Posted by mattsmacblog
This post will look at putting the authorization file to use in a partially managed Mac environment. Yes some of this can be done via OD & MCX but as we’re a small environment we don’t use it nor really need it. All testing was done with 10.7.2 and I’ve been using it with all our Mac’s up to 10.8.2 at the moment.
Q: What’s the problem we want to solve?
A: I want my users to be somewhere in between what Apple defines as a “Standard User” and a “Admin User”. Stealing from Windows terminology, I want them to be a “Power User”.
I want the System Preference panes marked below with red X’s to no longer require an Admin password to unlock them. Your environment will be different to mine, so pick, choose & extend these ideas to what fits your environment.
Energy Saver: I want users to be able to set their own Sleep schedules. I don’t want support requests from users about changing their sleep from 10 to 15minutes. Cons: The potential downside of this is that I really don’t want them to be able to turn off “Wake for Ethernet network access” (ARD use) but I’m hoping most won’t mess with this setting.
Print & Scan: I want laptop users to be able to add a home inkjet / laser printer. Cons: I don’t really want them deleting or adding other printers at work so I’m not actually going to unlock this preference pane in this example. But you may want to in your environment. I will do it by adding the user to the lpadmin group instead. Adding a user to the lpadmin group allows them to install or remove printers it doesn’t however unlock the Print & Scan System Preference pane but it does allow them to use the less obvious + and – buttons in that pane to make changes. They can also use the File > Print > Printer > Add New Printer… option to add a home printer.
Network: I want laptop users to be able to adjust network settings as they travel. Often at conferences, home or other sites, custom network settings or proxy settings are required. Opening this up lets them adjust them as needed. Cons: Users can break their network settings which may yield a support request.
Date & Time: I want laptop users to be able to change the time zone if the ‘automatic’ feature fails. Also if the PRAM battery fails I want users to be able to set the correct date and time. Cons: Users can be on the wrong time zone / time which will effect things like AD based login’s.
Time Machine: I want laptop users to be able to setup a USB drive or Time Capsule at home as they’re backup device.
Not mentioned above: Software Update: I plan to enable Software Update once I get my own Software Update Server running using Reposado. This way I can enable standard users to update their own Mac’s via the built-in Apple system but control what updates are available via reposado. You can also do this via Munki or this app at http://www.littleboyblue.co.nz/ instead.
In my environment I’ve decided for now that I only want to open the above extra Preference Panes up for laptop users. Desktop users I can help over the phone easily, change things remotely via ARD or go visit them. Laptop users who are overseas or not on-site are the main concern as I can’t help them easily nor allowed to give them admin credentials.
In my environment for 10.7.x we are currently using the Apple Active Directory plug-in and Mobile User Accounts with local homes. We add laptop users to the lpadmin group so they can install printers at home. I do this via Apple Remote Desktop (ARD) using the Send Unix Command option: dseditgroup -o edit -a USERNAME -t user _lpadmin if doing it locally via the command line as an admin use sudo dseditgroup -o edit -a USERNAME -t user _lpadmin To verify the user has been added use dscl . -read /Groups/lpadmin at the command line. Looking at the “Group Membership” field.
I am going to leverage this as it distinguishes between desktop and laptop users in our environment to achieve the outcome above. You could also create a new group and use that or use another built-in group. Be aware that creating your own group means that you’d also need to add admin accounts to that group or the admin group itself. By default all local admin accounts are members of the lpadmin group. You could also use the staff or everyone group to open it wider.
So from the info in my earlier post we’re going to change the following keys in the /etc/authorization file from group admin to lpadmin using TextWrangler:
changing the bottom part of each entry above from
Note: TextWrangler will change the files owner and group, you can easily set it back via chown & chmod or just run Disk Utility – Repair Permissions which will set it back to root and wheel.
To make this even easier and ARD compatible I’ve adjusted a script from here which can be sent out via ARD to a Machine to change it immediately. If a future apple update changes the file back to it’s original state it’s easily changed back.
#Copy the authorization file to a temporary location & make it a plist
/bin/cp -pr /etc/authorization /private/tmp/authorization.plist
# Unlock System Preferences for lpadmin group members.
/usr/libexec/PlistBuddy -c ‘Set :rights:system.preferences:group lpadmin’ /private/tmp/authorization.plist
# Unlock the Network Settings preference pane
/usr/libexec/PlistBuddy -c ‘Set :rights:system.preferences.network:group lpadmin’ /private/tmp/authorization.plist
# Unlock the Time Machine preference pane
/usr/libexec/PlistBuddy -c ‘Set :rights:system.preferences.timemachine:group lpadmin’ /private/tmp/authorization.plist
# Unlock the Energy saver preference pane
/usr/libexec/PlistBuddy -c ‘Set :rights:system.preferences.energysaver:group lpadmin’ /private/tmp/authorization.plist
# Unlock the Date and Time preference pane
/usr/libexec/PlistBuddy -c ‘Set :rights:system.preferences.datetime:group lpadmin’ /private/tmp/authorization.plist
# Move file back to original location
/bin/mv /private/tmp/authorization.plist /etc/authorization
You can just copy and paste the text above into the “Send Unix Command” text area in ARD and send it as a local admin or root. Alternatively copy the text into TextWrangler, do a save as i.e. auth-changescript.sh then go to the command line and make it executable via chmod +x auth-changescript.sh then run it with sudo ./auth-changescript.sh or sudo sh auth-changescript.sh
There’s other ways to achieve the same result. You can change the key’s above from class “user” to “rule” keys and make your own rule at the bottom of the authorization file or use a built-in one but it’s much more complex & not well documented by Apple.