgrading to a different macOS version, or starting up from a different partition or disk
- an already-resident malicious process detecting the elevated rights and making its own changes
Organizations should consider this when designing client management, device compliance, security hardening, and auditing policies. Controls, mitigations, defense-in-depth, reporting, and auditing suitable to each organization’s environments and threat models are needed. This is true with or without the use of the Privileges application.
No. Privileges cannot undo other changes made by a user - or processes acting as the user - when that user has elevated rights. Privileges does not track any action done while the user has elevated permissions.
Organizations should consider this when designing client management, device compliance, security hardening, and auditing policies.
Can Privileges be installed and/or be run by users themselves? My organization does not deploy or use Privileges.
Yes, if users have administrator-level elevated rights already, they can install Privileges themselves via the installer package.
Once Privileges is present on a Mac, a local user can try to run it. If this is a concern, consider this when designing client management, device compliance, security hardening, and auditing policies.
No. Privileges is an application for macOS which allows users to work as a standard user for day-to-day tasks, by providing a quick and easy way to request administrator rights. It is meant for human users logged in to local macOS user accounts.
Privileges uses the system log for logging. To see all logs for Privileges in the Console app, you can filter
for processes that contain Privileges.
To see only the logging associated with changing admin rights in the Console app, you can filter for log messages
containing SAPCorp.
To access the same logs from the command line, the log command can be used. To see all logs for Privileges using the log command, the following command can be used:
log show --style syslog --predicate 'process BEGINSWITH "Privileges"'
To see only the logging associated with changing admin rights, the following command can be used:
log show --style syslog --predicate 'process == "PrivilegesDaemon" && eventMessage BEGINSWITH
"SAPCorp: U"'
I noticed that PrivilegesCLI 2.5 (and newer) supports the two undocumented arguments -e managed and -e suspend. What are they for?
Both are intended for use in our installer package. The -e suspend argument ensures that the system extension pauses during installation so that it does not interfere with the Privileges update. After installation is complete, the -e managed argument ensures that the system extension is enabled or disabled depending on the configuration on the MDM server. This guarantees that, in managed environments, the system extension will be enabled immediately after installation, even if no user is logged in.
Note
Use of the -e suspend argument is restricted (see the next question), but -e managed can be used without restrictions (e.g., in scripts).
No, because this argument cannot be used on its own. To prevent misuse, PrivilegesCLI first verifies that the parent process is named package_script_service and is a platform binary (a binary signed by Apple) when this argument is used. If so, PrivilegesCLI checks to see if exactly one installer package is among the files opened by package_script_service. If this is also the case, the package's signature is checked. Only after successfully completing these checks and confirming that the package is an original Privileges installer package, the system extension is set to the appropriate mode.
In this illustration you can get an overview of how the different app components of Privileges 2.5 (and newer) communicate with each other:
We give away the stickers at events and conferences. If you can't catch us at one, you can order your own Privileges sticker sheet directly here:
Important
We're not making any profit from this. You'll pay exactly what we pay for each sheet.