Chapter 22: Privilege Elevation with SAP Privileges¶

Learning Objectives¶

By the end of this chapter, you will be able to:

• Deploy and configure SAP Privileges for time-limited administrative rights.
• Enable and configure anti-tampering system extension (Privileges 2.5+) for enhanced security.
• Integrate Privileges with MDM or Jamf for managed self-service elevation.
• Automate elevation and demotion with scripts and LaunchAgents.
• Implement least-privilege workflows that maintain user autonomy.

Introduction¶

Privilege management is a cornerstone of macOS fleet security. Rather than granting full-time admin rights, organizations can use macOS Enterprise Privileges (formerly SAP Privileges) to empower users with temporary elevation. This open-source tool developed by SAP provides time-limited admin rights with customizable expiration intervals and seamless MDM integration.

Privileges continues to evolve with new security features. Version 2.5 introduced an anti-tampering system extension that prevents unauthorized modification, deactivation, or removal of Privileges components, making it even more suitable for high-security enterprise environments.

This chapter provides practical examples and managed configuration tips to build a secure and user-friendly elevation workflow using Privileges, including the latest security enhancements.

Enterprise Privilege Management Context¶

Traditional approaches to macOS administration often grant users full-time administrator privileges to enable software installation, system configuration, and troubleshooting. However, this creates significant security risks: users with persistent admin rights can install unauthorized software, modify security settings, bypass security controls, and create entry points for attackers.

Security Risks of Persistent Admin Rights:

• Attack Surface Expansion: Admin users can install malicious software or bypass security controls
• Privilege Escalation: Compromised admin accounts provide attackers with full system access
• Compliance Violations: Persistent admin rights often violate security frameworks requiring least privilege
• Audit Challenges: Difficulty tracking which admin actions were legitimate vs. malicious

Least Privilege Benefits:

• Reduced Attack Surface: Users operate with minimal privileges by default
• Just-in-Time Access: Admin rights granted only when needed for specific tasks
• Audit Trail: All privilege elevation events logged with reason codes
• Compliance Alignment: Meets requirements for least privilege in security frameworks (NIST, CIS)

Business Drivers:

• Security Posture: Improve overall security posture by limiting admin access
• Compliance Requirements: Meet regulatory requirements for privilege management
• Risk Mitigation: Reduce risk from compromised user accounts
• Operational Efficiency: Balance security with user productivity needs

Security Considerations¶

Before deploying Privileges, understand the security implications and design your privilege policy accordingly.

Threat Model and Risk Assessment¶

Threat Scenarios:

• Compromised User Accounts: Attackers gaining access to standard user accounts have limited impact
• Privilege Escalation: Preventing attackers from easily gaining admin access
• Insider Threats: Limiting damage from malicious insiders
• Malware Execution: Reducing ability to install or execute malicious software

Risk Factors:

• Elevation Frequency: How often users need admin rights (affects policy design)
• Time Windows: Duration of elevated privileges (shorter is more secure)
• Approval Process: Self-service vs. approval-based elevation (affects security and UX)
• Audit Requirements: Compliance needs for privilege elevation logging

Policy Design Principles¶

Principle of Least Privilege:

• Grant minimum privileges necessary for task completion
• Time-bound access with automatic expiration
• Scope-limited access where possible (specific commands vs. full admin)

Just-in-Time Access:

• Elevate privileges only when needed
• Immediate revocation after task completion
• No persistent admin rights between sessions

Audit and Accountability:

• Log all privilege elevation events
• Require reason codes for elevation requests
• Track privilege usage patterns for security analysis

Configuration Security Best Practices¶

Time Limits:

• Maximum elevation duration: 15-30 minutes for most tasks
• Shorter windows for high-risk environments
• Automatic expiration regardless of user action

Enforcement Mechanisms:

• EnforcePrivileges: Prevents manual admin group addition
• RevokePrivilegesAtLogin: Ensures no persistent rights
• RevokePrivilegesAfterSystemTimeChange: Prevents time manipulation attacks
• EnableSystemExtension (Privileges 2.5+): Anti-tampering system extension prevents modification, deactivation, or removal of Privileges components

Access Controls:

• LimitToGroup: Restrict to specific AD/LDAP groups (requires domain-joined devices)
• LimitToUser: Limit to approved individuals (comma-separated list)

22.1 Designing Your Privilege Policy¶

Before deploying Privileges, design a privilege elevation policy that balances security requirements with user productivity.

Policy Objectives¶

Define Your Goals:

• What tasks require admin rights? (software installation, system configuration, troubleshooting)
• What's your risk tolerance for privilege elevation?
• What compliance requirements drive privilege management needs?
• How will you balance security with user productivity?

