PrivilegesDemoter v3
Please see the wiki for deployment information!
Version 3 includes the following enhancements:
- PrivilegesDemoter is no longer dependent on Jamf Pro.
- PrivilegesDemoter now uses just one script and one LaunchDaemon (as opposed to 2 of each in versions 1 and 2).
- The script preferences are controlled with a configuration profile (in the `blog.mostlymac.privilegesdemoter` domain).
- There is a JSON Schema available for configuring with Jamf Pro.
- You can now exclude multiple administrator accounts from demotion.
- The `_mbsetupuser` and `root` users are now excluded from demotion by default.
- Swift Dialog is now available as a notification agent in addition to IBM Notifier and Jamf Helper.
- You may now use a custom name for the IBM Notifier binary (if you have re-branded it for your organization).
- The demotion reminder threshold can now be set with a configuration profile separately from the SAP Privileges dock tile timeout.
- The main text in the reminder can be customized.
- You may now configure the user to be demoted silently without a notification at all.
- The demotion script now runs locally by default. If you would like it to run from Jamf Pro as it did in versions 1 and 2, you may configure it that way.
- You may now customize the Jamf trigger if demoting from a Jamf Pro policy.
- The script now allows for standalone elevation and demotion actions (without deploying SAP Privileges). Note: This requires an MDM with the ability to run scripts from a Self Service portal (like Jamf Pro).
- The script now includes several new options when running locally. Using the script alone you can elevate, demote, demote silently, print the current user's status, and calculate how much admin time has passed since the last time PrivilegesDemoter ran.