Elevating Xcode

Xcode relies on two authorizationdb rights to provide certain aspects of its functionality:

  • The acknowledgment of the license agreement upon first run after being installed.
  • The ability to install iOS simulators.

Agree to License Agreement

By default, the right Xcode uses for agreeing to the license agreement requires the user to be in the Administrators group and prompts for admin credentials.

To elevate this aspect of Xcode, create a policy that targets Xcode and uses the Xcode FLE Authorization Right (com.apple.dt.Xcode.LicenseAgreementXPCServiceRights) as its Authorization DB Right Name.

Advanced message actions such as Approval, Deny, Justification, or Warning should not be used in conjunction with this action.

  1. Using the Policy Wizard, create a controlling policy, click Next Step.

  2. Select Elevate, click Next Step.

  3. Select Run Silently, click Next Step.

  4. Select Executables, click Next Step.

  5. Select Modify Authorization Database, click Next Step.

  6. Select Existing Filter, search for and use an App Bundle filter that targets Xcode. If one doesn't exist, create it.

  7. Click Update.

  8. Click Next Step.

  9. Name your policy, add a description.

  10. From the Right Name drop-down, select Xcode FLE Authorization Right (com.apple.dt.Xcode.LicenseAgreementXPCServiceRights).

  11. Click Create Policy.

  12. Set the Inactive switch to Active.

  13. Next to Deployment click the i icon and run the Resource and Collection Targeting Update task.

What to Expect on the Endpoint

  • With a policy in place and effective, a standard user who runs Xcode for the first time is prompted only to agree to the license agreement.

  • Without a policy in place, a standard user who runs Xcode for the first time is prompted to agree to the license agreement. Clicking Agree results in the user being asked to provide admin credentials.

Install iOS Simulators

To install iOS Simulators, Xcode uses a right that requires the user to be in the admin group. By default, a standard user who tries to install an iOS simulator is prompted to enter admin credentials.

To elevate this aspect of Xcode, create a policy that targets Xcode and uses the Install Apple Software Authorization Right (system.install.apple-software) as its Authorization DB Right Name.

You can add this right to a policy that already targets Xcode to elevate the license agreement with the Xcode FLE Authorization Right (com.apple.dt.Xcode.LicenseAgreementXPCServiceRights), or you can create a separate policy that targets Xcode and this Authorization DB Right Name specifically. The steps below create the separate policy.

Advanced message actions such as Approval, Deny, Justification, or Warning should not be used in conjunction with this action.

  1. Using the Policy Wizard, create a controlling policy, click Next Step.

  2. Select Elevate, click Next Step.

  3. Select Run Silently, click Next Step.

  4. Select Executables, click Next Step.

  5. Select Modify Authorization Database, click Next Step.

  6. Select Existing Filter, search for and use an App Bundle filter that targets Xcode. If one doesn't exist, create it.

  7. Click Update.

  8. Click Next Step.

  9. Name your policy, add a description.

  10. From the Right Name drop-down, select Install Apple Software Authorization Right (system.install.apple-software).

  11. Click Create Policy.

  12. Set the Inactive switch to Active.

  13. Next to Deployment click the i icon and run the Resource and Collection Targeting Update task.

What to Expect on the Workstation

  • With a policy in place and effective, when a standard user attempts to install an iOS simulator, the install begins without prompting for credentials.

  • Without a policy in place, by default, a standard user who attempts to install an iOS simulator is prompted for admin credentials.

Enabling Developer Mode

By default, Xcode's Developer mode is disabled. When disabled, Xcode will prompt for admin credentials when the debugger or performance analysis tools are used to examine a process. If the user is a member of the _developer group, the user will be prompted for their credentials instead.

The man page for DevToolsSecurity says:

"This tool changes the security authorization policies for use of Apple-code-signed debugger and performance analysis tools on development systems.

On normal user systems, the first time in a given login session that any such Apple-code-signed debugger or performance analysis tools are used to examine one of the user's processes, the user is queried for an administrator password for authorization. Use the DevToolsSecurity tool to change the authorization policies, such that a user who is a member of either the admin group or the _developer group does not need to enter an additional password to use the Apple-code-signed debugger or performance analysis tools." (macOS system man page quote)

Depending on your requirements, you can address the issue of the user being prompted for admin credentials by adding your users to the _developer group via LSS. If you wish to enable Developer mode and avoid the dialog entirely, you can create a scheduled command (client task) in Privilege Manager to run the DevToolsSecurity command and enforce it on specific workstations based on the LSS group membership.
