Tahoe - MakeMeAnAdmin Recently Stopped Working?

Is the shell environment on those devices zsh?

This may work for you. I wrote this a few months ago. It uses Jamf parameters 4 and 5. Parameter 4 is the length of time in seconds you want someone to be an admin. Parameter 5 allows you to activate a window to tell the user how long they will be an admin. Swift Dialog has to be installed for the window to launch. What should happen at the end of time you defined is that th user will be put back to standard and the launch daemon and script should be deleted. In the script there is a step to spawn a new process to handle the removal. 

#!/bin/zsh --no-rcs

:<<ABOUT_THIS_SCRIPT
---------------------------------------------------------------------------------------------------
Promotes current logged in user to admin for the number of seconds defined in parameter 4. 
If the user is already an admin, the script exits.

This script can be used with Self Service or be attached to a policy that needs for the user to
be temporarily elevated to admin. Use parameter 5 to specify if an alert window is needed to inform
the user when their temporary admin status will end. SWIFT DIALOG IS NEEDED FOR THE ALERT WINDOW.

Jamf Pro Parameters
4 - Enter time (in seconds) for how long a user is granted admin status
5 - Enter "yes" to display a Dialog window showing when admin status will end

VERSION 1

1/14/2026 | Howie Canterbury
---------------------------------------------------------------------------------------------------
ABOUT_THIS_SCRIPT

# Timer setting
tempSeconds="${4:-600}" # Defaults to 600 seconds (10 minutes) if nothing entered in parameter 4

# Admin access end time calculation
epoch_time=$(/bin//bin/date +%s)
admin_end_epoch=$(( "${epoch_time} + "${tempSeconds} ))
admin_end_time=$(/bin//bin/date -r ${admin_end_epoch} +%H:%M )

# Display message
display_message="$5"

# Launch daemon
launchDaemon="/Library/LaunchDaemons/com.eleven9.tempadmin.plist"

# Demote user script
tempAdminScript="/Library/Scripts/temp_admin.sh"

# Who is the current logged in user?
currentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{print $3}')

# Check if user is already an admin
isAdmin=$(dseditgroup -o checkmember -m "$currentUser" admin | awk '{print $1}')

# Function for displaying message to user about temp admin status
display_dialog() {
	/usr/local/bin/dialog \
	-p \
	-o \
	--bannertitle "Temporary Admin Granted!" \
	--bannerheight "50" \
	--titlefont "colour=white,size=18,shadow=1" \
	--bannerimage "colour=green" \
	--icon "SF=person.badge.shield.checkmark.fill,colour=green" \
	--iconsize "150" \
	--appearance "light" \
	--message "Your temporary admin access will end at ${admin_end_time}. \n\n**Click OK to continue.**" \
	--messageposition "centre" \
	--height "250" \
	--width "500" \
	--button1text "OK" \
	--timer "20"
}

# Promote user to admin if not an admin and install launch daemon and script to demote to standard
if [[ "$isAdmin" == "no" ]]; then
	# Promote user to admin
	echo "Promoting "${currentUser}" to admin..."
	dscl . -append /groups/admin GroupMembership "${currentUser}"

	# Check if display message is activated
	if [[ "$display_message" == "yes" ]]; then
		display_dialog
	else
		echo "Display message is not needed. Continuing..."
	fi

	# Create temp admin script to demote user to standard
	tee "$tempAdminScript" >/dev/null << "EOF"
	#!/bin/zsh --no-rcs

	log_file="/private/var/log/temp_admin.log"

	currentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{print $3}')

	echo "$(/bin/date +'%Y-%m-%d %H:%M:%S') - Removing "${currentUser}" from admin group..." >> "$log_file"
	/usr/sbin/dseditgroup -o edit -d "${currentUser}" -t user admin

	echo "$(/bin/date +'%Y-%m-%d %H:%M:%S') - Running inventory" >> "$log_file"
	/usr/local/jamf/bin/jamf recon

	echo "[$(/bin/date +'%Y-%m-%d %H:%M:%S')] Scheduling self-delete..." >> "$log_file"
	# Can't reliably delete ourselves while running; spawn a helper to delete after exit
	/bin/sh -c "sleep 2; /bin/rm -f '$self'" >> "$log_file" 2>&1 &
EOF
	# Set permissions and ownership for script; set script to executable
	/usr/sbin/chown root:wheel "$tempAdminScript"
	/bin/chmod +x "$tempAdminScript"