User Categories and Privilege Levels¶

Standard Users (Majority):

• No persistent admin rights
• Self-service elevation for common tasks (15-30 minute windows)
• Reason codes required for audit trail
• Automatic expiration and revocation

Power Users / IT Staff:

• May require longer elevation windows (up to 1-2 hours)
• Same audit requirements as standard users
• Consider role-based access controls

Developers:

• May need more frequent elevation
• Consider transitive allowlisting in combination with Santa
• Balance development needs with security

Executives:

• Custom policies based on business needs
• May require expedited approval processes
• Document business justifications for exceptions

Elevation Scenarios and Policies¶

Common Elevation Scenarios:

1. Software Installation:
2. Elevation window: 15-30 minutes
3. Self-service with reason code

4. Monitor for unusual patterns

5. System Configuration:

6. Elevation window: 15-30 minutes
7. May require approval for sensitive changes

8. Document configuration changes

9. Troubleshooting:

10. Elevation window: 30-60 minutes
11. May require help desk approval

12. Track troubleshooting activities

13. One-Time Tasks:

14. Minimal elevation window (5-15 minutes)
15. Self-service with reason
16. Immediate revocation after task

Approval Workflows¶

Self-Service (Recommended for Most Cases):

• Users request elevation via Privileges app
• Provide reason code (required)
• Automatic approval if within policy limits
• Elevation expires automatically

Approval-Based (High-Risk Scenarios):

• User requests elevation
• Help desk or manager approval required
• Approval workflow via ticketing system
• Time-bound approval window

Exception Handling¶

Temporary Exceptions:

• Extended elevation windows for specific projects
• Requires manager/security approval
• Document business justification
• Set expiration date for exception

Permanent Exceptions:

• Very rare, requires CISO/executive approval
• Regular review (quarterly) for continued validity
• Enhanced monitoring for excepted users
• Document in security policy

22.2 Overview¶

macOS Enterprise Privileges (commonly referred to as SAP Privileges or simply "Privileges") is an open-source menubar application developed by SAP that enables users to temporarily promote themselves to administrator privileges with IT-defined limits. It fits perfectly within macOS environments enforcing least privilege—particularly in enterprises, education, and regulated industries.

When properly configured, Privileges allows standard users to:

• Elevate to admin temporarily with configurable timeouts.
• Automatically demote after a fixed time, logout, or system time changes.
• Provide reason codes for privilege requests (audit trail).
• Log all privilege changes for compliance and auditing.
• Integrate seamlessly with MDM or Jamf for centralized policy control.
• Be limited to specific groups or users via configuration profiles.
• Be protected by anti-tampering system extension (Privileges 2.5+) to prevent modification, deactivation, or removal.

22.3 Installation¶

Installing via Homebrew (Testing/Development)¶

For testing or individual deployment, install via Homebrew:

brew install --cask privileges

Installing via Signed Package (Production)¶

For managed environments, download and deploy the signed installer package from the official SAP repository:

# Download latest release
curl -L https://github.com/SAP/macOS-enterprise-privileges/releases/latest/download/Privileges.pkg -o /tmp/Privileges.pkg

# Install
sudo installer -pkg /tmp/Privileges.pkg -target /

Post-Installation Verification¶

After installation, verify Privileges is running:

# Check if Privileges.app is installed
ls /Applications/Privileges.app

# Launch the application to check for system extension approval
open /Applications/Privileges.app

Important: On first launch, macOS will prompt for system extension approval. Deploy a PPPC (Privacy Preferences Policy Control) payload via MDM to pre-approve the system extension and avoid user prompts.

PPPC Configuration for Privileges¶

Create a PPPC payload to grant necessary permissions:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.TCC.configuration.profile</string>
      <key>PayloadIdentifier</key>
      <string>com.example.privileges.pppc</string>
      <key>PayloadUUID</key>
      <string>22222222-2222-2222-2222-222222222222</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>Services</key>
      <array>
        <string>SystemPolicyAllFiles</string>
        <string>SystemPolicySysAdminFiles</string>
      </array>
      <key>Identifier</key>
      <string>corp.sap.privileges</string>
      <key>CodeRequirement</key>
      <string>identifier "corp.sap.privileges" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13]</string>
      <key>StaticCode</key>
      <integer>0</integer>
      <key>Comment</key>
      <string>Grant Privileges full disk access</string>
      <key>Allowed</key>
      <true/>
    </dict>
  </array>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadIdentifier</key>
  <string>com.example.privileges.pppc.profile</string>
  <key>PayloadUUID</key>
  <string>33333333-3333-3333-3333-333333333333</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadDisplayName</key>
  <string>Privileges PPPC</string>
</dict>
</plist>

For comprehensive installation documentation, visit the Privileges Wiki.

