by Sam Mills (mostlymac.blog)

Note: PrivilegesDemoter.sh must be run as sudo or root

See the sidebar for more information -->

PrivilegesDemoter allows users to self manage local administrator rights, while reminding them not to operate as an administrator for extended periods of time. Additionally, each elevation and demotion event is recorded and saved to /var/log/privileges.log

PrivilegesDemoter is installed at /usr/local/mostlymac/PrivilegesDemoter.sh

The script has been designed to run standalone, or conjunction with SAP Privileges.

The script may be configured to notify users with IBM Notifier, Swift Dialog Jamf Helper, or demote users silently without a notification.

Previous versions of this script were designed to work with Macs enrolled in Jamf Pro with SAP Privileges installed and notified users with Jamf Helper or IBM Notifier. Versions 3.0 and higher have additional options for use with other agents and workflows.