Mac Least Privilege Scanning

Pro Tips with Esben #20

Similar to the last two weeks, we're exploring how to scan agentless with the least amount of privileges possible. This time we're taking a look at Apple Mac.

When scanning with Lansweeper, admin privileges are often required to be able to scan all the details from the operating system. The specific requirements for scanning are always listed on the official requirements knowledgebase article but the required permissions can be limited a bit more if you're willing to spend the extra time or are forced to due to strict security policies.

Our IT team has documented how you can scan Apple Mac systems by providing it with specific permissions, however similar to the last two blog posts, I would personally recommend testing everything first, it's always possible something was missed. Additionally, since this isn't the recommended way of scanning, our support team will always refer you to our official documentation. Additionally, it is likely that new Apple Mac scanning features won't work without adjustments.

Mac Permission Configuration

The configuration is split up into two parts depending on if you scan your Apple Mac devices using a local user or a domain user.

Configuration for Local Users

1. Open a terminal window on the Mac.

2. Enable SSH with the following command:
sudo systemsetup -setremotelogin on

3. Check if the SSH access group already exists (line 1), if it does not, create it (line 2):
sudo dseditgroup -o read com.apple.access_ssh
sudo dseditgroup -o create -q com.apple.access_ssh

4. Create a local user group for the scanning accounts:
declare scanGroup='scanning_accounts'
sudo dscl . -create /Groups/$scanGroup
sudo dscl . -create /Groups/$scanGroup RealName 'Lansweeper scanning accounts'
lastGroupID=$(dscl . -list /Groups gid | awk '{print $2}' | sort -n | tail -1)
sudo dscl . -create /Groups/$scanGroup gid $((++lastGroupID)

5. Give the group SSH access:
sudo dseditgroup -o edit -a $scanGroup -t group com.apple.access_ssh

6. Create a new user:
declare username='scanner'
declare password='password'
sudo dscl . -create /Users/$username
sudo dscl . -create /Users/$username UserShell /bin/bash
sudo dscl . -create /Users/$username RealName $username
lastUserID=$(dscl . -list /Users UniqueID | awk '{print $2}' | sort -n | tail -1)
sudo dscl . -create /Users/$username UniqueID $((++lastUserID) # Use the next available UID for this user
sudo dscl . -create /Users/$username PrimaryGroupID 20 # Add the user to the staff group (regular user)
sudo dscl . -create /Users/$username NFSHomeDirectory /Users/$username
sudo dscl . -passwd /Users/$username $password
sudo cp -R /System/Library/User\ Template/English.lproj /Users/$username
sudo chown -R $username:staff /Users/$username

7. Add the user to the scanning accounts group:
sudo dscl . -append /Groups/$scanGroup GroupMembership $username

8. Give the scanning accounts group sudo access for system_profiler:
echo "%$scanGroup ALL=(root) /usr/sbin/system_profiler" | sudo EDITOR='tee -a' visudo

Configuration for Domain Users

1. Create a scanning user in your domain.

2. Create a domain group for the scanning accounts.

3. Add the scanning user to the newly created domain group.

4. Open a terminal window on the Mac.

5. Enable SSH:
sudo systemsetup -setremotelogin on

6. Check if the SSH access group already exists (line 1), if it does not, create it (line 2):
sudo dseditgroup -o read com.apple.access_ssh
sudo dseditgroup -o create -q com.apple.access_ssh

7. Create a local user group for the scanning accounts:
declare scanGroup='scanning_accounts'
sudo dscl . -create /Groups/$scanGroup
sudo dscl . -create /Groups/$scanGroup RealName 'Lansweeper scanning accounts'
lastGroupID=$(dscl . -list /Groups gid | awk '{print $2}' | sort -n | tail -1)
sudo dscl . -create /Groups/$scanGroup gid $((++lastGroupID)

8. Give the local scanning accounts group SSH access:
sudo dseditgroup -o edit -a $scanGroup -t group com.apple.access_ssh

9. Add the scanning accounts domain group to the scanning accounts local group:
declare adScanGroup='DOMAIN\GroupName'
sudo dseditgroup -o edit -a "$adScanGroup" -t group $scanGroup

10. Give the local scanning accounts group sudo access for system_profiler:
echo "%$scanGroup ALL=(ALL) /usr/sbin/system_profiler" | sudo EDITOR='tee -a' visudo

Esben from Lansweeper

About Esben

Technical Product Evangelist at Lansweeper

Maximizing IT Asset Management proficiency by empowering end-users to take full advantage of their toolset.

Share on facebook
Share on twitter
Share on linkedin
Share on reddit
Share on email

You may also like...

Try Lansweeper for Free

Learn why Lansweeper is used by thousands of enterprises worldwide.‚Äč