Using a non-admin account for security purposes

In addition, and arguably the best precaution, have a separate account with administrator rights and use that only to install software. The account you use on a daily basis should NOT have administrator rights. That way, if some malware wants to install something you will get a prompt to provide the administrator password and you can, and should, cancel immediately and investigate.

3 Likes

Security is a layered approach. And yes, running software from an account with the minimum privileges necessary for it to run (meaning a non-administrator for most things) is a key layer.

Under normal circumstances, you should never have to actually log in to an administrator account. As long as it exists (and Apple's GUI tools for user management won't let you delete the last administrator), then that's enough.

If you do anything that requires administrative privileges (e.g. install software or modify some system settings), you will be presented with an authentication dialog. Type in an administrator's short user-name and password and you're good to go.

The only downside here is that the sudo command (used from command-line shells to execute a single command as root) is only usable by users in the admin group (that is, administrators), using Apple's default configuration:

But you can work around that by explicitly granting yourself sudo access via its configuration mechanism. For example, I created a file /etc/sudoers.d/011_david which grants me sudo access without being in the admin group:

You can do the same on your system. Just replace "david" with the short user name of the account you normally use.

Note that sudo will still ask you for a password the first time you use it in a given session (and after about 5 minutes of not using it), so it's still pretty secure.

Or, if you don't want to do that, you can use the su command to switch your terminal session to another user (e.g. your admin user). Do what you need from there and then exit back again. For example (if your administrator account is named administrator):

$ su administrator
Password:

Enter the administrator account's password when prompted. You are now running as administrator (for that terminal session only). Do what you need from there, including use of the sudo command, as you require.

When you're done, exit from the su session:

$ exit

And you're back to your own account with its original permissions.

4 Likes

I have done this security practice - taken from old days of programming.

However I have found that Apple often wants the Administrator logon to be used instead of a user logon - something to do with Apple ID. Given Apple's claims about security prowess, I find Apple's inability to let users keep private their Administrator account details to be baffling. Moreover, Apple employees never explain to Mac purchasers the value of having a separate Administrator account.

In practice, with modern MacOS, I think having a separate account is a huge hassle with little security benefit. Yes, in theory, it's "more secure." But so much is locked away from user access these days, the admin accounts are easily secure enough that the difference is imperceptible. But if you use a non-admin account, you get lots of prompts to enter an admin username and password. As well as being a huge pain, I think this completely undermines the supposed extra security from running as a non-admin. You get conditioned to entering your admin username/password all the time, so this:

just seems normal and the average user is likely to simply enter the admin username/password.

I've yet to see a good argument for normal people to regularly run as a non-admin on modern MacOS. I think it's really a holdover from Unix & Linux in the past (where it was a very good idea not to use an admin account as a matter of course!). And I've certainly not seen any data that shows a real (as opposed to theoretical) benefit. If it's out there, I would be interested to see it, and am certainly open to being proved wrong.

4 Likes

I wonder what you are doing or what software you are running that is causing those 'lots of prompts'?
I can use my Mac with my standard account for weeks on end without getting any admin prompt. I only get those when I actively choose to do something that indeed requires admin access and entering the credentials then is no hassle at all for me.

4 Likes

Really? I only get these prompts when installing/upgrading software. I can't think of a time when I needed to provide these credentials for some other purpose.

I think the biggest reason is that admin users have read/write access to the /Applications folder. Which means they can install, remove and modify application software without any additional authentication.

If you're not an admin user, then you need to authenticate as a part of accessing anything in that location.

2 Likes

Include me in the group that rarely sees the authentication prompts.

Also when clicking on the padlock in a System Preferences pane.

2 Likes

I too have used a non admin account since macOS moved to UNIX. There is one thing Apple could do to make it more smooth though. As we get the prompt, let us use the fingerprint of our admin account.

Inspired by this thread, I just sent Apple feedback via Feedback - macOS - Apple

I'm with @jzw. I have never used a non-admin account on any Mac I own and administer.

I have never had any malware scanner constantly run in the background. Yuck.

I run Malwarebytes in its free version perhaps once a week and it has never reported anything odd. I believe I do this just to make myself feel good, but I doubt there's really good reason to run it. I keep up with Apple's security updates. And I honestly don't give two hoots about Win folks getting malware. They always end up getting something somewhere. Their choice.

I like what I've heard from Howard and friends about the new XProtect so far.

I am very cautious who I hand out my information to, usually minimize that, and I'm even more restrictive when it comes to accepting stuff from others, clicking on stuff, installing apps, etc. I rely heavily on malware and ad blockers when surfing.

I have never had any infection or malware issue on any Mac I own or administer. But sure, maybe it's all just because I always got lucky. :wink:

2 Likes

But I don't see the practical security benefits of this. Applications can be run from practically anywhere on MacOS, so this isn't going to prevent malware from running.

And I should clarify that obviously I'm not getting prompts if I'm doing general work or basic activities (e.g. writing, browsing, etc). But my memory from when I've tried using a non-admin account (and it's been a while now!) is that anytime I need to manage the system or do any development work, it gets irritating pretty quickly. It's not an insurmountable problem, but I still don't see what I'm gaining, so even marginal hassle makes it not worth it for me. And it would make remote support of others even harder, so I never recommend running from a non-admin account for family/friends.

3 Likes

As a long time sysadmin and computer security person… I would have to quote the knight from the Indiana Jones movie… he chose poorly. Nothing personal of course… and you're completely free to operate as you wish… but a non admin daily driver seems like a no brainer to almost all sysadmins.

Granted… Macs are much less susceptible to those sorts of things… but running a non admin daily driver costs you absolutely nothing and prevents potential bad things as well as oopsies. One can easily just provide the admin credentials when asked even logged in as non admin.

4 Likes

This is Apple's take on this subject:
"Administrators can create, manage, and delete other users; install and remove software; and change settings. For these reasons, an administrator should create a standard user account to use when administrator privileges are not needed. If the security of a standard user is compromised, the potential harm is far more limited than if the user has administrator privileges. If multiple people use your Mac, limit the number of users with administrator privileges."

https://support.apple.com/et-ee/guide/mac-help/flvlt003/mac

3 Likes

Howard Oakley has recently set out the difference between normal and admin account, noting that there's not really any extra security associated with normal accounts in modern MacOS.

(And @mjtsai has the same conclusion I did regarding non-admin accounts being more hassle than they're worth. :grin: Michael Tsai - Blog - Standard Mac User Accounts)

1 Like

While I agree with Howard and Michael's conclusions for those of us who are tech-savvy, I do not agree with the conclusions for the less technically inclined that share a computer. Uncontrolled software installation from sources outside of the Mac App Store by those who would simply "click through" with admin privileges without any realization of what they're doing is an exposure that I would like to mitigate for systems under my control. It's one thing if it is done by the owner of the computer. It's another thing if it's a shared computer or a computer that needs to be secured by a company.

The phrase "A man's got to know his limitations" comes to mind. And giving admin privileges to those that don't know their limitations is a prescription for disaster.

there's not really any extra security associated with normal accounts

Since you can authenticate with an admin account when needed… it just adds a second step to prevent any inadvertent stupidity from letting you be dumb. I've done it that way since the beginning of macOS X… but I do add my account to the sudoers file for terminal things… even though I need to keep redoing that after just about every update.

When it became evident my mother was suffering from dementia, I downgraded her to a regular user. She certainly can't remember an administrator's password and has forgotten anywhere to look for it. So in that limited case, the downgrade seems to have its intended benefit.

1 Like

To avoid system updates from clobbering your changes, don't edit /etc/sudoers. Instead, create a file in /etc/sudoers.d. The main sudoers file will include everything in there and Apple's installers don't wipe the contents.

In mine, I have a file that adds my and my wife's non-admin accounts. Changing names to protect the innocent, it looks like:

$ cd /etc/sudoers.d
$ cat 011_wifeandme 
# My wife and I can call sudo without being admins

david		ALL=(ALL) ALL
davidswife	ALL=(ALL) ALL
3 Likes
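As an added example (not from the thread or from any of its participants), here is a small POSIX shell script that builds a drop-in like the one above the safe way: it validates the user names, has visudo syntax-check the file before it lands in /etc/sudoers.d, and installs it with the 0440 root:wheel mode sudo requires. The user names and the 011_wifeandme file name are the thread's; the function names and the `--install` flag are my own.

```shell
#!/bin/sh
# Added example, not from the thread: install a /etc/sudoers.d drop-in safely.
# User names and the 011_wifeandme file name come from the thread; the
# functions and the --install flag are assumptions of this example.

# Accept only portable user names (letters, digits, '.', '_', '-'), so a stray
# space or shell metacharacter cannot corrupt the sudoers grammar.
valid_username() {
  printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9._-]*$'
}

# Emit the drop-in body: one "user ALL=(ALL) ALL" line per name, as in the thread.
sudoers_dropin() {
  printf '# Listed users may call sudo without being in the admin group\n\n'
  for u in "$@"; do
    valid_username "$u" || { echo "bad user name: $u" >&2; return 1; }
    printf '%s\tALL=(ALL) ALL\n' "$u"
  done
}

# Write the drop-in to a temp file, syntax-check it with visudo, then install
# it with the mode sudo demands. A typo in a live sudoers file can disable
# sudo entirely, which is why the check happens before the copy. Note that
# sudo skips files in sudoers.d whose names contain a '.' or end in '~'.
install_sudoers_dropin() {
  name=$1; shift
  tmp=$(mktemp) || return 1
  sudoers_dropin "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
  visudo -cf "$tmp" >/dev/null || { echo "visudo rejected $tmp" >&2; rm -f "$tmp"; return 1; }
  install -o root -g wheel -m 0440 "$tmp" "/etc/sudoers.d/$name" && rm -f "$tmp"
}

# Usage, run from an admin account (or via su, as described earlier in the thread):
#   sudo sh thisfile.sh --install   -> creates /etc/sudoers.d/011_wifeandme
if [ "${1:-}" = "--install" ]; then
  install_sudoers_dropin 011_wifeandme david davidswife
fi
```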

Don't edit sudoers

Thanks… did not know that so will add it and not worry about it anymore.