This is by design. The icon is green and displays a locked padlock when you are a standard user. It looks like this:

The icon is orange and displays an unlocked padlock icon when you are an administrator. It looks like this:

Yes. By default, administrator privileges are granted for 20 minutes (if not configured otherwise). However, if necessary, you can configure Privileges not to remove administrator privileges by setting the expiration interval to Never in the app's settings.

No. Privileges cannot guarantee that elevated permissions will be removed from the user account at all or on any specific schedule.

Privileges is an application for macOS which allows users to work as a standard user for day-to-day tasks, by providing a quick and easy way to request administrator rights. Working as standard user instead of an administrator adds another layer of security to your Mac and is considered a security best practice. We believe all users, including all developers, can benefit from using Privileges.

Local administrators on macOS have extensive capabilities to make changes to a Mac. This can include but is not limited to completely removing the Privileges application and its support files.

Organizations should consider this when designing their client management, device compliance, security hardening, and auditing policies.

Local administrators on macOS have extensive capabilities to make changes to a Mac. This can include but is not limited to:

• completely removing the Privileges application and its support files
• removing other client management software and configurations
• creating a new administrator account or modifying existing user accounts
• making changes, such as resetting date/time on the Mac, to try to trick Privileges
• making changes when started up in the Recovery environment
• erasing the Mac, reinstalling macOS, installing or upgrading to a different macOS version, or starting up from a different partition or disk
• an already-resident malicious process detecting the elevated rights and making its own changes

Organizations should consider this when designing client management, device compliance, security hardening, and auditing policies. Controls, mitigations, defense-in-depth, reporting, and auditing suitable to each organization’s environments and threat models are needed. This is true with or without the use of the Privileges application.

No. Privileges cannot undo other changes made by a user - or processes acting as the user - when that user has elevated rights. Privileges does not track any action done while the user has elevated permissions.

Organizations should consider this when designing client management, device compliance, security hardening, and auditing policies.

Yes, if users have administrator-level elevated rights already, they can install Privileges themselves via the installer package.

Once Privileges is present on a Mac, a local user can try to run it. If this is a concern, consider this when designing client management, device compliance, security hardening, and auditing policies.

No. Privileges is an application for macOS which allows users to work as a standard user for day-to-day tasks, by providing a quick and easy way to request administrator rights. It is meant for human users logged in to local macOS user accounts.

Privileges uses the system log for logging. To see all logs for Privileges in the Console app, you can filter for processes that contain Privileges.

To see only the logging associated with changing admin rights in the Console app, you can filter for log messages containing SAPCorp.

To access the same logs from the command line, the log command can be used. To see all logs for Privileges using the log command, the following command can be used:

log show --style syslog --predicate 'process BEGINSWITH "Privileges"'

To see only the logging associated with changing admin rights, the following command can be used:

log show --style syslog --predicate 'process == "PrivilegesDaemon" && eventMessage BEGINSWITH
"SAPCorp: U"'

In this illustration you can get an overview of how the different app components communicate with each other:

We give away the stickers at events and conferences. If you can't catch us at one, you can order your own Privileges sticker sheet directly here:

🇪🇺 Europe
🇺🇸 U.S.