I can think of a couple approaches off the top of my head, so I'll babble through them and see if anything sticks for you:

• Create an extension attribute that looks for the existence of a file and reports true if found
• Have the restriction scope include a smart group where we (programmatically) will store the people who need access
• Put a policy in Self Service that "touch"es the file in step one and then updates inventory
• The smart group then sees the computer has the extension attribute and excludes them from the restriction
• Then some other policy or process removes the file and re-updates inventory taking them back out of the exclusion smart group

This could also be done by having a script that directly sets/unsets the extension attribute via an API call. That would be faster but requires comfort and fluency with API scripting.

Does that make sense? Essentially, you are right: we are using the temporary admin process, but instead of running a script to promote/demote the user, we are populating a smart group that excludes the computer from being restricted.

I've done something like this for a couple of clients in the past, so let me know if you have questions about my idea.

Good luck!

Interesting! I think that may work. I’ll do some testing. Thanks!

Hi, @mwu1876,

With JNUC fresh in mind, I remembered to pop back into Jamf Nation and saw a reply I had missed. Were you able to get it working the way you wanted?