MakeMeAdminPy
macOS-enterprise-privileges
| MakeMeAdminPy | macOS-enterprise-privileges | |
|---|---|---|
| 1 | 41 | |
| 33 | 1,240 | |
| - | 0.6% | |
| 0.0 | 4.1 | |
| about 2 years ago | 3 months ago | |
| Python | Objective-C | |
| GNU General Public License v3.0 or later | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
MakeMeAdminPy
-
‘Self-Destructive’ LaunchDaemon & Script?
https://github.com/kc9wwh/MakeMeAdminPy is the one I have been using. The only issue I have run into is having it check the organizational admin account password. But it downgrades any admin accounts created with the privileges and adds them to a smartgroup in Jamf Pro which I have email notifications set up for. Not sure if this helps any.
macOS-enterprise-privileges
- Administrator Accounts for Users
- Simple App to help Mac Admins
- Microsoft Enterprise SSO Plug-in and Tiered Accounts
-
MacOS user profile management inquiry
Also, if you need them to have admin rights, you can use something like https://github.com/SAP/macOS-enterprise-privileges
- MacOS: Grant temp admin rights to user from a Company Portal application
- Allow non-admins to manage Location Services
-
Can we hide the orange dot without disabling SIP?
> For technically-inclined users, I'm still largely unconvinced of the value of SIP.
Problem is technically-inclined users are the ones most likely to not be running "defense in depth" and therefore susceptible to zero days such as the H.264->code execution discussion earlier this week.
Arguably, technically-inclined users participating in the software supply chain should go beyond SIP and run in Lockdown mode permanently, both on the dev machine and any mobile devices used for MFA, or at the very least self-install SAP's "Privileges" or equivalent that requires a deliberate unlock to act as Administrator.
https://github.com/SAP/macOS-enterprise-privileges
This helps* prevent drive-bys with persistent payloads without the extra attack surface that is commercial AV or anti-malware.
* Helps prevent, not prevents.
- macOS privileges, quick and easy way to get administrator rights when needed
- Using an admin-account for daily work, really that bad?
- Admin rights and PAM
What are some alternatives?
MakeMeAnAdmin - Provides temporary admin access for a standard user via Jamf Self Service
ProfileManifestsMirror - Jamf JSON schema manifests automatically generated from ProfileCreator manifests (https://github.com/ProfileCreator/ProfileManifests)
macOS-Security-and-Privacy-Guide - Guide to securing and improving privacy on macOS
macOSLAPS - Swift binary that will change a local administrator password to a random generated password. Similar behavior to LAPS for Windows
rtrouton-recipes - Recipes for AutoPkg
LAPSforMac - Local Administrator Password Solution for Mac
Installomator - Installation script to deploy standard software on Macs
community-screenrecording-pppc-profile - Management profile for MDM of all community provided apps that use ScreenRecording on macOS
dotfiles - macOS dotfiles for 10.13. Drawing upon the work of many others' dotfiles. Sets up Mac with home-brew, PHP 7.1 fish shell and more.
PrivilegesDemoter - Allow users to self manage admin privileges, while reminding them to operate as standard whenever possible.