diff --git a/lib/vnet/setup_darwin.go b/lib/vnet/setup_darwin.go
index 688a39ff55c04..e967eb8f11b73 100644
--- a/lib/vnet/setup_darwin.go
+++ b/lib/vnet/setup_darwin.go
@@ -72,9 +72,11 @@ do shell script quoted form of executableName & `+
 		`" %s -d --socket " & quoted form of socketPath & `+
 		`" --ipv6-prefix " & quoted form of ipv6Prefix & `+
 		`" --dns-addr " & quoted form of dnsAddr & `+
+		`" --egid %d --euid %d" & `+
 		`" >/var/log/vnet.log 2>&1" `+
 		`with prompt "Teleport VNet wants to set up a virtual network device." with administrator privileges`,
-		executableName, config.SocketPath, config.IPv6Prefix, config.DNSAddr, teleport.VnetAdminSetupSubCommand)
+		executableName, config.SocketPath, config.IPv6Prefix, config.DNSAddr, teleport.VnetAdminSetupSubCommand,
+		os.Getegid(), os.Geteuid())
 
 	// The context we pass here has effect only on the password prompt being shown. Once osascript spawns the
 	// privileged process, canceling the context (and thus killing osascript) has no effect on the privileged
diff --git a/tool/tsh/common/vnet_darwin.go b/tool/tsh/common/vnet_darwin.go
index 05e849a973287..f98cd37c8b0b9 100644
--- a/tool/tsh/common/vnet_darwin.go
+++ b/tool/tsh/common/vnet_darwin.go
@@ -80,6 +80,12 @@ type vnetAdminSetupCommand struct {
 	ipv6Prefix string
 	// dnsAddr is the IP address for the VNet DNS server.
 	dnsAddr string
+	// egid of the user starting VNet. Unsafe for production use, as the egid comes from an unstrusted
+	// source.
+	egid int
+	// euid of the user starting VNet. Unsafe for production use, as the euid comes from an unstrusted
+	// source.
+	euid int
 }
 
 func newVnetAdminSetupCommand(app *kingpin.Application) *vnetAdminSetupCommand {
@@ -89,6 +95,8 @@ func newVnetAdminSetupCommand(app *kingpin.Application) *vnetAdminSetupCommand {
 	cmd.Flag("socket", "unix socket path").StringVar(&cmd.socketPath)
 	cmd.Flag("ipv6-prefix", "IPv6 prefix for the VNet").StringVar(&cmd.ipv6Prefix)
 	cmd.Flag("dns-addr", "VNet DNS address").StringVar(&cmd.dnsAddr)
+	cmd.Flag("egid", "effective group ID of the user starting VNet").IntVar(&cmd.egid)
+	cmd.Flag("euid", "effective user ID of the user starting VNet").IntVar(&cmd.euid)
 	return cmd
 }
 
@@ -104,6 +112,10 @@ func (c *vnetAdminSetupCommand) run(cf *CLIConf) error {
 		IPv6Prefix: c.ipv6Prefix,
 		DNSAddr:    c.dnsAddr,
 		HomePath:   homePath,
+		ClientCred: &daemon.ClientCred{
+			Egid: c.egid,
+			Euid: c.euid,
+		},
 	}
 
 	return trace.Wrap(vnet.AdminSetup(cf.Context, config))