Anti-Tampering System Extension (Privileges 2.5+)¶

Privileges 2.5 introduces a powerful system extension designed to prevent unauthorized modifications, deactivation, or uninstallation of Privileges and its components. This is a critical security feature for enterprise deployments where tampering protection is essential.

Protection Capabilities:

• Prevents Privileges from being renamed, copied, or deleted
• Blocks unloading of Privileges launchd plists with launchctl unload or launchctl bootout
• Prevents deactivation or removal of Privileges components
• Protects against user attempts to bypass privilege management controls

Enabling via Command Line:

# Enable the anti-tampering system extension
/Applications/Privileges.app/Contents/Resources/PrivilegesCLI --extension

# Or using short form
/Applications/Privileges.app/Contents/Resources/PrivilegesCLI -e

# Disable the system extension (use with caution)
/Applications/Privileges.app/Contents/Resources/PrivilegesCLI --no-extension

Enabling via Configuration Profile:

Add the EnableSystemExtension key to your Privileges configuration profile:

<key>EnableSystemExtension</key>
<true/>

Complete Configuration Profile Example with Anti-Tampering:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.ManagedClient.preferences</string>
      <key>PayloadIdentifier</key>
      <string>corp.sap.privileges</string>
      <key>PayloadUUID</key>
      <string>00000000-0000-0000-0000-000000000000</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadEnabled</key>
      <true/>
      <key>PayloadDisplayName</key>
      <string>Privileges Configuration</string>

      <key>Forced</key>
      <array>
        <dict>
          <key>mcx_preference_settings</key>
          <dict>
            <!-- Anti-tampering protection -->
            <key>EnableSystemExtension</key>
            <true/>

            <!-- Time-limited elevation -->
            <key>ExpirationIntervalMax</key>
            <integer>30</integer>

            <!-- Security settings -->
            <key>EnforcePrivileges</key>
            <true/>
            <key>RevokePrivilegesAtLogin</key>
            <true/>
          </dict>
        </dict>
      </array>
    </dict>
  </array>
  <!-- Profile metadata... -->
</dict>
</plist>

Important Considerations:

• The system extension must be approved via PPPC profile (same as the main Privileges system extension)
• Once enabled, Privileges becomes significantly more resistant to tampering
• Consider enabling in high-security environments where protection against bypass attempts is critical
• Test thoroughly before production deployment as disabling requires explicit action
• The extension works in conjunction with other Privileges security features for defense-in-depth
• Version requirement: Privileges 2.5 or later (currently in public beta as of November 2025)

Verification:

• Check extension status: systemextensionsctl list | grep -i privileges
• Verify protection: Attempt to rename or delete Privileges.app (should be blocked)
• Test launchd protection: Attempt launchctl unload (should be blocked)

Additional Resources:

• For more information on the anti-tampering feature, see the Privileges 2.5 Public Beta announcement
• Review the official Privileges Wiki for complete documentation

Note: The anti-tampering system extension is available in Privileges 2.5 and later. For earlier versions, rely on other security controls such as EnforcePrivileges and MDM restrictions.

22.4 Configuration via Managed Preferences¶

Preference Domain¶

The managed preferences domain is:

corp.sap.privileges

Essential Configuration Keys¶

Key configuration options include:

• ExpirationInterval: Fixed time interval (minutes) before privileges expire. Set to 0 to disable timeout.
• ExpirationIntervalMax: Maximum allowed interval (minutes) users can select. Recommended over fixed intervals.
• MaxIntervalInitial: Initial timeout (minutes) if user hasn't set a preference yet
• EnforcePrivileges: Force demotion even if user manually added themselves to admin group. Prevents bypass attempts.
• RequireAuthentication: Require user password/Touch ID before elevation. Adds security layer.
• RequireBiometricAuthentication: Force Touch ID or Face ID for elevation
• RevokePrivilegesAtLogin: Automatically revoke at login/reboot. Prevents persistent admin rights.
• RevokePrivilegesAfterSystemTimeChange: Demote if system clock is tampered. Prevents time manipulation.
• LimitToGroup: Restrict Privileges to specific AD/LDAP group (e.g., corp\helpdesk)
• LimitToUser: Restrict Privileges to specific users (comma-separated)
• ReasonRequired: Require users to provide reason for elevation
• ReasonMinLength/ReasonMaxLength: Control reason text length
• RemoteLogging: Forward events to syslog server for centralized monitoring
• EnableSystemExtension (Privileges 2.5+): Enable anti-tampering system extension to prevent modification, deactivation, or removal of Privileges

For a complete list of all configuration keys, see the Managing Privileges Wiki.

