
I know there have been many discussions around giving people temporary admin. I built two scripts: one gives the user admin access and creates a plist. The plist kicks off 30 minutes after it is added by the first script and runs a manual JSS trigger, which runs the second script to remove the admin rights. I have posted both scripts to my GitHub account. The links are below.

Give admin rights:
https://github.com/darklordbrock/scripts/blob/master/UW-Milwaukee/30minAdminJss.sh
Remove admin rights:
https://github.com/darklordbrock/scripts/blob/master/UW-Milwaukee/30minAdminJssRemoved.sh

I tried using this script but it never removed the admin rights. Any update on this?


What happens if the user adds themselves to the local sudoers when they have elevated themselves?


Changes I made/had to make.

  • writing out a .plist via shell redirection didn't seem to work on Mojave. Used PlistBuddy to write the .plist
  • switch to supported load/unload/enable/disable of LaunchDaemons
  • lowered time limit to 5 minutes
  • changed jamf binary path
  • substitute echo for printf
  • To Do: use sysadminctl instead of dseditgroup EDIT: I thought you could use sysadminctl as a drop-in replacement of dseditgroup. Guess you can't...

Note: changed stdout and stderr variables to sout and serr, respectively. My bad.

#!/bin/bash

U="$(who | grep console | awk '{ print $1 }')"
PPATH="/Library/LaunchDaemons"
PLIST="edu.uwm.uits.brockma9.adminremove.plist"
LOGDIR="/var/uits"
TIME=$(date "+Date:%m-%d-%Y TIME:%H:%M:%S")

# Build the LaunchDaemon plist with PlistBuddy (writing the XML via shell
# redirection did not work on Mojave). Each -c option is one PlistBuddy command.
mkadminremoved() {
    local label="$PLIST"
    local string0="/usr/local/bin/jamf"
    local string1="policy"
    local string2="-event"
    local string3="adminremove"
    local sout="$LOGDIR/${PLIST%.plist}.out"
    local serr="$LOGDIR/${PLIST%.plist}.err"

    plistbuddy() { /usr/libexec/PlistBuddy "$@"; }

    plistbuddy -c "add :Label string $label" \
               -c "add :ProgramArguments array" \
               -c "add :ProgramArguments:0 string $string0" \
               -c "add :ProgramArguments:1 string $string1" \
               -c "add :ProgramArguments:2 string $string2" \
               -c "add :ProgramArguments:3 string $string3" \
               -c "add :StandardOutPath string $sout" \
               -c "add :StandardErrorPath string $serr" \
               -c "add :StartInterval integer 300" \
               "$PPATH"/"$PLIST"
}


# Message to user that they have admin rights for 5 min.
/usr/bin/osascript <<-EOF
    tell application "System Events"
        activate
        display dialog "You now have admin rights to this machine for 5 minutes" buttons {"Let Me at it."} default button 1
    end tell
EOF

# Create launchd service to call the JSS policy that removes admin rights.
mkadminremoved

# Set the ownership and permissions launchd requires on the file just made.
chown root:wheel "$PPATH"/"$PLIST"
chmod 644 "$PPATH"/"$PLIST"

# Load the removal plist timer. "enable" takes only the service target
# (system/<Label>); the plist path is given to "bootstrap".
launchctl enable system/"$PLIST"
launchctl bootstrap system "$PPATH"/"$PLIST"

# Build log files in /var/uits.
[[ ! -d "$LOGDIR" ]] && mkdir "$LOGDIR"
printf "%s\n" "$TIME by $U" >> "$LOGDIR"/5minAdmin.txt
printf "%s\n" "$U" >> "$LOGDIR"/userToRemove

# Give the currently logged-in user admin rights.
/usr/sbin/dseditgroup -o edit -a "$U" -t user admin

I had to deal with temporary admin rights for a long time. It was a nightmare every time.

For me, this ended with a new app from SAP: https://github.com/SAP/macOS-enterprise-privileges


And the other side...

The ugly loop was used during testing. I decided to keep it for now.

#!/bin/bash

PPATH="/Library/LaunchDaemons"
PLIST="edu.uwm.uits.brockma9.adminremove.plist"

# First run (marker file present): remove the listed users from the admin group
# and delete the marker. Next run, one StartInterval later (no marker): tear
# down and delete the LaunchDaemon itself.
if [[ -f /var/uits/userToRemove ]]; then

    U="$(cat /var/uits/userToRemove)"

    for USER in $U; do
        printf "%s\n" "removing $USER from admin group"
        /usr/sbin/dseditgroup -o edit -d "$USER" -t user admin
        printf "%s\n" "$USER has been removed from admin group"
    done

    rm -f /var/uits/userToRemove

else

    printf "%s\n" "going to unload"
    launchctl disable system/"$PLIST"
    # Delete the plist before bootout: bootout terminates the job this script is
    # running under, so anything after it may never execute.
    rm -f "$PPATH"/"$PLIST"
    printf "%s\n" "Completed"
    launchctl bootout system/"$PLIST"

fi

@gda Nice one. Thanks.


@JPDyson super new to scripting and Jamf but is there any way you can change the time to 12 hours? By the way your script works awesome! Thank You All.


@meexiong

You need to change:

<key>StartInterval</key>
    <integer>1800</integer>

Which is 1800 seconds (30 minutes). To:

<key>StartInterval</key>
    <integer>43200</integer>

Which is 43200 seconds (12 hours).

StartInterval tells this LaunchDaemon to start every N seconds. It, in turn, executes what it is told to execute.


Instead of the timer counting down, can this script do an LDAP group lookup, give the users in that specific LDAP group admin rights, and remove them when the user is removed from the LDAP group?

Also, is there really a way to capture the logs from the time admin rights are activated until they end?

Sorry and Thank You for all the help.

NVM, it won't work the way we had it set up here. Thanks though.
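An added example, not code from this thread or from the linked scripts, that addresses two questions raised above: what if the user adds themselves to sudoers while elevated, and how to keep a record of what happened while the rights were active. It snapshots admin-group membership plus the sudoers files at grant time and diffs them at removal time, logging any drift under /var/uits. The dscl invocation and sudoers paths are macOS defaults; LOGDIR follows the thread's scripts, and the function and file names are my own.

```shell
#!/bin/bash
# Added example, not from the thread: record the privileged state when temporary
# admin is granted and report anything that drifted when it is revoked.
# Assumes macOS defaults for dscl and sudoers; LOGDIR matches the thread's scripts.
LOGDIR="${LOGDIR:-/var/uits}"
SNAP="$LOGDIR/admin-baseline.txt"

# Current privileged state as sorted "kind:value" lines: members of the admin
# group plus every non-comment line of /etc/sudoers and /etc/sudoers.d/*.
collect_state() {
    {
        /usr/bin/dscl . -read /Groups/admin GroupMembership 2>/dev/null \
            | sed 's/^GroupMembership: *//' | tr ' ' '\n' | sed 's/^/admin:/'
        cat /etc/sudoers /etc/sudoers.d/* 2>/dev/null \
            | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' | sed 's/^/sudoers:/'
    } | LC_ALL=C sort -u
}

# diff_state BEFORE AFTER: prints "+line" for entries only in AFTER and
# "-line" for entries only in BEFORE. Inputs are newline-separated strings.
diff_state() {
    local b a
    b=$(mktemp) && a=$(mktemp) || return 1
    printf '%s\n' "$1" | sed '/^$/d' | LC_ALL=C sort -u > "$b"
    printf '%s\n' "$2" | sed '/^$/d' | LC_ALL=C sort -u > "$a"
    LC_ALL=C comm -13 "$b" "$a" | sed 's/^/+/'
    LC_ALL=C comm -23 "$b" "$a" | sed 's/^/-/'
    rm -f "$b" "$a"
}

# Call at grant time (alongside dseditgroup -a).
save_baseline() {
    mkdir -p "$LOGDIR" && collect_state > "$SNAP"
}

# Call at removal time (before dseditgroup -d). Returns 1 if anything drifted,
# so the calling policy can flag the machine for review.
audit_since_grant() {
    local changes
    [ -f "$SNAP" ] || { echo "no baseline at $SNAP" >&2; return 2; }
    changes=$(diff_state "$(cat "$SNAP")" "$(collect_state)")
    [ -z "$changes" ] && return 0
    {
        printf '%s privilege drift while admin was held:\n' "$(date '+%Y-%m-%d %H:%M:%S')"
        printf '%s\n' "$changes"
    } >> "$LOGDIR/adminAudit.txt"
    return 1
}
```

Run save_baseline from the grant script right after dseditgroup adds the user, and audit_since_grant from the removal script before it takes the rights away.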