Jamf Connect 2.35 + Requesting admin privileges

CraftyCilantro5
New Contributor III

Hello everyone,
Pretty new to Jamf, so please excuse me.
We are in the process of using Jamf Connect to elevate access; currently still testing.

I had one test machine that was running 2.34. Elevated access was working and I had about ~3 minutes left of admin access, then our Jamf Connect policy decided to trigger (upon check-in) and upgraded to 2.35. All of a sudden the request admin button via Jamf Connect does nothing. I checked 2 other Macs that were running 2.35 and both are experiencing the same: requesting admin rights does nothing.

Opening Jamf Connect to collect logs, I see one error that stands out:

Process: Jamf Connect, Category: PrivilegeElevation, Contents: Elevation failed, role base elevation is active but OIDCAdminAttribute is not set

And this is where it gets weird for me: initially our OIDCAdminAttribute was set to role.
After it broke, Jamf support told me that is incorrect and to change it to either groups or roles, and to delete the Jamf Connect state plist on every change (role > groups > roles). However, none seem to work, so I removed OIDCAdminAttribute entirely but still receive the same error:

Process: Jamf Connect, Category: PrivilegeElevation, Contents: Elevation failed, role base elevation is active but OIDCAdminAttribute is not set

I'm currently still talking with support to figure it out, but any and all help would be useful.

Thank you!

1 ACCEPTED SOLUTION

CraftyCilantro5
New Contributor III

FIX:
The release notes led me to believe that somehow our testing was working but only because it was unintentionally working.

  • Users no longer have unintended access to the privilege elevation feature if role-based elevation is configured using the User Promotion Role (UserPromotionRole) setting and the Admin Attribute (OIDCAdminAttribute) setting is not configured.

I was missing something... how can I make sure that it's intentionally working? By adding a verification.
So, I looked through the Jamf Connect configuration and there it was: verify user promotion. I added it to the plist:

<key>VerifyUserPromotion</key>
<true/>

And now it's working!
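
A pre-deployment check for the condition named in the release note and the logged error, as an added example that is not part of the original thread or Jamf's own tooling. The sample plist, the `ExampleSection` container and the role value are constructed; because the thread does not show where the keys sit in the profile, the check searches the whole plist for each key name.

```python
import plistlib

# Constructed sample payload. "ExampleSection" is a hypothetical container,
# used only to show that nested keys are found as well.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>ExampleSection</key>
    <dict>
        <key>UserPromotionRole</key>
        <string>example-admin-role</string>
    </dict>
</dict>
</plist>"""


def find_key(node, key):
    """Return the first value stored under `key` anywhere in the plist, else None."""
    if isinstance(node, dict):
        if key in node:
            return node[key]
        children = list(node.values())
    elif isinstance(node, list):
        children = node
    else:
        return None
    for child in children:
        found = find_key(child, key)
        if found is not None:
            return found
    return None


def lint_elevation(plist_bytes):
    """List mismatches between the three elevation keys discussed in this thread."""
    cfg = plistlib.loads(plist_bytes)
    role = find_key(cfg, "UserPromotionRole")
    attr = find_key(cfg, "OIDCAdminAttribute")
    verify = find_key(cfg, "VerifyUserPromotion")
    findings = []
    if role and not attr:
        # The combination the 2.35 release note and the log line both describe.
        findings.append("UserPromotionRole set, OIDCAdminAttribute missing")
    if role and verify is not True:
        # The key the accepted solution added to the plist.
        findings.append("VerifyUserPromotion is not true")
    return findings


if __name__ == "__main__":
    for finding in lint_elevation(SAMPLE_PLIST):
        print("WARN:", finding)
```

Running it against the profile before it is scoped to machines surfaces the mismatch that otherwise only shows up as the `PrivilegeElevation` log entry after the upgrade.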


4 REPLIES

CraftyCilantro5
New Contributor III

Update: I uninstalled 2.35 using the Jamf Connect 2.35 uninstaller, went and downloaded 2.34, demoted myself back to a standard user, and rebooted. Requested access for admin privileges and it's working.

This plist has no OIDCAdminAttribute key and subsequent string.


sanfordbanks
New Contributor

Could you share what your plist file looks like?

Sorry for the late response!
We actually moved away from trying to use the Jamf Connect version of admin on demand. Wasn't feasible for our org. We moved over to robjschroeder's elevate admin script with swiftDialog. Can't say enough good things about it, very customizable.


GitHub - robjschroeder/Elevate: Elevate is a script that can be ran from Jamf Pro to help elevate a ...