Require password to run policy from Self Service

Could you please provide some more background. Why can't you just scope it to the right users, just curious. :)

Wanting to use it for giving temporary admin access to Users. https://github.com/darklordbrock/scripts/blob/master/UW-Milwaukee/30minAdminJss.sh

The plan is to make the policy available in Self Service and can only be ran if User rings the Service Desk with the random number and Service Desk has the same policy to input the random numbers to generate a password to be given out to users. In this case, the password algorithm has to be the same. It doesnt have to be really secure just as long as its not easy for user to decrypt it.

we have many staff who are working outside of the network and we have a public facing JSS server.

It would likely be easier to have the Service Desk scope the user to a policy that gives them temporary admin, instead of adding the extra step. There are a few ways to do this, [this one](lhttps://www.jamf.com/jamf-nation/discussions/6990/temporary-admin-using-self-service) has worked for a lot of people.

Complete script below:

For user to run from Self Service

#!/bin/bash

Numbers=$((RANDOM%55555+11111))

#Generate the password by using basic math calculation. 
Password=$(expr $Numbers * 10)
Password2=$(expr $Password + 25)
Password3=$(expr $Password2 / 4)


#Display the random numbers and advising user to call Service Desk on xxxx
        dialog="$(osascript -e 'tell app "System Events" to display dialog "Verification is Required. Please Contact Service Desk on xx xxxx xxxx with this number '"$Numbers"' to get your Password to continue." buttons {"Ok", "Not Now"} default button "Ok"')"
        if [ "$dialog" = "button returned:Ok" ]; 
            then
                #prompt user for the password
                dialog2="$(osascript -e 'Tell application "System Events" to display dialog "Please enter your Password given by the Service Desk to enable the administrator access" default answer ""' -e 'text returned of result' 2>/dev/null)"
                #osascript -e 'tell application "System Events" to display dialog "'"$Numbers"' '"$Password3"' == '"$dialog2"'" buttons {"Acknowledge"} default button 1'
                if [ "$dialog2" == "$Password3" ];
                    then
                        #run policy
                        #osascript -e 'tell application "System Events" to display dialog "Password is right" buttons {"Acknowledge"} default button 1'
                        #sudo jamf policy -trigger sc_temp_admin
                        ##############
                        # This script will give a user 15 minutes of Admin level access.
                        # It is designed to create its own offline self-destruct mechanism.
                        ##############

                        # USERNAME=`who |grep console| awk '{print $1}'`
                        USERNAME=stat -f "%Su" /dev/console

                        # create LaunchDaemon to remove admin rights
                        #####
                        echo "<?xml version="1.0" encoding="UTF-8"?> 
                        <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> 
                        <plist version="1.0"> 
                        <dict>
                            <key>Disabled</key>
                            <true/>
                            <key>Label</key> 
                            <string>com.company.adminremove</string> 
                            <key>ProgramArguments</key> 
                            <array> 
                                <string>/Library/Scripts/removeTempAdmin.sh</string>
                            </array>
                            <key>StartInterval</key>
                            <integer>900</integer> 
                        </dict> 
                        </plist>" > /Library/LaunchDaemons/com.company.adminremove.plist
                        #####

                        # create admin rights removal script
                        #####
                        echo '#!/bin/bash
                        USERNAME=`cat /var/tempAdmin/userToRemove`
                        sudo /usr/sbin/dseditgroup -o edit -d $USERNAME -t user admin
                        rm -f /var/tempAdmin/userToRemove
                        rm -f /Library/LaunchDaemons/com.company.adminremove.plist
                        rm -f /Library/Scripts/removeTempAdmin.sh
                        exit 0'  > /Library/Scripts/removeTempAdmin.sh
                        #####

                        # set the permission on the files just made
                        chown root:wheel /Library/LaunchDaemons/com.company.adminremove.plist
                        chmod 644 /Library/LaunchDaemons/com.company.adminremove.plist
                        chown root:wheel /Library/Scripts/removeTempAdmin.sh
                        chmod 755 /Library/Scripts/removeTempAdmin.sh

                        # enable and load the LaunchDaemon
                        defaults write /Library/LaunchDaemons/com.company.adminremove.plist Disabled -bool false
                        launchctl load -w /Library/LaunchDaemons/com.company.adminremove.plist