Configuration Profile Example¶

Deploy this via MDM or include in a .mobileconfig file:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.ManagedClient.preferences</string>
      <key>PayloadIdentifier</key>
      <string>corp.sap.privileges</string>
      <key>PayloadUUID</key>
      <string>00000000-0000-0000-0000-000000000000</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadEnabled</key>
      <true/>
      <key>PayloadDisplayName</key>
      <string>Privileges Configuration</string>
      <key>PayloadDescription</key>
      <string>Configure Privileges time-limited admin rights</string>

      <!-- Time-limited elevation (minutes). Set 0 to disable timeout -->
      <key>Forced</key>
      <array>
        <dict>
          <key>mcx_preference_settings</key>
          <dict>
            <key>ExpirationInterval</key>
            <integer>15</integer>

            <!-- Maximum user-selectable interval (minutes). Recommended over fixed interval -->
            <key>ExpirationIntervalMax</key>
            <integer>30</integer>

            <!-- Revoke privileges when user logs out or restarts -->
            <key>RevokePrivilegesAtLogin</key>
            <true/>

            <!-- Optional: require reason for elevation -->
            <key>ReasonRequired</key>
            <true/>
            <key>ReasonMinLength</key>
            <integer>10</integer>

            <!-- Custom help URL -->
            <key>HelpButtonCustomURL</key>
            <string>https://intranet.example.com/help/privileges</string>
          </dict>
        </dict>
      </array>
    </dict>
  </array>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadIdentifier</key>
  <string>com.example.privileges.profile</string>
  <key>PayloadUUID</key>
  <string>11111111-1111-1111-1111-111111111111</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadDisplayName</key>
  <string>Privileges Configuration</string>
  <key>PayloadDescription</key>
  <string>Configures time-limited admin privileges</string>
  <key>PayloadOrganization</key>
  <string>Example Corp</string>
</dict>
</plist>

Configuration Notes:

• Use ExpirationIntervalMax instead of ExpirationInterval for better user experience—allows users to choose their own interval up to the maximum.
• RevokePrivilegesAtLogin ensures no user retains admin rights across sessions.
• ReasonRequired creates an audit trail of why privilege elevation was requested.
• Combine this configuration with a PPPC payload granting Full Disk Access to Privileges for proper script execution and logging.
• For Jamf users, download the JSON Schema manifest from the Managing Privileges Wiki to create configurations in Jamf Pro.

22.5 Command-Line Interface (PrivilegesCLI)¶

The command-line utility allows scripting and automation of privilege changes. It is included inside the app bundle:

# Check current privilege status
/Applications/Privileges.app/Contents/Resources/PrivilegesCLI --status

# Request admin rights
/Applications/Privileges.app/Contents/Resources/PrivilegesCLI --add

# Remove admin rights and return to standard user
/Applications/Privileges.app/Contents/Resources/PrivilegesCLI --remove

# Enable anti-tampering system extension (Privileges 2.5+)
/Applications/Privileges.app/Contents/Resources/PrivilegesCLI --extension
# or short form:
/Applications/Privileges.app/Contents/Resources/PrivilegesCLI -e

# Disable anti-tampering system extension (use with caution)
/Applications/Privileges.app/Contents/Resources/PrivilegesCLI --no-extension

To make the CLI globally available (use with caution in managed environments):

sudo bash -c 'echo "/Applications/Privileges.app/Contents/Resources" > /etc/paths.d/PrivilegesCLI'

Afterward, you can invoke it simply as PrivilegesCLI. However, for managed environments, explicitly reference the full path in scripts for reliability.

Automating Elevation and Demotion¶

A simple Bash automation script with error handling:

#!/bin/bash
set -euo pipefail

# Full path to avoid PATH issues
PRIVILEGES_CLI="/Applications/Privileges.app/Contents/Resources/PrivilegesCLI"

# Check if user is already admin
if $PRIVILEGES_CLI --status | grep -q "admin"; then
    echo "User already has admin rights"
    exit 0
fi

# Request admin rights
$PRIVILEGES_CLI --add

# Wait 15 minutes (900 seconds)
sleep 900

# Remove admin rights
$PRIVILEGES_CLI --remove

# Log the automation
echo "$(date): Admin rights granted and auto-revoked after 15 minutes" >> ~/Library/Logs/Privileges.log

This grants admin rights for 15 minutes (900 seconds) and then automatically revokes them. Note that this approach is less secure than using configuration profiles with ExpirationInterval or ExpirationIntervalMax, as scripts can be terminated.

