PrivilegedHelper

[erikng]

1. Would allow us to possibly help companies with standard users
2. Would be required to fulfill add "UMAD" functionality #34

[erikng]

To use a privileged helper tool the application and helper has to be signed by a valid deverloper certificate.

[erikng]

will need #53

[smithjw]

This would be a great feature as half my users are Standard users. When there are critical OS Updates available we need a way to get users (Standard and Admin) to upgrade and using the same front-end would lead to a better UX overall.

[abstertee]

I've added the logic and code needed for a privileged helper in my forked version here: https://github.com/abstertee/NudgeSwift/tree/main/Nudge-Helper

But we still need an Apple Signing cert and some details from that cert that need to be entered in some of the files.

[erikng]

@abstertee was the privileged helper to run scripts as root? I've done some research on Privileged Helpers and I don't see how they would solve point 1 in this issue.

[abstertee]

@erikng yes, the idea is that the privileged helper runs the script commands as root. The helper would help companies with standard users because the helper tool runs with root privilege while the app runs under the user's context.

[holzhannes]

I like the Idea very much. Maybe it is possible to use the tool macOS-enterprise-privileges just to give the user the rights to do a upgrade. For updates it seems to work with standard user rights as well.

[bradtchapman]

@erikng : now that the executable is properly signed and notarized, and issue #53 is closed (you mentioned it here), can you implement anything like this? Is it still on your roadmap?

SupportApp by Root3.nl has implemented a PrivilegedHelper to execute scripts.

[rustymyers]

Any thoughts on using code from @abstertee for privileged helper?

[erikng]

What would be the outcome after implementing it. I decided that I didn't want umad in this code base a while back.

[rustymyers]

The ideal outcome would be to allow standard macOS users to install major system upgrades (10.14->10.15) without needing to be elevated to admin permissions first. The privilegedhelper could be enabled with an optional launchdaemon.

[theirongiant82]

@rustymyers : If Mojave and Catalina are your expected use case—are those hypotheticals, or actual users?— do note that Nudge requires macOS 11 - 12 at minimum because of the reliance on Swift UI.

If you're trying to help standard users perform a major upgrade, consider the "eraseInstall" project instead.

[erikng]

I'm open to it but with the caveat that macOS 12 and higher only then not run it on macOS 15 and higher or whenever that feature came out for standard users.

That said I don't have a need for it in our environment and no time to work on nudge right now so someone would have to build it.

It's far easier to go the route mentioned above.

[rustymyers]

I'll look at other projects for assisting users in major upgrades. Thanks!