UPDATE: A tool called authbuddy has just come to my attention that will managed this better & for 10.7+.
Way back in November 2010 I posted a script that would unlock each secure system preference pane for non-admins, (this can be found here).
With Lion came a more granular way to achieve the same, but rather then have a script for 10.6 & another for 10.7 i’ve amalgamated them with an OS check in the script.
So if the below script runs on 10.6.x it will untick the option System Preferences > Security > “Require Password To Unlock Each Secure Preference” & allow all users to unlock the below preference panes. If the OS is 10.7.x the below are allowed on a per pane level.
- Energy Saver
- Network
- Sharing
- Date & Time
- Startup Disk
- Time Machine
(Thanks to John for the Date & Time 10.7 line).
If i only want to allow clients to use Timemachine? is that possible?
Found it
Cool. 🙂
Doesn’t seem to work on 10.7.x
I see in the script it says if $OS == 10.6, but i don’t see anything if OS == 10.7
That’s correct… It’s using an if/else statement.
So if OS = 10.6.x do something, of 10.7.x do something else.
What errors are you seeing?
Actually I may be answering this the wrong way.
Once the script has run, the preference may look locked. Can a non-admin user then unlock with their credentials?
If so, then all is well.
everything except Date/Time seems unlocked (Startup Disk, Network, Sharing).
Progress!!
Do you need/want users to edit Date & Time? We stop our users from editing it via MCX.
I’ll amend with those changes later. It was left in the list as in 10.6 you could only enable those listed.
(I also updated the script as it wasn’t performing the OS checking properly).
The Date/Time was the main thing I was looking for, we have VPs that travel and need to change their timezones.
Ah-Ha! Figured out the culprit – there was no datetime entry in there, I used yours as a guideline and found the string in the authorization file and now it works! Thank you very much! You rock!
Cool & thanks. 🙂
Can you post the line so I can add it to the script?
I’m on leave currently & am not near a Mac.
Tbh, I forgot about the date & time pref pane. On 10.6 there was only one option with no granularity.
Also, is yours an AD environment? I am only ask as allowing users to change the time can lead to them changing it to outside of 5 mins of your DC’s. This (when back in the office), would stop them from being able to login.
I’ve seen this a few times where some office/airports clock is outside of 5 minutes of your DC , so the VP changes time & then cannot login. So my VP’s use the dashboard widget.
Date and Time setting:
# Unlock Date and Time
sudo /usr/libexec/PlistBuddy -c ‘Set :rights:system.preferences.datetime:group everyone’ /etc/authorization
We are in an AD environment with an internal time server, if the users change the time, it should sync the next time they are on the lan… in theory.
Ty. Uploaded your addition & added a credit. 🙂
In regards users having access.
Yep NTP server should amend time. BUT what if they change the server?
To change the time (& not the timezone), users will need to untick the “Automatically Update Time…” tick box. Doing so breaks the NTP sync meaning it will need to be adjusted manually.
I might be wrong, so please check. The above is all off the top of my head.
No errors specifically. It copies to the backup, but doesn’t seem to modify anything. The preferences never unlock. I tried pushing through casper and just running a sudo locally on the box.
I’ve added a second echo to the script..
Can you please run then test again?
Also, if you run the script locally in something like TextWrangler or just terminal does it work?
I copied to a new auth.sh file, chmod to +x, signed into regular user account, opened terminal and login admin, ran under sudo, and this is what returns
Given rights to the everyone group to unlock secure system preferences for OS …
but nothing is unlocked.
Greetings Ben Toms
Thank you so much for replying to my request for help on JAMF Nation.
So, I used the script you posted and ran as is on a 10.7.4 install. Most things appeared to work except Printing. I reset the security settings with the backup copy of the original authorization file and also commented out the settings in your script for preferences I wanted to keep the locked down (Accounts, Security, Sharing, Software Update, Startup Disk and Time Machine).
So, the amended script should open up to everyone the ability to make changes to (Accessibility, Date & Time, Energy Saver, Network, Parental Controls, Print & Scan)
I ran the script again (after a reboot) but Printing remains problematic.
Upon opening up the Print & Scan pane, a standard/mobile user is able to hit the “+” button to add a printer which actually then prompts you for authentication credentials of a user who is a member of the Print Administrators group, and I guess the user I was using was not as it fails, could not see anything is your script that sets rights for this print group. I can cancel this challenge and proceed to the next stage – Add Printer.
The default list of printers that are being picked up via Bonjour is shown, but I always install under IP/Line Printer Daemon -LPD anything else is always messy or plain broke. After adding the printer IP address and selected the driver the authentication challenge for the Print Administrator is given again, proceeding further provokes a CUPS authorisation error.
Let me see about adding the rights for the Print Administrator Group to your script and see if that resolves the issue with printing.
Hi Victor,
This script only unlocks the preference panes, as you’ve mentioned you then may need to go further to allow non admins to perform actions even with the pane unlocked.
To make users print admins, also try: https://macmule.com/2011/07/27/how-to-allow-all-users-to-add-or-remove-printers/
Let me know how it goes.
Hi there
Well thanks for the printing tip, this all seems to work now under 10.7. However, under 10.8 the release command for Networking appears to be ignored, the pane remains locked (even after a reboot)
Hi Victor,
Sorry i missed this comment.
I’m guessing Apple have again changed the keys for 10.8.. I’ll update with the 10.8 keys if/when I get the chance
Hi Victor,
Maybe this thread resolves the network permissions?
https://jamfnation.jamfsoftware.com/discussion.html?id=54#respond
Hi there,
I missed this thread in JAMF nation, thank you for the pointer.
Regards
No problem.
Please report if it’s working!
Oh, I forgot to reply,back, shameful – it worked!
Hi there… do you have an update of this script for 10.9?
I don’t.
This may work: http://www.dssw.co.uk/authbuddy/