22.6 Integration with MDM and Jamf¶

MDM systems like Jamf can integrate SAP Privileges through Self Service or policy scripts.

Example Jamf script:

#!/bin/bash
/Applications/Privileges.app/Contents/Resources/PrivilegesCLI --add
osascript -e 'display notification "Temporary admin rights granted for 15 minutes" with title "Privileges"'
sleep 900
/Applications/Privileges.app/Contents/Resources/PrivilegesCLI --remove
osascript -e 'display notification "Admin rights revoked" with title "Privileges"'

Best practices:

• Notify the user when elevation is granted or revoked.
• Enforce limits via configuration profiles rather than script timers alone.
• Log all actions for auditability.

22.7 Automation with LaunchAgents¶

You can automate demotion at login by creating a LaunchAgent:

cat <<EOF | sudo tee /Library/LaunchAgents/com.example.demoteatlogin.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>com.example.demoteatlogin</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Applications/Privileges.app/Contents/Resources/PrivilegesCLI</string>
    <string>--remove</string>
  </array>
  <key>RunAtLoad</key>
  <true/>
</dict>
</plist>
EOF

Load it:

sudo launchctl load -w /Library/LaunchAgents/com.example.demoteatlogin.plist

This ensures any user is reverted to standard privileges upon login.

22.8 Auditing and Logging¶

Privileges maintains comprehensive local logging and supports remote logging via syslog.

Local Logging¶

Privileges maintains a local log file:

~/Library/Logs/Privileges.log

For enterprise monitoring, forward this log to your SIEM (e.g., Splunk, Elastic, or Sentinel). Example collection snippet:

tail -F ~/Library/Logs/Privileges.log | logger -t Privileges

Remote Logging via Syslog¶

For centralized logging, configure remote syslog in your configuration profile:

<key>RemoteLogging</key>
<dict>
  <key>ServerAddress</key>
  <string>syslog.example.com</string>
  <key>ServerPort</key>
  <integer>514</integer>
  <key>UseTLS</key>
  <true/>
  <key>LogFacility</key>
  <integer>4</integer>
  <key>LogSeverity</key>
  <integer>6</integer>
</dict>

This forwards Privileges events to your centralized logging infrastructure for compliance and security monitoring.

Remote Logging Configuration in Profile¶

Here's a complete example showing RemoteLogging in the profile structure:

<key>RemoteLogging</key>
<dict>
  <key>ServerAddress</key>
  <string>syslog.example.com</string>
  <key>ServerPort</key>
  <integer>514</integer>
  <key>UseTLS</key>
  <true/>
  <key>TLSIdentity</key>
  <string>CN=syslog.example.com</string>
  <key>LogFacility</key>
  <integer>4</integer>
  <key>LogSeverity</key>
  <integer>6</integer>
  <key>MaximumMessageSize</key>
  <integer>480</integer>
</dict>

Monitoring Admin Access¶

Combine with Jamf extension attributes, osquery queries, or endpoint detection tools to track admin group membership and privilege elevation events.

Example osquery Query to Monitor Admin Access¶

SELECT * FROM groups WHERE groupname = 'admin';

This query can be scheduled to track when users are added to or removed from the admin group.

Example Jamf Extension Attribute for Compliance¶

#!/bin/bash
# Check if user is in admin group
if /usr/bin/dscl . -read /Groups/admin GroupMembership | grep -q "$(whoami)"; then
    echo "<result>Has Admin</result>"
else
    echo "<result>Standard User</result>"
fi

This extension attribute reports admin status back to Jamf for compliance dashboards.

Compliance and Audit Requirements¶

Regulatory Compliance:

• NIST 800-53: Access Control (AC) family requires least privilege and audit logging
• CIS Benchmarks: Recommend removing users from admin group, implement privilege elevation
• PCI-DSS: Requires least privilege and audit trails for privileged access
• HIPAA: Requires access controls and audit logging for administrative access

Audit Trail Components:

• User identity (who requested elevation)
• Timestamp (when elevation occurred)
• Duration (how long privileges were active)
• Reason code (why elevation was needed)
• Method (self-service vs. approved request)
• Outcome (successful elevation, expiration, revocation)

SIEM Integration:

• Forward Privileges logs to SIEM for centralized analysis
• Correlate with other security events (login, file access, network activity)
• Alert on suspicious privilege elevation patterns
• Generate compliance reports from centralized logs

Compliance Reporting:

• Monthly reports showing privilege elevation frequency by user
• Exception reports for extended or permanent exceptions
• Audit reports for compliance reviews
• Trend analysis showing privilege usage patterns

