
This may be in the slides when they are posted. What is the Smart Group criteria for catching the computers that need to run removeTempAdmin.sh?

I don't believe @Andrina is using an SG to capture who needs it removed. She is doing it with a LaunchDaemon that is dropped when the user is granted temp admin. It's in the TempAdmin.sh script.



You could edit that TempAdmin.sh script to touch a file in /Library/Application Support/JAMF/Receipts and scope off of that if you want to keep track of them. You'd of course need to also remove that when you removed temp admin rights and re-run a recon.


I guess I'm confused on how removeTempAdmin.sh gets called from JSS. TempAdmin.sh creates the plist and grants the admin access. The LaunchDaemon then removes the admin access after the allotted time. I thought at that time the computer attempts to talk to the JSS to see if there are any policies to run, and because of a Smart Group, it runs the removeTempAdmin.sh to remove the plist. This may be me blending two different sessions or topics together though.


RemoveTempAdmin.sh gets called by the LaunchDaemon. It is a policy with a custom trigger. See this portion of the LaunchDaemon code in TempAdmin.sh:



<key>ProgramArguments</key>
<array>
    <string>/usr/sbin/jamf</string>
    <string>policy</string>
    <string>-trigger</string>
    <string>adminremove</string>
</array>


That is the meat of the LaunchD. It calls the jamf binary using the following syntax:



/usr/sbin/jamf policy -trigger adminremove


So you'd have to have your removal policy set to trigger off of "adminremove".



Make sense?
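For anyone wiring this up themselves, here is a complete LaunchDaemon that fires the custom trigger, as an added example that is not code from the thread or from TempAdmin.sh. The label name, the StartInterval delay and the output directory are assumptions so it can be exercised outside /Library/LaunchDaemons; in production it is written there as root.

```shell
#!/bin/sh
# Added example (not from the thread): build the LaunchDaemon plist that runs
# "jamf policy -trigger <name>" so the removal policy fires on that custom trigger.
# Assumed inputs: label, trigger name, delay in seconds, output directory.

# write_removal_daemon LABEL TRIGGER DELAY_SECONDS OUTDIR -> prints the plist path
write_removal_daemon() {
    label="$1"; trigger="$2"; delay="$3"; outdir="$4"
    # Reject anything that would break the XML or the jamf argument list.
    case "$delay" in ''|*[!0-9]*) echo "delay must be an integer" >&2; return 1;; esac
    case "$trigger" in ''|*[!A-Za-z0-9_.-]*) echo "bad trigger name" >&2; return 1;; esac
    plist="$outdir/$label.plist"
    cat > "$plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$label</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/sbin/jamf</string>
        <string>policy</string>
        <string>-trigger</string>
        <string>$trigger</string>
    </array>
    <key>StartInterval</key>
    <integer>$delay</integer>
    <key>RunAtLoad</key>
    <false/>
</dict>
</plist>
EOF
    # launchd refuses daemons that are group/world-writable; root:wheel 0644 is expected.
    chmod 644 "$plist"
    printf '%s\n' "$plist"
}

# daemon_trigger PLIST -> prints the trigger name the daemon passes to jamf
daemon_trigger() {
    sed -n '/-trigger/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}' "$1"
}
```

The removal policy that runs on the trigger is still responsible for unloading and deleting this plist, otherwise StartInterval keeps re-firing it.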


Yes! Thanks so much.


Exactly what Steve said 🙂 Thanks @stevewood