System Settings

System Preferences was renamed to System Settings in macOS Ventura.

On macOS systems, users (Administrator and Standard) can customize System Settings based on their user type. Details about macOS-based customizations via System Settings can be found at https://support.apple.com/guide/mac-help/change-system-preferences-mh15217/mac.

Privilege Manager policies can provide application control to elevate or deny the execution of System Settings Panes. To elevate panes, a policy must have:

Delinea provides multiple built-in elevation policies:

  • Elevate Date & Time System Settings Pane (Sample)

  • Elevate Energy Saver/Battery System Settings Pane (Sample)

  • Elevate Lock Screen system Settings Pane (Sample)

  • Elevate Network System Settings Pane (Sample)

A Workstation Policy that elevates all of these common panes is available for use. There are also two onboarding policies for System Settings Panes:

  • Onboarding macOS - Silent Elevation of Printers & Scanner Settings for macOS

  • Onboarding macOS - Silent Elevation of Wi-Fi Settings for macOS

User-Based Behavior of System Settings Panes

The following behaviors are exhibited, based on policy conditions.

  • Without a policy: Standard users cannot make changes to System Settings Panes unless admin credentials are entered.

  • With a silent elevation policy: The user will open the System Settings Pane with the AuthorizationDB Rights included in the policy.

  • With a silent deny policy: The user will be unable to open the System Settings Pane.

  • With a Display Advanced Message Action elevation policy: The user will open the System Settings Pane, and the agent will preemptively close the pane. System Settings will be open with a blank pane. If a Warning, Justification, or Approval Message is in use, the respective dialog will open. If the user continues through the dialog, System Settings will close, and the pane will be reopened with the AuthorizationDB Rights described in the policy.

  • With a Display Advanced Message Action deny policy: The user will open the System Settings Pane, and if a Denied Message Action is in use, the user will be presented with the denied message. The pane will not open.

The following rules apply for policy managed panes:

  • If there is no policy for a given System Settings pane, the authorization aligns with its system default.

  • A pane's default authorization is restored when an associated policy is disabled or deleted.

  • Managed System Settings pane defaults are restored during an uninstall.

AuthorizationDB Rights for System Settings Panes

Previously, panes were elevated by using the Run as Root action. As of the 12.0.4 agent, panes are elevated using the AuthorizationDB Right Actions needed for each pane. This allows for more flexibility within the policies. You no longer need to wait for an agent release to update how to target a pane.
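
To confirm that pane defaults really are restored after a policy is disabled, deleted, or the agent is uninstalled, you can snapshot the relevant rights with `security authorizationdb read <right>` before deployment and compare them later. The script below is an added example, not Delinea code: it parses that command's XML plist output and reports security-relevant drift. The two right names and all plist contents are constructed samples, and which rights a given policy changes is an assumption to verify against your own policy.

```python
import plistlib

# Keys that decide who may obtain a right. Timestamps and version are ignored
# because they change whenever a right is rewritten, even with identical content.
SECURITY_KEYS = ("class", "rule", "group", "authenticate-user",
                 "allow-root", "session-owner", "shared", "timeout")

def load_right(xml_text):
    """Parse the XML plist printed by `security authorizationdb read <right>`."""
    entry = plistlib.loads(xml_text.encode("utf-8"))
    return {k: entry[k] for k in SECURITY_KEYS if k in entry}

def diff_rights(baseline, current):
    """Return {right: {key: (baseline_value, current_value)}} for drifted rights."""
    drift = {}
    for right in sorted(set(baseline) | set(current)):
        old, new = baseline.get(right, {}), current.get(right, {})
        changed = {k: (old.get(k), new.get(k))
                   for k in SECURITY_KEYS if old.get(k) != new.get(k)}
        if changed:
            drift[right] = changed
    return drift

def _plist(body):
    # Helper that wraps constructed keys in a minimal XML plist document.
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<plist version="1.0"><dict>' + body + '</dict></plist>')

# Constructed sample data, not captured from a real Mac.
ADMIN_ONLY = _plist(
    "<key>class</key><string>user</string>"
    "<key>group</key><string>admin</string>"
    "<key>authenticate-user</key><true/>"
    "<key>shared</key><true/>"
    "<key>modified</key><real>700000000.0</real>")
REWRITTEN_SAME = ADMIN_ONLY.replace("700000000.0", "750000000.0")
OPEN_TO_ALL = _plist(
    "<key>class</key><string>rule</string>"
    "<key>rule</key><array><string>allow</string></array>"
    "<key>modified</key><real>750000000.0</real>")

# Right names are assumed examples; substitute the rights your policies manage.
BASELINE = {"system.preferences.network": load_right(ADMIN_ONLY),
            "system.preferences.datetime": load_right(ADMIN_ONLY)}
CURRENT = {"system.preferences.network": load_right(REWRITTEN_SAME),
           "system.preferences.datetime": load_right(OPEN_TO_ALL)}

if __name__ == "__main__":
    for right, changes in diff_rights(BASELINE, CURRENT).items():
        print(right, changes)
```

A right that was rewritten with the same content is not reported; one left open to all users after its policy was removed is.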

Known Limitations

When System Settings opens, extensions for different System Settings Panes are triggered. The triggered extensions are different for each macOS version:

  • Ventura: Appearance, Apple Account, CDs and DVDs, Energy Saver, Mouse, Trackpad, Touch ID & Password

  • Sonoma: Appearance, Apple Account

  • Sequoia: Apple Account, General

Because of this, Delinea does not recommend targeting these panes with a Display Advanced Message Action.

Example

  1. The Elevate Common System Settings Panes workstation policy is duplicated and the Application Warning Message Action (HTML) is added.

  2. The policy is pushed to a macOS Ventura machine.

  3. When an end user opens System Settings, the Warning Message will pop up for Energy Saver.

This is because on Ventura, Energy Saver is triggered when System Settings opens.

Workarounds

  • If the user cancels the dialog, the message will be suppressed and the user can continue on as usual.

  • When elevating multiple System Settings Panes on macOS Ventura, separate the Energy Saver/Battery System Settings Pane (macOS) filter into a separate policy without a Display Advanced Message Action assigned.

  • Avoid using Display Advanced Message Actions on System Settings policies in general.