Advanced Auditing and Analysis¶

Pattern Detection:

• Identify users with unusually frequent elevation requests
• Detect privilege elevation outside normal business hours
• Flag users with extended elevation durations
• Alert on privilege elevation from unusual locations

Example SIEM Queries (Splunk):

# Privilege elevation frequency by user
index=privileges event_type="privilege_granted" | 
  stats count by user | 
  sort -count

# Elevations outside business hours
index=privileges event_type="privilege_granted" | 
  eval hour=strftime(_time, "%H") | 
  where hour < 8 OR hour > 18 | 
  stats count by user, hour

# Extended elevation durations
index=privileges event_type="privilege_revoked" | 
  eval duration=revoke_time - grant_time | 
  where duration > 3600 | 
  stats avg(duration) as avg_duration, max(duration) as max_duration by user

22.9 Restricting Access with Groups or Users¶

Privileges provides built-in configuration options to restrict which users can elevate privileges. This is particularly useful in enterprise environments where you want to limit privilege elevation to authorized users or groups.

Note: Many enterprises do not have their macOS devices domain-joined to Active Directory or LDAP. In these environments, you can still use Privileges effectively with local user restrictions or by managing access through MDM-based configuration profiles.

Restricting by User¶

The LimitToUser configuration key allows you to specify individual users who can use Privileges. This is useful for environments without directory services.

Configuration Example:

<key>LimitToUser</key>
<string>jane.doe,john.smith</string>

Multiple users can be specified as a comma-separated list.

Restricting by AD/LDAP Group¶

If your macOS devices are bound to Active Directory or LDAP, you can use the LimitToGroup configuration key to restrict Privileges to specific directory groups.

Configuration Example:

<key>LimitToGroup</key>
<string>DOMAIN\PrivilegedUsers</string>

Important Considerations:

• Requires macOS devices to be bound to Active Directory or LDAP directory
• Group membership is checked at runtime when users attempt to elevate privileges
• Group name format must match your directory's naming convention (e.g., DOMAIN\GroupName or GroupName@domain.com)
• If a user is not in the specified group, Privileges will not allow privilege elevation

Configuration Profile Example with Group Restriction:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.ManagedClient.preferences</string>
      <key>PayloadIdentifier</key>
      <string>corp.sap.privileges</string>
      <key>PayloadUUID</key>
      <string>00000000-0000-0000-0000-000000000000</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadEnabled</key>
      <true/>

      <key>Forced</key>
      <array>
        <dict>
          <key>mcx_preference_settings</key>
          <dict>
            <!-- Restrict to AD/LDAP group (requires domain binding) -->
            <key>LimitToGroup</key>
            <string>DOMAIN\PrivilegedUsers</string>

            <!-- Alternative: Restrict to specific users (comma-separated) -->
            <!-- <key>LimitToUser</key>
            <string>jane.doe,john.smith</string> -->

            <!-- Other Privileges configuration options -->
            <key>ExpirationIntervalMax</key>
            <integer>30</integer>
            <key>RevokePrivilegesAtLogin</key>
            <true/>
          </dict>
        </dict>
      </array>
    </dict>
  </array>
  <!-- Profile metadata... -->
</dict>
</plist>

Deployment Considerations¶

Non-Domain-Joined Environments:

• Use LimitToUser with comma-separated local usernames
• Update configuration profiles as users change roles
• Manage access through MDM-based user group assignments
• Consider using local macOS groups (requires local directory service configuration)

Domain-Joined Environments:

• Use LimitToGroup with AD/LDAP groups for centralized management
• Group membership changes automatically reflect without updating profiles
• Leverage existing directory service group structures
• Maintain consistency with other enterprise access controls

Troubleshooting Group/User Restrictions¶

User Cannot Elevate Privileges:

Diagnosis:

# Check if LimitToGroup or LimitToUser is configured
defaults read /Library/Managed\ Preferences/*/corp.sap.privileges.plist | grep -i "LimitTo"

# For domain-joined systems, verify group membership
dscl /Search -read /Groups/admin GroupMembership
groups "$(whoami)"

# Check directory binding status
dsconfigad -show

Common Issues:

• User not in specified group or user list
• Directory binding not active (for LimitToGroup)
• Group name format incorrect (check domain format)
• Configuration profile not applied correctly

Solutions:

• Verify user is in the specified group or user list
• For domain-joined systems: Check directory binding status and group membership
• Verify group name format matches directory conventions
• Check configuration profile application and refresh if needed

For complete documentation on all configuration keys, including LimitToGroup and LimitToUser, refer to the official Privileges Wiki - Managing Privileges.