                        # build log files in /var/tempAdmin
                        mkdir /var/tempAdmin
                        TIME=`date "+Date:%m-%d-%Y TIME:%H:%M:%S"`
                        echo $TIME " by " $USERNAME >> /var/tempAdmin/30minAdmin.txt

                        # note the user
                        echo $USERNAME >> /var/tempAdmin/userToRemove

                        # give current logged user admin rights
                        sudo /usr/sbin/dseditgroup -o edit -a $USERNAME -t user admin >> /var/tempAdmin/adduser.txt

                        # notify
                        /Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType utility -icon /Applications/Utilities/Keychain Access.app/Contents/Resources/Keychain_Unlocked.png -heading 'Temporary Admin Rights Granted' -description "
                        Please use responsibly. 
                        All administrative activity is logged. 
                        Access expires in 15 minutes." -button1 'OK' > /dev/null 2>&1 &
                    else
                        osascript -e 'tell application "System Events" to display dialog "Password is Incorrect!. Please re-run the program again with the right Password" buttons {"Ok"} default button 1'

                fi
        else
            osascript -e 'tell application "System Events" to display dialog "Please run the program again when you are ready" buttons {"Acknowledge"} default button 1'
            exit 0
        fi

For Service Desk to run to generate the passcode for the policy to run

#!/bin/bash

#Prompt for the number given by User
Numbers="$(osascript -e 'Tell application "System Events" to display dialog "Enter the Passcode given by the User" default answer ""' -e 'text returned of result' 2>/dev/null)"

#Generate the password by using $Numbers x Random Algorithm
Password=$(expr $Numbers * 10)
Password2=$(expr $Password + 25)
Password3=$(expr $Password2 / 4)

#display the password
if [ -n "$Numbers" ];
    then
        osascript -e 'tell application "System Events" to display dialog "Please give this password back to users '"$Password3"'" buttons {"Acknowledge"} default button 1'
        exit 0

    else
    osascript -e 'tell application "System Events" to display dialog "No input" buttons {"Acknowledge"} default button 1'
    exit 0
fi

OMG Lol worked like a charm. Wow. This is great. Khey thank you so much.

I spoke too soon. It granted admin rights fine but well after 15 minutes the user still had admin rights. I restarted about 30 minutes later and that user account still had admin rights.

I did notice that the time is set to 900 seconds which is 15 minutes but this line says echo $TIME " by " $USERNAME >> /var/tempAdmin/30minAdmin.txt

SO I changed it to 15minAdmin.txt

Not sure if that means or does anything.

Whats the script used for the sc_temp_admin trigger?

Thanks! @khey

Just to add to your post... The script would fail if multiple users are logged in. Causes the script to add all of the logged in users to the 30minAdmin.txt. The following will return current active user.

Replace USERNAME=who |grep console| awk '{print $1}' with USERNAME=stat -f "%Su" /dev/console

I must be missing something because this does not seem to work.

I have 2 policies in self service

one for user
one for helpdesk

users runs policy gets number
helpdesk gets number and returns number
user acknowledges and 2 files are generated in /var/tempadmin

user not made into admin
error in policy log is Group not found.

@sardesm can you cat /var/tempAdmin/30minAdmin.txt ? be sure it only has one username in there. i had _mbsetupuser lingering, and then multiple users logged in which will result in group not found as well

Restarted, did everything again and it seems to be working, weird.

Hi @sardesm ,

I think its got to do with OSX. When you granted user an admin privilege, there will be a pop up saying you need to restart for the access to take effect. This is not always required. When using the script above, it actually gives the user admin access without a restart and i have tested it by installing a pkg without restarting.

For me giving admin rights to user would be scary. I always think of what I would do given admin rights with my knowledge of the OS. We have lots of linux power users who use Macs and it wouldn't be that hard for them to figure how to remove any plan for me to take their access away again. Given basic internet search, they could easily remove themselves from jamf and go rogue....so admin rights to users scares me. Hopefully you guys trust your people.

@roiegat what you said is completely right. Again, our job as administrators is to support the users not restrict them. Most of the mac users are developers and they normally would have admin rights. I have no problem giving them admin rights as long as their apps are up to date.

this temporary admin right works best when users are often travelling and sometime they need to do some basic software install or update. i am currently working on setting up VNC over SSH tunnel so we dont have to give out the admin right.