Admin access on your computer

Note

This policy only applies to Mac computers onboarded on or after October 20th, 2024. Existing users may continue using their accounts as normal - however, all machines will eventually follow this process as they are replaced.

Changes to Default User Privileges

Historically, when setting up a new Mac, the initial user account was automatically configured as an Administrator. This meant users had full administrative privileges by default, allowing them to:

• Modify system files and folder permissions
• Install applications requiring root privileges
• Change advanced system preferences
• Execute elevated commands (sudo)

To enhance security, new Mac user accounts will now be created with standard user privileges by default. This change helps protect both company data and your computer from potential risks associated with always-on administrative access.

Understanding User Privilege Levels

Standard User Capabilities

Standard users can:

• Run installed applications
• Access network resources
• Modify files they own
• Change basic system preferences
• Install applications in their user directory (~/Applications)

Administrator Privileges

Administrator access is required for:

• Installing applications system-wide (/Applications)
• Modifying system files and permissions
• Changing security-related system preferences
• Running commands with elevated privileges (sudo)
• Installing system extensions or drivers
• Modifying system-level certificates
• Changing network configurations requiring authentication

Using the Privileges Tool

When you need administrator access, follow these simple steps:

1. Click the green lock icon in the Dock
2. Click on “Request privileges”
3. Enter your account password or authenticate with Touch ID

Your account will temporarily have administrator privileges to complete your task. You may request access for any amount of time up to 90 minutes. These privileges will automatically expire after the time you selected or 90 minutes later.

Security Benefits

This configuration provides several security advantages:

1. Reduces the attack surface for malware and ransomware
2. Prevents unauthorized system modifications
3. Protects system-level configurations
4. Minimizes accidental system-wide changes
5. Creates an audit trail of administrative actions

Implementation

• This policy applies to all new Mac deployments
• Existing machines will have the Privileges tooled installed during scheduled updates however, existing user accounts will not be migrated to standard privileges
• The Privileges tool will be automatically installed and configured
• Standard user permissions remain sufficient for most business applications

Support

Contact IT if you:

• Need help with the Privileges tool
• Require permanent administrative access (requires IT approval)
• Experience issues with administrative elevation
• Have questions about specific permission requirements