	# Create launch daemon
	echo "User is not an admin. Promoting to admin. User will be demoted in "${tempSeconds}" seconds; "${admin_end_time}"."
	cat << EOF > "$launchDaemon"
	<?xml version="1.0" encoding="UTF-8"?>
	<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
	<plist version="1.0">
	<dict>
		<key>Label</key>
		<string>com.eleven9.tempadmin</string>
		<key>ProgramArguments</key>
		<array>
			<string>/bin/zsh</string>
			<string>-c</string>
			<string>/Library/Scripts/temp_admin.sh</string>
		</array>
		<key>StandardOutPath</key>
		<string>/private/var/log/TempAdminLaunchD.log</string>
		<key>StandardErrorPath</key>
		<string>/private/var/log/TempAdminLaunchDError.log</string>
		<key>RunAtLoad</key>
		<false/>
		<key>StartInterval</key>
		<integer>${tempSeconds}</integer>
		<key>UserName</key>
		<string>root</string>
	</dict>
	</plist>
EOF
	# Set permissions for launch daemon
	chmod 644 "$launchDaemon"
	chown root:wheel "$launchDaemon"

	# Load launch daemon
	/bin/launchctl bootstrap system "$launchDaemon"
else
	echo "User is ALREADY admin! Are you stupid or something?"
	exit 0
fi

Nothing to my knowledge has been adjusted regarding policies, so I’m really hoping nothing related to the shell environment has changed.  Is there a way I could confirm this setting directly in jamf?

While I appreciate the alternate script, I’m moreso wondering if anyone else is having issues with the default jamf provided solution. 

If I have to move to another solution, I suppose I could just roll with the Self Service + and partial Jamf Connect configuration that I confirmed was working, I just don’t know why the original method that worked for months just suddenly broke.  The not knowing why is what is currently confusing me.

Wasn’t sure if in the move from Self Service to Self Service + if something regarding the original workflow was broken.  I may be phrasing this badly - hopefully this makes sense.

What my script does is pretty much the same thing that Jamf’s is doing. I have not used their script, so I don’t know if it works with Tahoe. I don’t see anything in it that would make it not work. I like that their script outputs a log of what the user did during the time they were an admin. Can you post what you see in the policy log? For executing policies, Self Service+ won’t really be different. It should not matter if the user runs the policy through the old or new Self Service.

Yeah, I figured for executing policies that it should be pretty much the same workflow.  I suppose that’s why I’m confused on why it suddenly stopped working. 

The policy log for one of the failed devices is showing the two below results:

And then the second:

Then the second device I mentioned having the issue is also reporting an issue with the group, as shown below:

Both devices had recently gone through new device setup, so the _mbsetupuser makes sense in that regard.  But it’s acting like the administrator group on each device isn’t there? 

Suppose that is why I was thinking maybe something regarding Self Service + rollout might be related, as I can confirm the built in elevation in the menu bar does work despite this suddenly no longer working.

Configuring macOS Privilege Elevation in Self Service+ • Jamf Connect Documentation • Jamf Learning Hub

I just ran Jamf’s script locally on my MacBook Pro using CodeRunner. I changed the current user variable to the name of a test account I created on my Mac as a standard user. To save time, I set the time as admin to 120 seconds. I ran the script and saw that the test user was elevated to admin. Two minutes later the user was set back to a standard account. The only flaw I found was that they delete the user to remove file before the log collection. That will break the command.