@agrant
That sounds like a good way to do this. I like that I can let my help desk add the user to the static group.
Can you post your scripts on this?
Thanks
@agrant
Man this sounds legit. If you could compose a step by step guide here that would be awesome, I am interested in testing this method out myself as well.
@MikeF @JarvisUno
So the first script to elevate the current user:
#!/bin/sh
# Find the user currently logged in at the console
U=$(who | grep console | awk '{print $1}')
# Nobody at the console: nothing to elevate
[ -n "$U" ] || exit 1
# Give the current logged-in user admin rights
/usr/sbin/dseditgroup -o edit -a "$U" -t user admin
And the second script was from https://www.jamf.com/jamf-nation/discussions/21695/remove-local-admin-rights The actual script we used was:
#!/bin/sh
# This script removes all users except root and YOURADMINACCOUNTHERE from the admin group
# The "GroupMembership: " prefix is 17 characters, so the member names start at column 18
adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)
for user in $adminUsers
do
  if [ "$user" != "root" ] && [ "$user" != "YOURADMINACCOUNTHERE" ]
  then
    dseditgroup -o edit -d "$user" -t user admin
    if [ $? = 0 ]; then echo "Removed user $user from admin group"; fi
  else
    echo "Admin user $user left alone"
  fi
done
Replacing YOURADMINACCOUNTHERE with the name of your admin / management account. Hope this helps.
So just those two Policies > Scripts really & its working fine for us. I can post some more details if needed just lemme know.
@agrant Thank you for this. If I need to add more accounts that need to stay admins would the following work? I am not all that good at scripting. Appreciate it.
adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)
for user in $adminUsers
do
  if [ "$user" != "root" ] && [ "$user" != "YOURADMINACCOUNTHERE" ] && [ "$user" != "YOURADMINACCOUNTHERE" ] && [ "$user" != "YOURADMINACCOUNTHERE" ]
  then
    dseditgroup -o edit -d "$user" -t user admin
    if [ $? = 0 ]; then echo "Removed user $user from admin group"; fi
  else
    echo "Admin user $user left alone"
  fi
done
Yeh it looks like it will work. Hands up though - I'm not a scripting wizard.
I'd test it locally on your Mac to make sure it behaves like you expect before you upload to JAMF and push to any clients etc. Just to make sure.
@agrant Thanks for the scripts. We were able to run both successfully, however all prior restrictions set in the profile were all removed. For instance, I have several items in system preferences turned off for our students and those did not go back to being restricted. This is happening on the new M1 chip Macbook Airs, which I know have some more complicated security protocols. Any ideas??
@hannahnoble I would suggest looking into CyberArk EPM if you want granular control over what permissions a standard user has. For instance, you can remove their admin permissions and grant them access to System Preferences.
Hello Everyone,
I am running into an issue where I can run this script for users to have temp admin access for 15 minutes, but it doesn't remove the access after 15 minutes. I was also reading somewhere in Jamf that if you restart the computer or log out, that will also help to remove the user from temp admin access. If you don't do anything after that 15-minute or 30-minute window, it doesn't remove it until you restart or log off.
Does anyone know if this is because of the script, or do I have to do something different to get the user removed from admin access after 15 or 30 minutes?
This is the script I used, which is from the Jamf GitHub: https://github.com/jamf/MakeMeAnAdmin
Thank You
One thing to be aware of is that users with admin rights are able to create other users and give those admin rights...
I have a quick script which writes all existing admin accounts to a text file. Then, when the admin rights are removed or timed out, another script is run to do a comparison against the original admin users and move any new accounts back to standard accounts, then write these new accounts to an EA.
This helps me close this same loophole.
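The snapshot-and-compare approach described above, written out as an added example (this is not the poster's script). It records the admin group before rights are granted, and on expiry demotes any account that was not in the snapshot; the file paths, the MGMT_ACCOUNT variable and the `snapshot`/`reconcile` arguments are assumptions.

```shell
#!/bin/bash
# Added example, not the poster's script: snapshot the admin group before rights are granted,
# then after expiry demote any account added in the meantime and record it for an Extension Attribute.
SNAPSHOT="${ADMIN_SNAPSHOT:-/var/tmp/admin_members.before}"   # hypothetical paths
EA_FILE="${ADMIN_EA_FILE:-/var/tmp/admin_members.added}"
KEEP="root ${MGMT_ACCOUNT:-YOURADMINACCOUNTHERE}"              # accounts never demoted (management account as in the thread)

# Current admin group members, one per line (macOS only; same dscl read as the thread's script).
current_admins() {
  /usr/bin/dscl . -read /Groups/admin GroupMembership | sed 's/^GroupMembership: //' | tr ' ' '\n' | grep -v '^$'
}

# Pure helper: print each name in AFTER ($2) that is not in BEFORE ($1); both are newline-separated lists.
new_members() {
  local before="$1" u
  printf '%s\n' "$2" | while read -r u; do
    [ -n "$u" ] || continue
    printf '%s\n' "$before" | grep -qxF -- "$u" || echo "$u"
  done
}

# Pure helper: succeeds if $1 is one of the protected accounts in KEEP.
is_protected() {
  case " $KEEP " in *" $1 "*) return 0 ;; esac
  return 1
}

# Step 1: run when the user is elevated.
snapshot() { current_admins > "$SNAPSHOT"; }

# Step 2: run when rights expire. Demotes unexpected admins and appends them to EA_FILE.
reconcile() {
  local before u
  before=$(cat "$SNAPSHOT") || return 1
  new_members "$before" "$(current_admins)" | while read -r u; do
    is_protected "$u" && continue
    if /usr/sbin/dseditgroup -o edit -d "$u" -t user admin; then
      echo "$(date '+%F %T') $u" >> "$EA_FILE"
      echo "Demoted unexpected admin: $u"
    fi
  done
}

# Extension Attribute body: the accounts that were demoted, or NONE.
ea_report() { echo "<result>$(cat "$EA_FILE" 2>/dev/null || echo NONE)</result>"; }

case "${1:-}" in
  snapshot)  snapshot ;;
  reconcile) reconcile ;;
  ea)        ea_report ;;
esac
```

Run it with `snapshot` from the elevation policy and with `reconcile` from the policy that removes admin rights; `ea` is the body for the Extension Attribute script.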
We are going with the "MakeMeAnAdmin" script, though I was asked to also build out a mechanism in which the user would be required to enter the reason they are giving themselves temporary administrator rights.
I am using 3 different steps to accomplish this: 1) a MakeMeAnAdmin policy with a custom trigger, 2) a Self Service policy with a custom script which prompts the user for a reason (documents it in a file) and then triggers the MakeMeAnAdmin policy, and 3) an Extension Attribute which scrapes the "reason" file and populates that information in the device's Extension Attribute section. Since there is not a way (that I am aware of) to notify the Jamf admin when a policy is run, this also allows you to create a Smart Group (with email notifications on group change) notifying you when a user has run this policy.
I have tested this process, and it does work as I intended. As I would definitely classify myself as a scripting noob, please excuse any glaring mistakes with the code below. Hopefully this may help someone out in a similar situation.
Script to prompt for reason
#!/bin/bash
# Display dialog asking the user for the reason why they need administrator rights
adminReason=$(/usr/bin/osascript <<END
tell application "System Events"
activate
set the answer to text returned of (display dialog "You are about to be granted with temporary administrator rights. Please describe what you intend to do with your temporary admin rights." with title "Temporary Admin Rights" default answer "")
end tell
END
)
# While loop to have the user provide an answer of at least so many characters long
while true ; do
  [[ ${#adminReason} -ge 20 ]] && break
  echo "Sorry that string isn't long enough."
  adminReason=$(/usr/bin/osascript <<END
tell application "System Events"
activate
set the answer to text returned of (display dialog "You did not provide a sufficient answer. As you are about to be granted with temporary administrator rights. Please describe what you intend to do with your temporary admin rights." with title "Temporary Admin Rights" default answer "")
end tell
END
)
done
# Get current user (Python 2 one-liner; Apple removed /usr/bin/python in macOS 12.3, so a Python must be present)
loggedInUser=$(python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')
# Specify output file path
filepath="/Library/Application Support/companyName/Extension Attributes/"
# Get date & time
dt=$(date '+%m-%d-%y_%H:%M:%S')
# Check to see if the output folder exists
if [[ -d "${filepath}" ]]; then
  echo "Extension Attribute folder exists. Moving on."
else
  echo "Extension Attribute folder does not exist. Creating it now"
  mkdir -p "$filepath"
fi
# Create reason file (one line per request: date_user_reason)
file="${filepath}AdminReason.txt"
echo "${dt}_${loggedInUser}_${adminReason}" >> "$file"
# Run the temporary admin policy
/usr/local/jamf/bin/jamf policy -event tempAdmin
# Notify the user they have been granted temporary admin rights
osascript -e 'display dialog "You now have administrative rights for 15 minutes. DO NOT ABUSE THIS PRIVILEGE..." buttons {"I Understand"} default button 1'
exit 0
Extension Attribute scraping the "reason" file
#!/bin/sh
outputFile="/Library/Application Support/companyName/Extension Attributes/AdminReason.txt"
# Only read the file if it exists; otherwise report that admin rights were never requested
if [ -e "$outputFile" ]; then
  fileContent=$(cat "$outputFile")
  echo "<result>$fileContent</result>"
else
  echo "<result>NotGrantedAdminRights</result>"
fi
I like this approach, but the While True loop creates an endless loop of prompts if the user lets that display dialog time out.
I believe it's a minute or so before it times out.
The cancel button also does not work with the current setup.
Anyone with code savvy have a better approach for that input for admin request reasons?
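One way to handle the Cancel button and the dialog timeout, as an added example that is not code from the thread: the prompt fails cleanly when the user cancels or the dialog gives up, retries are capped, and the reason is logged in the same date_user_reason format before the tempAdmin trigger fires. The 60-second timeout, three-attempt cap, log path and the use of `stat -f%Su /dev/console` for the console user are assumptions.

```shell
#!/bin/bash
# Added example, not code from the thread: a reason prompt that stops on Cancel or
# dialog timeout and gives up after a fixed number of attempts instead of looping forever.
MIN_LEN=20                                   # minimum reason length, as in the original script
MAX_ATTEMPTS=3                               # bounded retries (assumption)
TIMEOUT_SECS=60                              # AppleScript "giving up after" value (assumption)
LOG_FILE="${REASON_LOG:-/tmp/AdminReason.txt}"   # hypothetical path; the thread used /Library/Application Support/companyName/...

# Pure check: accept a reason only when it is at least MIN_LEN characters long.
validate_reason() {
  [ "${#1}" -ge "$MIN_LEN" ]
}

# Ask once. Prints the text entered; returns 1 if the user pressed Cancel or the dialog timed out.
prompt_once() {
  local out
  out=$(/usr/bin/osascript 2>/dev/null <<END
set r to display dialog "$1" with title "Temporary Admin Rights" default answer "" giving up after $TIMEOUT_SECS
if gave up of r then error "timed out"
text returned of r
END
  ) || return 1
  printf '%s' "$out"
}

# Append one record in the thread's format (date_user_reason); creates the folder if needed.
log_reason() {
  mkdir -p "$(dirname "$LOG_FILE")" || return 1
  printf '%s_%s_%s\n' "$(date '+%m-%d-%y_%H:%M:%S')" "$1" "$2" >> "$LOG_FILE"
}

# Interactive flow: prompt, validate, log, then fire the tempAdmin trigger used in the thread.
main() {
  local attempt=1 reason
  while [ "$attempt" -le "$MAX_ATTEMPTS" ]; do
    reason=$(prompt_once "Please describe what you intend to do with temporary admin rights (at least $MIN_LEN characters).") \
      || { echo "Cancelled or timed out; admin rights not granted."; return 1; }
    if validate_reason "$reason"; then
      log_reason "$(/usr/bin/stat -f%Su /dev/console)" "$reason" || return 1   # console user (macOS stat syntax)
      /usr/local/jamf/bin/jamf policy -event tempAdmin
      return 0
    fi
    attempt=$((attempt + 1))
  done
  echo "No acceptable reason after $MAX_ATTEMPTS attempts; admin rights not granted."
  return 1
}
# Only run the dialog flow where osascript exists (macOS); the helpers above work anywhere.
if [ -x /usr/bin/osascript ]; then main; fi
```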
Is there a way to make myself a temporary admin for much longer than 30 minutes by changing the macOS date to, say, 2030?
In this case, Jamf is not connecting.
Can someone advise?
Thanks
Use the script above and change the amount of time to what you want.
Not sure I want to mess with scripts that way. I was thinking of changing the date before/whilst the script is running and then changing the date back.
Any advice?
Changing the date won't work; the script is only written for 30 minutes, unless you change the script that is.
Copy the script, leave one policy as a 30-minute script and then make the other however long you want. That'll give you a few options.
Advice is don't do that.
Advice is to modify, or copy, the script. That's what it is designed for.
FWIW, I have 5-minute, 60-minute, and 4-hour versions of the script. I scope them based on role.
We have this setup a slightly different way.
1) A policy > script to elevate the current user to admin, available in Self Service. This is scoped to a static group, 'admin users'. We manually add machines into this group when admin is needed, i.e. for software installs etc.
2) A policy > script that removes all users from the admin group, except for our management account. This is scoped to all machines. Triggered at startup.
Only machines that are in the static group have the elevate to local admin script available in self-service. Admin resets back to standard user on reboot for all machines at startup.
Works well for us - We often have a ticket open when someone needs temporary admin (Software installs etc) so we simply add their machine to the static group and remove it once they're finished.
If anyone needs the scripts let me know & I'll dig them out.
Do you have those 2 scripts by any chance?