Ok wow just after posting I came across https://www.jamf.com/blog/privilege-elevation-macos-security

This maybe what we need and something to test.

You can scope it to all the devices and limitations with the AD group of only the faculties. This way, the faculties will need to log in to Self Service to view the MMA. They can elevate them to administrators. It will be available on all the machines, only for the users in faculties, and they will need to log in to Self Service to view this. 

@GetCart3r  - Nice find with the Jamf blog! 👏

By the way, have you had a chance to try out SAP’s Privileges app? It might be worth checking out as an alternative. It’s open-source and designed specifically for scenarios like yours, where you need to give admin rights temporarily without compromising security for all users on the device.

Here’s the link if you want to take a look: https://github.com/SAP/macOS-enterprise-privileges

Let me know what you think if you try it out! 😊

Jamf Connect has recently added features to their relatively new make me and admin function. It can now ask for credentials and only grand the admin access if the credentials provided have specific IDP groups. 

We use CyberArk EPM to handle elevated permissions and the one off the situations where someone needs to be granted admin access. 

We use a script from here (JPDyson's), to grant temporary admin rights to a user (changed to 5 mins).

It is scoped to a computer on request, once per computer, in Self Service.

Not exactly what you are after but might help.

Definitely check out SAP's Privileges. I have been using this on a couple thousand Macs for years. I use PrivilegesDemoter, it includes SAP Privileges. I am testing out using Jamf Connect for admin elevation and Privileges version 2 is being worked on.