Using Privileges for Administrative Tasks on Mac

Overview

The Privileges App is a way to elevate to an administrative account on Macintoshes deployed with Jamf Connect / Zero Touch.

Previously, administrator user access for Macintosh users could only be implemented using a separate administrator user account and password. With Privileges, you are now able to use your OSU password to elevate your account to an administrator user. Privileges must be enabled for a user account; please submit a ticket to request this.

This article only applies to Macs that have been installed with the Zero Touch / Jamf Connect deployment process. For older / multi-user installs, you continue to use the second local admin account.

Installation

On your Macintosh, the app must be installed before first use: in Applications, open Self Service (called "Ohio State Application Self Service"), search for "privileges", and install it. Note: to see the Privileges app, you must log in to Self Service (lastname.# and OSU password) using the Log In button.

Note: Installing Privileges does not activate admin rights. Initial ASCTech activation is required; please submit a ticket.

Usage

For security, only elevate to admin when you need to and de-elevate from admin when not needed.

From the Graphical Interface

Click on the Privileges app. It will be green, showing that you do not have admin rights.

A pop-up window will state that you are currently logged in as a standard user. Press the Request privileges button to elevate your account to an administrator user. Enter a reason for your request and then your OSU password. (Please note that this is a request to elevate to administrator, not a direct request to ASCTech.)

The icon will change to unlocked and yellow, indicating that you are an admin.

Every 30 minutes, Privileges will ask if you still need admin rights.

Command Line / Shell / SSH

Click the Privileges app to elevate and then launch a terminal as admin. Then use the sudo command to run individual commands as admin.

When you are finished with admin rights use the Privileges remove command, and then type exit to leave the admin command prompt.

Alternate CLI Commands / Remote SSH

If your non-mobile computer allows incoming SSH, you will not be able to click on the GUI icon.

Instead, to elevate to admin, type: /Applications/Privileges.app/Contents/Resources/PrivilegesCLI --add and then type your password.

To remove admin rights, type: /Applications/Privileges.app/Contents/Resources/PrivilegesCLI --remove

When you are finished with admin rights use the Privileges remove command, and then type exit to leave the admin command prompt.

Add the following to your .zshrc or .bashrc to add convenient aliases:

alias privadd='/Applications/Privileges.app/Contents/Resources/PrivilegesCLI --add'
alias privrem='/Applications/Privileges.app/Contents/Resources/PrivilegesCLI --remove'
alias privstatus='/Applications/Privileges.app/Contents/Resources/PrivilegesCLI --status'

What if you cannot sudo after elevating?

This should work immediately as of 11.2.1. However, if the current shell does not get placed into the admin group, there are two options:

  1. SSH to the machine again with a new login.
  2. Type su -l lastname.# to create a new shell in the terminal
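
The shell function below is an added example, not part of the original article or of ASCTech's tooling: it wraps the PrivilegesCLI commands above so that a single command runs with sudo and admin rights are always removed afterwards, and it prints the two options above if sudo fails while the shell is outside the admin group. The names with_admin, in_admin_group, PRIVILEGES_CLI and SUDO are assumptions made for this example, as is the use of id -Gn to list the groups the current shell sees; it can go in the same .zshrc or .bashrc as the aliases.

```shell
# Added example (not from the original article).
# Default path is the one given in the article; both variables can be overridden.
PRIVILEGES_CLI="${PRIVILEGES_CLI:-/Applications/Privileges.app/Contents/Resources/PrivilegesCLI}"
SUDO="${SUDO:-sudo}"

# Return 0 if a space-separated group list contains "admin".
# With no argument, checks the groups of the current shell (assumption: id -Gn).
in_admin_group() {
    groups_list="${1-$(id -Gn)}"
    case " $groups_list " in
        *" admin "*) return 0 ;;
        *)           return 1 ;;
    esac
}

# with_admin CMD [ARGS...]
# Elevate, run one command through sudo, and always de-elevate, even when the
# command fails or is interrupted. The body is a subshell so the traps stay
# local and do not alter the interactive shell.
with_admin() (
    [ "$#" -gt 0 ] || { echo "usage: with_admin command [args...]" >&2; exit 64; }

    # Prompts for your password, as described in the article.
    "$PRIVILEGES_CLI" --add || { echo "with_admin: elevation failed" >&2; exit 1; }

    # From here on, leaving the subshell for any reason removes admin rights.
    trap '"$PRIVILEGES_CLI" --remove' EXIT
    trap 'exit 130' INT TERM

    "$SUDO" "$@"
    rc=$?

    # Troubleshooting case from the article: shell not placed in the admin group.
    if [ "$rc" -ne 0 ] && ! in_admin_group; then
        echo "with_admin: this shell is not in the admin group;" >&2
        echo "  open a new SSH login, or run: su -l $(id -un)" >&2
    fi
    exit "$rc"
)
```

Usage: with_admin followed by the command to run as admin. The function returns that command's exit status.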

Details

Article ID: 123769
Created: Wed 1/6/21 2:17 PM
Modified: Thu 12/7/23 1:22 PM