22.10 Comprehensive Troubleshooting¶

This section addresses common issues encountered when deploying Privileges in enterprise environments.

Installation and Configuration Issues¶

System Extension Not Activating:

Symptom: Privileges app launches but system extension not active

Diagnosis:

# Check system extension status
systemextensionsctl list | grep -i privileges

# Check for approval prompts
log show --predicate 'subsystem == "com.apple.systemextensions"' --last 1h

Solutions:

• Deploy PPPC profile for system extension approval
• Verify device is supervised/managed
• Manual approval: System Settings → Privacy & Security → System Extensions
• Restart device if extension stuck in pending

Configuration Profile Not Applying:

Symptom: Privileges not honoring configured settings (timeouts, restrictions)

Diagnosis:

# Check if profile is installed
profiles -P | grep -i privileges

# Verify profile payload
profiles -P -o stdout-xml | grep -A 30 "corp.sap.privileges"

# Check managed preferences
defaults read /Library/Managed\ Preferences/*/corp.sap.privileges.plist 2>/dev/null

Solutions:

• Verify profile scope in MDM console
• Check for profile conflicts
• Force profile refresh: sudo profiles -N
• Verify preference domain matches: corp.sap.privileges

Privilege Elevation Issues¶

User Cannot Elevate Privileges:

Symptom: Privileges app shows error or user cannot request admin rights

Diagnosis:

# Check current user's admin status
dscl . -read /Groups/admin GroupMembership

# Check Privileges configuration
defaults read /Library/Managed\ Preferences/*/corp.sap.privileges.plist

# Check if user is in restricted group
dscl . -read /Groups/admin GroupMembership | grep "$(whoami)"

Common Causes:

• User already has persistent admin rights (conflicts with Privileges)
• User not in authorized group (if LimitToGroup configured)
• Configuration profile restricts access
• System extension not active

Solutions:

• Remove persistent admin rights: sudo dseditgroup -o edit -d username -t user admin
• Add user to authorized group if using group restrictions
• Verify configuration profile allows self-service elevation
• Ensure system extension is activated

Privileges Not Expiring:

Symptom: Admin rights remain after expiration time

Diagnosis:

# Check Privileges daemon status
launchctl list | grep -i privileges

# Check configuration
defaults read /Library/Managed\ Preferences/*/corp.sap.privileges.plist | grep -i expiration

# Verify daemon is running
ps aux | grep -i "[P]rivileges"

Solutions:

• Verify ExpirationInterval or ExpirationIntervalMax is configured
• Check EnforcePrivileges is enabled to prevent manual admin group addition
• Restart Privileges daemon: killall Privileges (will restart automatically)
• Verify configuration profile is applied correctly

Integration Issues¶

MDM Integration Failures:

Symptom: Configuration profiles not deploying or updating

Solutions:

• Verify MDM scope and device group membership
• Check for profile conflicts in MDM console
• Force profile refresh on device
• Verify profile format is correct

Group/User Restriction Issues:

Symptom: Group-based or user-based restrictions not working

Diagnosis:

# Check if LimitToGroup or LimitToUser is configured
defaults read /Library/Managed\ Preferences/*/corp.sap.privileges.plist | grep -i "LimitTo"

# For domain-joined systems, verify group membership
groups "$(whoami)"

# Check directory binding status (for LimitToGroup)
dsconfigad -show

# Verify AD/LDAP connection
dscl /Search -read /Users/$(whoami) | grep -i "distinguishedname\|memberof"

Solutions:

• Verify user is in the specified group or user list
• For domain-joined systems: Check directory binding status (dsconfigad -show)
• Verify group name format matches directory conventions (e.g., DOMAIN\GroupName)
• Check configuration profile is applied: profiles -P | grep -i privileges
• Test group membership resolution: groups "$(whoami)"

Logging and Monitoring Issues¶

Logs Not Appearing:

Symptom: No entries in Privileges.log or syslog

Diagnosis:

# Check log file location
ls -la ~/Library/Logs/Privileges.log

# Check log file permissions
ls -la /var/log/Privileges.log 2>/dev/null

# Test logging manually
/Applications/Privileges.app/Contents/Resources/PrivilegesCLI --status

Solutions:

• Verify log file path in configuration
• Check file permissions (user must be able to write)
• Ensure Privileges daemon is running
• Test with verbose logging enabled

Remote Logging Not Working:

Symptom: Events not forwarding to syslog server

Diagnosis:

# Test syslog connectivity
logger -t Privileges "Test message"
# Check if message reaches syslog server

# Verify remote logging configuration
defaults read /Library/Managed\ Preferences/*/corp.sap.privileges.plist | grep -i remote

