I am working on creating a "make me an admin" script. I know there are already some out there I can use, but I wanted to create this one myself. What I have working now is a script that will first check if the user is already an admin user. If they are, a Jamf Helper window will appear informing them that they are already an admin user. They can then dismiss the window by clicking "OK". The policy stops running after they click "OK". If they are a standard user, the script will elevate them to admin, and a Jamf Helper window will appear with a countdown to what ever time we define in parameter 4. Once the timer runs out, the script runs the command to remove admin rights. I have this working really well. Now I'm trying to add some extra features. What I want to do is detect any new admin users that the user who is elevated to admin creates. They may do this to circumvent our policy of keeping users setup as standard. I had one idea to output the current admin users to a text file before the user is elevated to admin. After the admin rights are removed, another text file is generated containing the current admin users. I wanted to use the "diff" command to detect the new admin users. I'm having trouble with this. I know there has to be a better way to check the current admin users before the user is elevated to admin, and then check for new admin users after we take the admin rights away. What's a good way to do this? Once I figure this out, I can do further testing and put this into production. Unlike other "make me an admin" scripts, this one does not create a launchdaemon to handle the removal of admin rights. I found that approach to not be as reliable as what I am using in this script. My script will demote he user back to standard as soon as the timer runs out.
How can I detect new admin accounts getting created?
+23
+17presume you've looked at this? https://github.com/SAP/macOS-enterprise-privileges
rolling you own on this is of course possible, but this maybe simpler..
+23presume you've looked at this? https://github.com/SAP/macOS-enterprise-privileges
rolling you own on this is of course possible, but this maybe simpler..
This looks interesting. I will check it out. I really wanted to do this myself. When I get this working as intended, I will happily share it with others. This one feature is the last thing I wanted to add to my script before I make it live.
+26This is absolutely a valid concern. However, I would not attempt to do this with CLI as you would need to be going through macOS Unified Logging for the information you want. What you really want is a SIEM log redirection tool to ship macOS's event logging, JAMF Protect can handle that. Ship macOS logs to your SIEM (like splunk) and configure alerts for these actions and many other things. Use the right tool for the job or have a bad time.
JAMF Protect's GitHub has some unified log filters which may give you some ideas.
jamfprotect/unified_log_filters at main · jamf/jamfprotect (github.com)
+23This is absolutely a valid concern. However, I would not attempt to do this with CLI as you would need to be going through macOS Unified Logging for the information you want. What you really want is a SIEM log redirection tool to ship macOS's event logging, JAMF Protect can handle that. Ship macOS logs to your SIEM (like splunk) and configure alerts for these actions and many other things. Use the right tool for the job or have a bad time.
JAMF Protect's GitHub has some unified log filters which may give you some ideas.
jamfprotect/unified_log_filters at main · jamf/jamfprotect (github.com)
I would absolutely LOVE it if my company would get on board with Jamf Protect, but I don't get to make that decision. I really appreciate the suggestions. Everyone here has always been very generous with their time and their knowledge. One thing I tried was to run the command to show all of the admin users before the user is promoted to admin. I had the output written to a text file. After the user is demoted back to standard, the command would run again, and create a new text file. The script would look for differences between the two text files and output the result that could be used to demote any new user to standard. If no new users were created no action would be taken. I actually had a version of this working before I got interrupted by a meeting!!!! I'm pretty good with scripts but I like to try new things to improve my skills. This project will help me do that and give me a new script to use in Jamf Pro.
This is the current version of the script without the check for new admin users created. It has worked several times for me without issue.
#!/bin/zsh
# Timer setting
tempSeconds="$4"
# Who is the current logged in user?
currentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{print $3}')
# Jamf Helper path
jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
# Check if the user is already an admin.
isAdmin=$(dseditgroup -o checkmember -m "$currentUser" admin | awk '{print $1}')
echo "Is "$currentUser" an admin? "$isAdmin"."
# If the user is already admin, display a message.
if [ "$isAdmin" = "yes" ]; then
echo "$currentUser is already an Admin"
"$jamfHelper" -windowType utility \\
-windowPosition ur \\
-title "YOUR TITLE HERE" \\
-heading "You are already an admin user" \\
-alignHeading middle \\
-description "You are already an admin user. If you are experiencing trouble please contact support." \\
-alignDescription natural \\
-icon "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/UnlockedIcon.icns" \\
-iconSize 36 \\
-button1 "OK" \\
-defaultButton 1
else
# Elevating user to admin.
echo ""$currentUser" is not an admin user"
echo "Elevating "$currentUser" to admin"
/usr/sbin/dseditgroup -o edit -a "$currentUser" -t user admin
# Display a window showing how much time is left as an admin using Jamf Helper.
echo "Displaying Jamf Helper window with timer."
"$jamfHelper" -windowType utility \\
-windowPosition ur \\
-title "YOUR TITLE HERE" \\
-heading "Temporary Admin Rights Granted" \\
-alignHeading middle \\
-description "Please perform your required tasks. Admin rights will be removed when the timer below ends." \\
-alignDescription natural \\
-icon "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/UnlockedIcon.icns" \\
-iconSize 36 \\
-button1 "Done" \\
-defaultButton 1 \\
-timeout "$tempSeconds" \\
-countdown \\
-countdownPrompt "Admin rights will be removed in " \\
-alignCountdown center
# Removing admin rights.
echo "Timer has ran out. Removing admin rights and running recon"
/usr/sbin/dseditgroup -o edit -d "$currentUser" -t user admin
/usr/local/jamf/bin/jamf recon
fi
exit 0
+13You could just block access to the Accounts Preferences, and not have to worry about additional admin accounts being created.
+23You could just block access to the Accounts Preferences, and not have to worry about additional admin accounts being created.
Great idea! I have done that in the past actually. My only worry is that you can create users from Terminal.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.