This may be in the slides when they are posted. What is the Smart Group criteria for catching the computers that need to run removeTempAdmin.sh?
Solved
Smart Group for MakeMeAdmin
+6Best answer by stevewood
I don't believe @Andrina is using an SG to capture who needs it removed. She is doing it with a LaunchDaemon that is dropped when the user is granted temp admin. It's in the TempAdmin.sh script.
You could edit that TempAdmin.sh script to touch a file in /Library/Application Support/JAMF/Receipts and scope off of that if you want to keep track of them. You'd of course need to also remove that when you removed temp admin rights and re-run a recon.
+38I don't believe @Andrina is using an SG to capture who needs it removed. She is doing it with a LaunchDaemon that is dropped when the user is granted temp admin. It's in the TempAdmin.sh script.
You could edit that TempAdmin.sh script to touch a file in /Library/Application Support/JAMF/Receipts and scope off of that if you want to keep track of them. You'd of course need to also remove that when you removed temp admin rights and re-run a recon.
+6I guess I'm confused on how removeTempAdmin.sh gets called from JSS. TempAdmin.sh creates the plist and grants the admin access. The LaunchDaemon then removes the admin access after the allotted time. I thought at that time the computer attempts to talk to the JSS to see if there are any policies to run, and because of a Smart Group, it runs the removeTempAdmin.sh to remove the plist. This may be me blending two different sessions or topics together though.
+38RemoveTempAdmin.sh gets called by the LaunchDaemon. It is a policy with a custom trigger. See this portion of the LaunchDaemon code in TempAdmin.sh:
<key>ProgramArguments</key>
<array>
<string>/usr/sbin/jamf</string>
<string>policy</string>
<string>-trigger</string>
<string>adminremove</string>
</array>That is the meat of the LaunchD. It calls the jamf binary using the following syntax:
/usr/sbin/jamf policy -trigger adminremoveSo you'd have to have your removal policy set to trigger off of "adminremove".
Make sense?
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.