Solutions:

• Verify syslog server address and port in configuration
• Check network connectivity to syslog server
• Test TLS configuration if using encrypted syslog
• Verify syslog server is receiving connections

Performance and Operational Issues¶

High Resource Usage:

Symptom: Privileges causing system slowdown

Diagnosis:

# Check resource usage
top -pid $(pgrep -f Privileges)
ps aux | grep -i "[P]rivileges"

Solutions:

• Privileges typically uses minimal resources
• If high usage, check for configuration issues
• Restart Privileges daemon if needed
• Update to latest version

Anti-Tampering Extension Issues (Privileges 2.5+):

Symptom: Anti-tampering extension not activating

Diagnosis:

# Check system extension status
systemextensionsctl list | grep -i privileges

# Check if extension is enabled in configuration
defaults read /Library/Managed\ Preferences/*/corp.sap.privileges.plist | grep -i EnableSystemExtension

# Check PrivilegesCLI for extension status
/Applications/Privileges.app/Contents/Resources/PrivilegesCLI --status

Solutions:

• Verify Privileges version is 2.5 or later: Check app bundle version or release notes
• Ensure system extension approval: Deploy PPPC profile for system extension
• Check configuration: Verify EnableSystemExtension key is set to true in managed preferences
• Enable via CLI: Use PrivilegesCLI --extension to enable if configuration profile not applying
• Verify device compatibility: System extension requires macOS 10.15+ and compatible hardware

Symptom: Cannot disable or modify Privileges after enabling anti-tampering

Solutions:

• This is expected behavior when anti-tampering is enabled
• To disable: Use PrivilegesCLI --no-extension with appropriate privileges
• For uninstallation: Disable extension first, then remove application
• Contact IT support for managed device modifications

Frequent User Complaints:

Symptom: Users reporting inability to complete tasks

Solutions:

• Review elevation timeouts (may be too short)
• Check if common software requires admin rights (consider allowlisting)
• Provide clear guidance on when elevation is needed
• Consider approval-based workflow for extended needs

Chapter 22 Exercise¶

Goal: Implement a controlled privilege elevation workflow.

Tasks:

1. Install SAP Privileges using Homebrew or MDM:
2. Download from GitHub releases

3. Deploy PPPC payload to pre-approve system extension

4. Configure a 15-minute maximum timeout via configuration profile:

5. Use ExpirationIntervalMax for user flexibility
6. Set RevokePrivilegesAtLogin for security
7. Enable ReasonRequired for audit trail

8. Deploy via MDM to test client

9. Create a LaunchAgent to revoke admin rights at login:

10. Place plist in /Library/LaunchAgents/
11. Load with launchctl load -w

12. Verify revoke on next login

13. Build a Jamf Self Service policy for manual elevation:

14. Create script that calls PrivilegesCLI --add
15. Add to Self Service with clear description

16. Test elevation and automatic demotion

17. Monitor the Privileges log to verify activity:

18. Check ~/Library/Logs/Privileges.log for events
19. Configure remote syslog if available
20. Verify audit trail includes reason codes (if enabled)

Bonus Challenge:
Write a Bash wrapper script that checks if the user is already admin before running PrivilegesCLI --add, ensuring idempotent elevation. Use dscl or groups command to check admin group membership.

macOS Scripting Tips¶

• Always test timeouts and demotion scripts on a non-admin test user before production rollout.
• Keep Privileges updated; new versions often add UX improvements and additional configuration keys.
• Use ExpirationIntervalMax instead of ExpirationInterval for better user experience—allows flexibility while maintaining IT control.
• Set RevokePrivilegesAtLogin to ensure no user retains admin rights across sessions or reboots.
• Use EnforcePrivileges to prevent users from manually adding themselves to the admin group.
• Leverage LimitToGroup or LimitToUser to restrict Privileges access to specific authorized users.
• Configure remote logging via syslog to forward privilege elevation events to your SIEM for compliance.
• Combine Privileges with Santa or Endpoint Security tools for full least-privilege coverage and defense-in-depth.
• Regularly audit admin group membership with osquery or Jamf reports to ensure compliance.
• Leverage PPPC profiles to grant necessary permissions (Full Disk Access) for scripts and the Privileges app itself.
• Enable the anti-tampering system extension (EnableSystemExtension) in Privileges 2.5+ for enhanced security, especially in high-risk environments.
• Test anti-tampering features thoroughly before production deployment to ensure proper operation.
• Review the official Privileges Wiki for the latest configuration options and best practices.
• Stay updated on new Privileges releases via the GitHub repository for security improvements and new features.