Temporary User Promotion - Doesn't work after having previously granted admin rights

SteveWalker
New Contributor III

I have a user that I deployed TUP to that finds that it no longer works after it was previously successful:

  • User has been able to elevate rights first time around
  • Count down timer expired (which we have set to 60 minutes)
  • User selects 'Request admin privileges' again from JC menu
  • JC authenticates with our IdP (Entra) successfully
  • Authentication window closes, JC menu item still reads 'request admin privileges', countdown timer doesn't start, as if nothing happened.
  • User is still a 'standard' user in 'Users & Groups'

Has anybody else witnessed such behaviour?

mm2270
Legendary Contributor III

Are you using version 2.35.0 of Jamf Connect by any chance? I'm testing JC out and recently pushed the latest version to a couple of my test Macs and I'm seeing the same issue. This wasn't happening under version 2.34.0 from what I recall. It only seems to have started with 2.35.0, so I have a feeling there is a defect in this release.

SteveWalker
New Contributor III

Funnily enough, our affected user is on 2.34 - I was about to update them to 2.35 to see if that fixes the issue. If I update and the issue persists, I guess we'll know it isn't version related.

DDC
New Contributor

I just had this happen to me after weeks of successful testing. I believe the problem is a missing option called User Promotion Limit, which is not available in the 2.34.0 schema. If you create a new configuration profile using the 2.35.0 schema, the User Promotion Limit is available; this key allows you to change the number of promotions per month. Don't forget to upgrade the Jamf Connect client to 2.35.0 when trying this out.

https://learn.jamf.com/en-US/bundle/jamf-connect-documentation-2.35.0/page/Configuring_Privilege_Ele...

DDC
New Contributor

Follow up to my previous post, this seems to solve the issue but you'll also need to run the following command to reset the Promotion Limit.

sudo defaults delete com.jamf.connect.state TimeTamperingDetected

mm2270
Legendary Contributor III

I made sure I'm using the Jamf Connect Configuration.app that is the same as the latest version, and my profile contains the User Promotion Limit key in it. Still doesn't work for me.

I haven't tried deleting the com.jamf.connect.state TimeTamperingDetected key, assuming that even exists on our Macs, but I'll look at that.

SteveWalker
New Contributor III

My user updated to JC 2.35 via Self Service and was briefly able to request admin rights. They then got a pop-up to say 'Time Tampering Detected'.

I applied a new 2.35 config profile with User Promotion Limit set to 0.

Ran the command "sudo defaults delete com.jamf.connect.state TimeTamperingDetected"

User now sees the following:

Screenshot 2024-05-23 at 9.49.16 AM.png

SteveWalker
New Contributor III

I set the User Promotion Limit to 1000 instead; the user could then elevate. (I was thinking "0 = infinite" like some of the attributes in Jamf Connect Configuration.app)

One odd side-effect - the JC menubar icon disappeared afterwards.

I had the same line of thought when I started testing out this solution and set the value to "0" but now I'm using "1000" like you mentioned and so far no issues.

SteveWalker
New Contributor III

I'm seeing this issue rear its head again.

We didn't upgrade to 2.36 or beyond and stuck with 2.35. Our Config Profile schema is 2.35 also.

I have users who reported the issue as fixed a couple of weeks ago running into it again. Running the sudo defaults delete com.jamf.connect.state TimeTamperingDetected command again from a policy seems to fix it up for them temporarily, then about an hour later the issue reoccurs. 

I'll be doing some testing with the latest version of JC and will try replacing the config profile with one created in Jamf Connect Configuration.app (as opposed to the one I have created within Jamf Pro 'Applications & Custom Settings/Jamf Applications').

Any stories of similar experiences?

Mohamad
New Contributor II

We upgraded to 2.37 and it is the same.

Same for us as well. Currently when we click the "Request Elevated Permissions" nothing happens when using Okta as the IDP. When testing Okta-OIDC we got to the authentication page at least but still nothing.

SteveWalker
New Contributor III

We saw this issue stabilise after I replaced the menu-bar config-profile using one created using the Jamf Connect Configuration.app

Uploading the created config profile to Applications & Custom Settings/Upload

(rather than create one under Applications & Custom Settings/Jamf Applications, which features a drop-down for different 'schema')

Appears this reoccurs upon the release of a new version of Jamf Connect, where a config profile doesn't match the latest schema available (even if that's not the version you're running)

 

Have yet to test 2.38..