I needed to challenge for an admin user/password to protect an area of a MacOS app I'm developing. After much pain and sorrow navigating the incredibly lacking and confusing Apple documentation, I got the basic challenge working with the below code:
func authenticateAsAdmin() -> Bool { guard let authorization = SFAuthorization.authorization() as? SFAuthorization, let right = NSString(string: kAuthorizationRuleAuthenticateAsAdmin).utf8String else { /* or maybe throw an error */ return false } do { try authorization.obtain( withRight: right, flags: [.extendRights, .interactionAllowed, .destroyRights] ) } catch { return false } return true }
Note I'm using the default kAuthorizationRuleAuthenticateAsAdmin
right, which means that I'm prompting for the generic system admin right. This means that with the above code I'm not able to customize the "Acme App wants to make changes"
message that appears in the dialogue. Creating a custom right apparently is the more recommended way to do this, but for my use case, this worked and I can accept the lack of ability to change the dialogue message.
The .destroyRights
flag means (I think) that the system doesn't hang on to the authentication for any length of time, ergo every time I call this function the user must enter an admin user/pass even if they just succeeded in doing so a few moments before. This is what I wanted for my app, but you can experiment with removing this flag.
In the thread where I was hashing this out on the Apple dev forum, Quinn helpfully posted some sample code for the lower-level (and extremely scantily documented, at least in Swift) AuthorizationCreate()
function, here's the link.
Important Note: This will not work if your app is sandboxed, because of privilege-escalation concerns. And if you forget to disable app-sandbox, you'll just get cryptic non-helpful permission denied errors that don't mention anything about app sandbox.
The Gertrude mac app helps you protect your kids online with strict internet filtering that you can manage from your own computer or phone, plus remote monitoring of screenshots and keylogging. $5/mo, with a 60 day free trial.