@teodle is this something you have implemented too?
How do you guys go about managing this or scaling this for larger devs?
No but maybe we should.
Haven't looked into scaling this but I'm sure it's possible.
@jcheLC Have you seen the SAP app Privileges? Link Here
@teodle How do you guys provide temp admin access, or are all your users basically admin (or at least, if they have admin, it won't be removed)?
@kerickson Yup, but it seems like a temp stopgap - is the usage trackable?
What's stopping the users from just running it all day and being admin basically all day? :(
Have you looked at the Jamf Connect PAM module?
https://docs.jamf.com/jamf-connect/1.6.0/administrator-guide/Pluggable_Authentication_Module_(PAM).html
@jcheLe
We have a promote-to-admin policy that can be applied to a single local user or all local users, but then someone has to remember to demote them back to standard users.
Jamf has this tool on their GitHub: MakeMeAnAdmin
@jchele ...could you provide a copy of that policy? Thanks!
@teodle would you mind sharing that policy? Thanks!
Hi everyone, my secadmin team wants to remove admin rights for all of my users. I initially thought that the Jamf Connect Login PAM module was able to do this, but I was mistaken. The PAM module only allows you to run sudo commands and use a cloud identity provider to enter your password. Since I couldn't use PAM, I created a simple script that makes it possible to run sudo commands without an admin account, based on all of the information you all provided. Thanks to everyone for pointing me in the right direction.
- Make sure to run this script with a Jamf policy
- I've included security features to prevent users from editing System Preferences, attempting to remove the Jamf binary, and editing the sudoers file.
#!/bin/bash
# Resolve the user currently at the console (empty at the login window); the one-liner needs the system python with PyObjC.
currentUser=$(python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')
# Nobody logged in: bail out rather than write a malformed sudoers entry.
[ -n "$currentUser" ] || exit 1 ## Failure
# Full sudo for the console user, minus a negated list. sudoers(5) warns that command negation is bypassable (e.g. by copying the binary), so treat it as a guard rail, not a boundary.
cat > /private/tmp/standard <<EOF
$currentUser ALL= (ALL) ALL
$currentUser ALL= !/usr/bin/passwd root, !/usr/bin/defaults, !/usr/sbin/visudo, !/usr/bin/vi /etc/sudoers, !/usr/bin/vi /private/etc/sudoers, !/usr/bin/sudo -e /etc/sudoers, !/usr/bin/sudo -e /private/etc/sudoers, !/usr/local/bin/jamf
EOF
# sudoers(5) expects drop-ins owned by root and mode 0440, and a syntax error in sudoers.d breaks sudo for everyone, so check the file before installing it.
visudo -cf /private/tmp/standard || exit 1 ## Failure
chown root:wheel /private/tmp/standard
chmod 440 /private/tmp/standard
mv /private/tmp/standard /etc/sudoers.d/standard
exit 0 ## Success
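Added example (not the poster's script, and not Jamf code): the script above interpolates the console username straight into a sudoers file, so a name containing sudoers syntax (spaces, commas, `=` or `!`) would change what the file grants. The functions below render the same kind of drop-in for a given account, refuse names outside a conservative character set, write the file with the 0440 mode sudo expects, and syntax-check it with `visudo -cf` when visudo is available. The target directory is a parameter so it can be exercised against a scratch directory; on a real Mac you would pass `/etc/sudoers.d` and run it as root. The shortened negation list and the file name `standard` are assumptions taken from the thread.

```sh
#!/bin/sh
# Build and install a sudoers.d drop-in for one account, refusing names that
# could smuggle extra sudoers syntax into the file.

# Print the drop-in for account $1 on stdout; return 1 if the name is not a
# plain account name. sudoers treats whitespace, ',', ':', '=', '!' and '#'
# specially, so only letters, digits, '.', '_' and '-' are accepted.
render_dropin() {
    user="$1"
    case "$user" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf '%s ALL=(ALL) ALL\n' "$user"
    # Assumed (shortened) negation list, mirroring the thread's approach.
    printf '%s ALL= !/usr/bin/passwd root, !/usr/sbin/visudo, !/usr/local/bin/jamf\n' "$user"
}

# Write the rendered drop-in for account $1 into directory $2 as "standard".
# The file is staged under a dotted name (sudo ignores names containing '.'),
# given mode 0440, checked with visudo when present, then moved into place.
install_dropin() {
    user="$1"
    dir="$2"
    tmp="$dir/.standard.tmp"
    render_dropin "$user" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 0440 "$tmp"
    # Only root can hand the file to root; sudo requires uid 0 ownership.
    if [ "$(id -u)" -eq 0 ]; then
        chown 0:0 "$tmp"
    fi
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
    fi
    mv "$tmp" "$dir/standard"
}
```

Usage: `install_dropin "$currentUser" /etc/sudoers.d` as root. A rejected name leaves nothing behind in the target directory, which matters when the caller is a management policy that will not look at the output.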