FileWave Alliance

The Official Community Forum

TOPIC: Granting Non-Admin's Time Machine Access - Works

Granting Non-Admin's Time Machine Access - Works 14 Sep 2017 14:46 #2699

  • Jonathan Cohen
Disclaimer - this functionality was duplicated from work by Graham Gilbert ( github.com/grahamgilbert/macscripts/tree/master/Munki/Auth )

This specifically addresses how to implement this in FileWave.

The first action we need to take is to open the top level of system preferences in authorizationdb. This does not change the behavior of any one preference item, just the group of them as a whole.

Create a new empty fileset "Open System Preferences" and add the following scripts.

Install Check Script - placed in "Preflight Scripts" in fileset.
#!/usr/bin/env python

# Tool general description:
#   Opens System Preferences structure to "everyone."
#   It does not change any specific access permissions for targeted tasks.

# Install Check Script to OPEN top level of system preferences in authorizationdb
# Provided by Graham Gilbert

import subprocess
import sys
import plistlib

# Group System Preferences should be opened to
group = 'everyone'

command = ['/usr/bin/security', 'authorizationdb', 'read', 'system.preferences']

task = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
(out, err) = task.communicate()

formatted = plistlib.readPlistFromString(out)
# if group matches, exit 1 as we don't need to install
if formatted['group'] == group:
    sys.exit(1)
else:
    # if it doesn't we're exiting with 0 as we need to perform the install
    sys.exit(0)


PostInstall Script - placed in "Postflight Scripts" in fileset.
#!/usr/bin/env python

# Now we need to open the preferences
# Post Install Script to OPEN top level of system preferences in authorizationdb
# Provided by Graham Gilbert

import subprocess
import sys
import plistlib

# Group System Preferences should be opened to
group = 'everyone'

command = ['/usr/bin/security', 'authorizationdb', 'read', 'system.preferences']

task = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
(out, err) = task.communicate()
formatted = plistlib.readPlistFromString(out)

# If the group doesn't match, we're going to correct it.
if formatted['group'] != group:
    #input_plist = {}
    formatted['group'] = group
    # Convert back to plist
    input_plist = plistlib.writePlistToString(formatted)
    # Write the plist back to the authorizationdb
    command = ['/usr/bin/security', 'authorizationdb', 'write', 'system.preferences']
    task = subprocess.Popen(command, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    (out, err) = task.communicate(input=input_plist)

Finally, a method to undo your changes via uninstall - placed in "Post-Uninstallation Scripts" in fileset.
#!/usr/bin/env python

# Uninstall Script to CLOSE top level of system preferences in authorizationdb to everyone but 'admin' users
# Provided by Graham Gilbert

import subprocess
import sys
import plistlib

# Set the group back to admin
group = 'admin'

command = ['/usr/bin/security', 'authorizationdb', 'read', 'system.preferences']

task = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
(out, err) = task.communicate()
formatted = plistlib.readPlistFromString(out)

# If the group doesn't match, we're going to correct it.
if formatted['group'] != group:
    formatted['group'] = group
    # Convert back to plist
    input_plist = plistlib.writePlistToString(formatted)
    # Write the plist back to the authorizationdb
    command = ['/usr/bin/security', 'authorizationdb', 'write', 'system.preferences']
    task = subprocess.Popen(command, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    (out, err) = task.communicate(input=input_plist)




Now that we've opened up our top level in System Preferences, we need to do the same for the actual settings in Time Machine.

The process is nearly identical.

Create a new empty fileset "Open Time Machine Preferences" and add the following scripts.

Install Check Script - placed in "Preflight Scripts" in fileset.
#!/usr/bin/env python
#
# Fileset: Open Time Machine
# Preflight Script
#
# Allows "everyone" to manage Time Machine and TM Preferences
#
# Installation Check Script for Munki Payload Free plist
# Scripting sequence for authorizing all users to manage TimeMachine Preferences via System Preferences App
# Script template provided by Graham Gilbert via GitHub - github.com/grahamgilbert/macscripts

import subprocess
import sys
import plistlib

# Group Time Machine preferences should be opened to
group = 'everyone'

# Modify final key in the array to change which authorizationdb permission value is being modified
command = ['/usr/bin/security', 'authorizationdb', 'read', 'system.preferences.timemachine']

task = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
(out, err) = task.communicate()

formatted = plistlib.readPlistFromString(out)
# if group matches, exit 1 as we don't need to install
if formatted['group'] == group:
    sys.exit(1)
else:
    # if it doesn't we're exiting with 0 as we need to perform the install
    sys.exit(0)


PostInstall Script - placed in "Postflight Scripts" in fileset.
#!/usr/bin/env python
#
# Fileset: Open Time Machine
# Postinstall script
#
# Allows "everyone" to manage Time Machine and TM Preferences
#
# Installation Check Script for Munki Payload Free plist
# Scripting sequence for authorizing all users to manage TimeMachine Preferences via System Preferences App
# Script template provided by Graham Gilbert via GitHub - github.com/grahamgilbert/macscripts

import subprocess
import sys
import plistlib

# Group System Preferences should be opened to
group = 'everyone'

# Modify final key in the array to change which authorizationdb permission value is being modified
command = ['/usr/bin/security', 'authorizationdb', 'read', 'system.preferences.timemachine']

task = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
(out, err) = task.communicate()
formatted = plistlib.readPlistFromString(out)

# If the group doesn't match, we're going to correct it.
if formatted['group'] != group:
    formatted['group'] = group
    # Convert back to plist
    input_plist = plistlib.writePlistToString(formatted)
    
    # Write the plist back to the authorizationdb
    # Modify final key in the array to change which authorizationdb permission value is being modified
    command = ['/usr/bin/security', 'authorizationdb', 'write', 'system.preferences.timemachine']
    task = subprocess.Popen(command, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    (out, err) = task.communicate(input=input_plist)

sys.exit(0)


Finally, a method to undo your changes via uninstall - placed in "Post-Uninstallation Scripts" in fileset.
#!/usr/bin/env python
#
# Fileset: Open Time Machine
# Postuninstall script
#
# Restores management of Time Machine and TM Preferences to 'admin' users only
#
# Installation Check Script for Munki Payload Free plist
# Scripting sequence for authorizing all users to manage TimeMachine Preferences via System Preferences App
# Script template provided by Graham Gilbert via GitHub - github.com/grahamgilbert/macscripts

import subprocess
import sys
import plistlib

# Set the group back to admin
group = 'admin'

# Modify final key in the array to change which authorizationdb permission value is being modified
command = ['/usr/bin/security', 'authorizationdb', 'read', 'system.preferences.timemachine']

task = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
(out, err) = task.communicate()
formatted = plistlib.readPlistFromString(out)

# If the group doesn't match, we're going to correct it.
if formatted['group'] != group:
    formatted['group'] = group
    # Convert back to plist
    input_plist = plistlib.writePlistToString(formatted)
    # Write the plist back to the authorizationdb
    # Modify final key in the array to change which authorizationdb permission value is being modified
    command = ['/usr/bin/security', 'authorizationdb', 'write', 'system.preferences.timemachine']
    task = subprocess.Popen(command, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    (out, err) = task.communicate(input=input_plist)

sys.exit(0)




The final step is to associate the "Open Time Machine Preferences" fileset with your clients. You also need to set "Open System Preferences" as a dependency of the Time Machine fileset. We also set the "Open Time Machine Preferences" install priority to high to make sure it is in place before opening Time Machine.

This was confirmed working in macOS Sierra 10.12.6 but should work on any OS version that uses the Authorisations DB system.
The following user(s) said Thank You: Dave Herder

Granting Non-Admin's Time Machine Access - Works 14 Sep 2017 14:52 #2700

  • Bao Tran
Nice! Thanks for sharing.

Granting Non-Admin's Time Machine Access - Works 14 Sep 2017 14:56 #2701

  • Dave Herder
Thanks! That looks great!

Granting Non-Admin's Time Machine Access - Works 12 Dec 2017 13:21 #2836

  • P-M Lejon
On later versions of macOS you can always do it by just adding the following to an activation script:
/usr/bin/security authorizationdb write system.preferences.timemachine allow

See macnotes.wordpress.com/2016/03/30/unlock...for-non-admin-users/ for more Unlock commands.
P-M Lejon
System Administrator
BonnierNews
Sweden
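
Added example, not code from any poster in this thread: a Python 3 audit helper that classifies the output of "security authorizationdb read" for the two rights discussed above, covering both the group change from the first post and the "allow" form from the last post. The sample plists, the right name example.right.default and the assumed read-back layout of an "allow" right are constructed for illustration.

```python
import plistlib
import subprocess


def read_right(name):
    """Raw plist for one right from the live database (macOS only)."""
    cmd = ["/usr/bin/security", "authorizationdb", "read", name]
    return subprocess.run(cmd, capture_output=True).stdout


def classify(raw):
    """Return (verdict, detail) for the plist text of a single right."""
    try:
        right = plistlib.loads(raw)
    except Exception:  # empty output or malformed XML: the read failed
        return ("unreadable", "")
    if not isinstance(right, dict):
        return ("unreadable", "")
    rules = right.get("rule", [])
    if isinstance(rules, str):
        rules = [rules]
    # Assumption: a right written with the bare word "allow" reads back as a
    # rule-class entry with no "group" key, so indexing ['group'] would fail.
    if right.get("class") == "allow" or "allow" in rules:
        return ("open", "allow rule")
    group = right.get("group")
    if group == "admin":
        return ("admin-only", "group admin")
    if group:
        return ("open", "group " + group)
    return ("other", "class " + str(right.get("class")))


def audit(snapshots):
    """Map right name -> verdict for every right that is not admin-only."""
    results = {name: classify(raw) for name, raw in snapshots.items()}
    return {n: v for n, v in results.items() if v[0] != "admin-only"}


# Constructed samples, not captured from a real machine.
SAMPLES = {
    "system.preferences": plistlib.dumps({"class": "user", "group": "everyone"}),
    "system.preferences.timemachine": plistlib.dumps({"class": "rule", "rule": ["allow"]}),
    "example.right.default": plistlib.dumps({"class": "user", "group": "admin"}),
}

if __name__ == "__main__":
    for name, (verdict, detail) in sorted(audit(SAMPLES).items()):
        print(name, verdict, detail)
```

On a managed Mac, pass {name: read_right(name)} for each right of interest to audit() to list the rights that have been opened beyond the admin group.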