
Local Administrator Privileges

Application Information

SAP's Privileges application, together with the scripts and LaunchDaemons that implement a demotion service, will be installed on all Digital Mac endpoints. Privileges lets a user switch their own account from standard privileges to administrator privileges and back again.

Enforcement

In keeping with the principle of least privilege, users are encouraged to operate as standard users whenever possible. A user who has held administrator privileges for more than 20 minutes receives a notification offering to demote them to standard privileges. The user may elect to remain an administrator or to demote to standard. If they remain an administrator, the timer resets and the notification is repeated after another 20 minutes. If they elect to demote, their administrator privileges are revoked immediately.

Configuration Management and Access

The Privileges application will be installed and verified on all endpoints by Jamf Pro. If the application is removed, Jamf Pro will re-install it. Likewise, the Privileges demotion service will be installed and verified on all Mac endpoints by Jamf Pro. If the service is not running, Jamf Pro will restart it. Only selected users within the Digital Ground Control team, Digital leadership, JH Corp Service Desk, and JH Systems Administrators will have access to modify these policy configurations.

Logging and Review Process

DataDog will provide reporting on all privilege elevation and demotion events, as well as on each user's decision to remain an administrator or demote to standard. Jamf Pro will provide reporting on installed software, software versions, and running services. Reviews of this data will occur every quarter. Reviews will be tracked in a Jira project, and any data collected will be stored in a GitHub repository.

A review consists of acquiring samples from five machines to confirm all of the following are true:

  • Privileges.app is installed on the device.
  • The privileges demotion service is installed on the device.
  • The privileges demotion service is running.
  • The installed versions meet or exceed the current baseline versions.
  • Privilege elevation and demotion requests are functioning as expected, and logs are recorded.
    • This is a live test of the Privileges mechanism and therefore requires coordination with the end user. The test is facilitated by running a policy from Jamf Self Service.
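The checklist above can be scripted so that each sampled machine produces a consistent PASS/FAIL record for the Jira ticket. The script below is an added example written for this page; it is not part of the policy, of Jamf Pro, or of SAP's Privileges project. The LaunchDaemon label, the baseline version, and the PrivilegesCLI path are assumptions (placeholders to replace with the deployment's real values; the CLI path follows the Privileges 1.x bundle layout), and the sample `launchctl list` output is constructed so the parsing and version checks can be exercised off a Mac. The `live_test` function performs the elevation/demotion round trip directly with PrivilegesCLI, which is an assumed stand-in for whatever the Self Service policy actually runs.

```shell
#!/bin/sh
# Added example: scripted quarterly review checks for the Privileges baseline.
# Not from the policy page or SAP's Privileges project. Values marked
# "assumed" are placeholders for this example, not values taken from the page.

PRIVILEGES_APP="/Applications/Privileges.app"
PRIVILEGES_CLI="$PRIVILEGES_APP/Contents/Resources/PrivilegesCLI"   # assumed (Privileges 1.x layout)
DEMOTION_LABEL="com.example.privileges-demote"                       # assumed LaunchDaemon label
DEMOTION_PLIST="/Library/LaunchDaemons/${DEMOTION_LABEL}.plist"
BASELINE_APP_VERSION="1.5.3"                                         # assumed baseline version

# version_ge A B: succeed if dotted version A >= B, comparing each component
# numerically so that 1.10.0 >= 1.9.2 and 1.5 is treated as 1.5.0.
version_ge() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# daemon_state LABEL OUTPUT: classify LABEL in `launchctl list` output
# (columns: PID, last exit status, label; PID is "-" when no process is up).
# Prints "running", "loaded" (job present, no process) or "absent".
daemon_state() {
    printf '%s\n' "$2" | awk -v l="$1" '
        $3 == l { st = ($1 ~ /^[0-9]+$/) ? "running" : "loaded" }
        END { if (st == "") st = "absent"; print st }'
}

# app_version: CFBundleShortVersionString of the installed app (macOS only).
app_version() {
    defaults read "$PRIVILEGES_APP/Contents/Info" CFBundleShortVersionString 2>/dev/null
}

# review_endpoint: the static checks from the review list, one line each.
review_endpoint() {
    rc=0
    if [ -d "$PRIVILEGES_APP" ]; then echo "PASS Privileges.app installed"
    else echo "FAIL Privileges.app missing"; rc=1; fi

    if [ -f "$DEMOTION_PLIST" ]; then echo "PASS demotion LaunchDaemon installed"
    else echo "FAIL $DEMOTION_PLIST missing"; rc=1; fi

    state=$(daemon_state "$DEMOTION_LABEL" "$(sudo launchctl list 2>/dev/null)")
    case "$state" in
        running) echo "PASS demotion service running" ;;
        loaded)  echo "WARN demotion service loaded but has no running process" ;;
        *)       echo "FAIL demotion service not loaded"; rc=1 ;;
    esac

    v=$(app_version || :)
    if [ -n "$v" ] && version_ge "$v" "$BASELINE_APP_VERSION"; then
        echo "PASS Privileges.app $v meets baseline $BASELINE_APP_VERSION"
    else echo "FAIL Privileges.app version '$v' below baseline $BASELINE_APP_VERSION"; rc=1; fi
    return $rc
}

# live_test [USER]: the coordinated elevation/demotion test. Elevates with
# PrivilegesCLI, confirms admin-group membership, demotes, confirms removal.
# Run as the logged-in user, with their agreement; then confirm both events
# appear in DataDog, which this script cannot check for you.
live_test() {
    u=${1:-$USER}
    "$PRIVILEGES_CLI" --add || return 1
    dseditgroup -o checkmember -m "$u" admin >/dev/null || { echo "FAIL elevation"; return 1; }
    "$PRIVILEGES_CLI" --remove || return 1
    if dseditgroup -o checkmember -m "$u" admin >/dev/null; then echo "FAIL demotion"; return 1; fi
    echo "PASS elevation and demotion round trip for $u"
}

# Constructed sample of `launchctl list` output, used for the dry run below.
SAMPLE_LAUNCHCTL=$(printf 'PID\tStatus\tLabel\n412\t0\tcom.example.privileges-demote\n-\t0\tcom.apple.other\n')

if [ "$(uname -s)" = Darwin ]; then
    review_endpoint || echo "REVIEW: one or more checks failed; record the result in the Jira ticket"
else
    echo "Not macOS; dry run against constructed sample:"
    echo "demotion service state: $(daemon_state "$DEMOTION_LABEL" "$SAMPLE_LAUNCHCTL")"
fi
```

The version comparison is the part most often done wrong in review scripts (a plain string compare puts 1.10.0 before 1.9.2), so it is kept as a separate function. A `loaded` result is reported as WARN rather than FAIL because a LaunchDaemon that runs its script on an interval will legitimately show no PID between runs; whether that counts as "running" for the policy is a decision the reviewer should record.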

Published Date
9-1-22