I’m using macOS Sonoma (latest version, as of December 2024), and I have a MacBook with the following setup:
I am the admin account holder.
A standard account is used by someone else (a trusted individual).
The standard account does not currently have admin privileges, as revoking them seemed like the best solution to prevent access to a specific app and protect the DNS configuration profile. However, if there’s a way to allow admin privileges while still achieving these restrictions, I’m open to exploring simpler solutions.
Here’s what I’m trying to achieve:
Allow the standard account to:
Install macOS updates (e.g., security patches, OS upgrades).
Update specific apps, like Spotify and GitHub-related apps, which are not automatically updated via the Mac App Store.
Restrict the standard account from:
Accessing one specific app (e.g., Apple Configurator or any other app I specify).
Removing or modifying a DNS server configuration set through a profile.
Additional Considerations:
I don’t want to log in as the admin every time macOS or apps need to be updated.
I attempted to use sudo to grant specific permissions to the standard account for updates and other tasks, but the commands I tried didn’t work as expected.
I do not want to use Apple Screen Time because the restriction period (e.g., 1-minute limit) is not sufficient to prevent the access I need to block.
What I’ve tried so far:
Removing admin privileges from the standard account to prevent workarounds.
Using a configuration profile to lock DNS settings, but I need it to be non-removable by the standard account.
Exploring sudo permissions for limited escalation, but I may not have implemented it correctly.
I’ve read about tools like Privileges by SAP (available on GitHub), which allow temporary admin rights, but I’m unsure if this is the best solution. My main goal is to make this MacBook secure while still being practical for the standard user.
Key Questions:
What’s the best way to restrict app access and lock DNS settings for a standard account while still allowing OS and app updates?
How can I properly configure sudo to give the standard account specific permissions for tasks like softwareupdate or app installations?
Are there better tools or workflows for this use case?
Any advice or step-by-step guidance would be greatly appreciated!
Discover more from TrendyShopToBuy
Subscribe to get the latest posts sent to your email.