Privileged Scripts
Support App allows scripts to be executed with elevated privileges, for example so that Extensions can populate custom information or Actions can run functions. Because Support App is sandboxed, it uses a built-in Privileged Helper Tool for privilege separation. This framework makes sure communication between the sandboxed main app and the Privileged Helper Tool is transmitted securely. Additional checks are built in, such as code requirement validation and script permission/owner checks.
There are a few requirements:
- The value with the path to the Privileged Script (in `Action` and `OnAppearAction`) MUST be configured using a Configuration Profile. Values set with `defaults write` or while testing in Configurator Mode are not supported.
- The script must have one of the following owner/permissions:
  - Owner `root` and 755 permissions
  - Owner `_rmd` (ID 277), specifically scripts deployed using Service Background Tasks (Declarative Device Management)
  - Owner
- The script must have executable permissions
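The following is an added example, not part of Support App or its wiki: a deployment-side pre-flight check that a script satisfies the owner/permission rules listed above before its path is pushed out in a Configuration Profile. It implements only the rules as written on this page (root with exactly 755, or `_rmd` with the executable bit); how the Privileged Helper Tool itself validates scripts is not shown here, and the GNU `stat` branch is an assumption added so the check can also be exercised off a Mac.

```shell
#!/bin/sh
# Added example (not Support App code): check a script against the
# owner/permission requirements for Privileged Scripts listed on this page.

RMD_UID=277   # _rmd, owner of scripts deployed via DDM Service Background Tasks

# Strip leading zeros so "0755" and "755" compare equal ("0000" becomes "0").
normalize_mode() {
    m=${1#"${1%%[!0]*}"}
    printf '%s\n' "${m:-0}"
}

# evaluate_owner_mode UID MODE -> exit 0 when the pair is acceptable.
evaluate_owner_mode() {
    uid=$1
    mode=$(normalize_mode "$2")
    case "$uid" in
        0)  # root: the page requires exactly 755 (no setuid, no group/other write)
            [ "$mode" = "755" ] && return 0
            echo "owner root but mode $mode, expected 755" >&2; return 1 ;;
        "$RMD_UID")  # _rmd: the page only requires executable permissions
            case "$mode" in
                *[1357]??) return 0 ;;   # odd owner digit => owner execute bit set
            esac
            echo "owner _rmd but mode $mode lacks the owner execute bit" >&2; return 1 ;;
        *)
            echo "owner uid $uid is neither root nor _rmd ($RMD_UID)" >&2; return 1 ;;
    esac
}

# Print "UID MODE" for a file: BSD stat on macOS, GNU stat elsewhere
# (the GNU branch is an assumption, only there to run the check off-box).
stat_owner_mode() {
    case "$(uname -s)" in
        Darwin) stat -f '%u %Lp' "$1" ;;
        *)      stat -c '%u %a' "$1" ;;
    esac
}

# check_privileged_script PATH -> exit 0 when PATH meets the requirements.
check_privileged_script() {
    path=$1
    [ -f "$path" ] || { echo "$path: not a regular file" >&2; return 1; }
    info=$(stat_owner_mode "$path") || return 1
    evaluate_owner_mode "${info%% *}" "${info##* }"
}
```

Run it as `check_privileged_script /path/to/script.zsh` on the deployed file; a non-zero exit with the reason on stderr means the Privileged Helper Tool would be expected to refuse it.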
There are a couple of use cases where privileged scripts can help, for example to run a command or script with root privileges:
- Every time the Support App popover appears, populate Support App Extensions using `OnAppearAction`
  - Extension Attributes (Jamf Pro), by adding the commands that populate the Support App Extension to the EA
  - Show device compliance information, such as the macOS Security Compliance Project Failed Results Count
- Executing a background task by clicking on an item. Some examples:
  - Request an MDM check-in or inventory, depending on your Device Management Service
  - Requesting temporary admin permissions (for example in conjunction with SAP Privileges)
  - Collecting logs such as `sudo sysdiagnose` and sending the output somewhere else
  - Run device compliance remediation, such as the macOS Security Compliance Project Remediation Script
  - Any other action requiring root privileges, especially when users have standard permissions
By default, the Privileged Helper Tool is automatically enabled when using the PKG installer. To opt out, set the key DisablePrivilegedHelperTool to true at installation time. When the key is set, the Privileged Helper Tool will also be removed at launch of Support App. Please also note that the Privileged Helper Tool is a requirement for the App Catalog integration.
Additionally, the Support App app bundle comes with scripts to manually disable or re-enable the Privileged Helper Tool, for example when you accidentally used or misconfigured the DisablePrivilegedHelperTool key, or chose to (not) use it at a later time:
- Disable: `/Applications/Support.app/Contents/Resources/uninstall_privileged_helper_tool.zsh`
- Re-enable: `/Applications/Support.app/Contents/Resources/install_privileged_helper_tool.zsh`
You can run those scripts locally or via your Device Management Service. You can verify that the Privileged Helper Tool is enabled by checking the paths listed under File locations.
Support App installs some files related to the Privileged Helper Tool:
- Privileged Helper Tool: `/Library/PrivilegedHelperTools/nl.root3.support.helper`
- LaunchDaemon: `/Library/LaunchDaemons/nl.root3.support.helper.plist`
As Support App is able to execute scripts with elevated privileges, it needs to be used responsibly. Usually it is only needed for more advanced workflows, such as querying additional information in real time, interacting with other applications, and more. Treat it carefully and only use it when you really need elevated privileges.
Note: Only values from a Configuration Profile will be used. Values set by `defaults write` will be ignored, as they pose a potential security risk.