I am utilizing macOS Sonoma (newest model, as of December 2024) and have a MacBook with the next configuration:
I’m the administrator account holder.
One other individual (a trusted individual) makes use of a normal account.
At present, the usual account doesn’t have administrator privileges, as revoking them appeared the most effective answer to forestall entry to a particular utility and shield the DNS configuration profile. Nonetheless, if there’s a solution to enable administrator privileges whereas nonetheless adhering to those restrictions, I am open to exploring less complicated options.
That is what I am making an attempt to attain:
Permit the usual account:
Set up macOS updates (e.g. safety patches, working system updates).
Replace particular apps, reminiscent of Spotify and GitHub-related apps, that aren’t routinely up to date by means of the Mac App Retailer.
Prohibit the usual account to:
Entry a particular utility (for instance, Apple Configurator or another utility you specify).
Delete or modify a DNS server setting set by means of a profile.
Extra concerns:
I do not need to log in as an administrator each time macOS or apps should be up to date.
I attempted utilizing sudo to provide particular permissions to the usual account for updates and different duties, however the instructions I attempted didn’t work as anticipated.
I do not need to use Apple Display Time as a result of the restriction interval (e.g. 1 minute restrict) is just not sufficient to forestall entry that I want to dam.
What I’ve tried to this point:
Take away administrator privileges from the usual account to keep away from workarounds.
I take advantage of a configuration profile to dam DNS settings, however I want the usual account to be unable to delete it.
Exploring sudo permissions for restricted scaling, however could not have carried out it appropriately.
I’ve examine instruments like Privileges by SAP (obtainable on GitHub), which permit momentary administrator rights, however I am unsure if that is the most effective answer. My predominant objective is to make this MacBook secure and on the similar time sensible for the usual consumer.
Key questions:
What’s one of the best ways to limit app entry and block DNS settings for the standard account whereas nonetheless permitting OS and app updates?
How can I correctly configure sudo to grant particular permissions to the usual account for duties like updating software program or putting in functions?
Are there higher instruments or workflows for this use case?
Any recommendation or step-by-step steering could be enormously appreciated!
