Temporary User Promotion - Doesn't work after having previously granted admin rights

SteveSOE
New Contributor III

I have a user that I deployed TUP to that finds that it no longer works after it was previously successful:

  • User has been able to elevate rights first time around
  • Count down timer expired (which we have set to 60 minutes)
  • User selects 'Request admin privileges' again from JC menu
  • JC authenticates with our IdP (Entra) successfully
  • Authentication window closes, JC menu item still reads 'request admin privileges', countdown timer doesn't start, as if nothing happened.
  • User is still a 'standard' user in 'Users & Groups'

Has anybody else witnessed such behaviour?

8 REPLIES 8

mm2270
Legendary Contributor III

Are you using version 2.35.0 of Jamf Connect by any chance? I'm testing JC out and recently pushed the latest version to a couple of my test Macs and I'm seeing the same issue. This wasn't happening under version 2.34.0 from what I recall. It only seems to have started with 2.35.0, so I have a feeling there is a defect in this release.

SteveSOE
New Contributor III

Funnily enough our effected user is on 2.34 - I was about to update to them 2.35 to see if that fixes the issue. If I updated and the issue persists, I guess we'll know it isn't version related.

DDC
New Contributor

I just had this happen to me after weeks of successfully testing, I believe the problem is a missing option called User Promotion Limit not available in the 2.34.0 schema. If you create a new configuration profile using the 2.35.0 schema, the User Promotion Limit is available, this key allows you to change the number of promotions per month. Don't forget to upgrade the Jamf Connect client to 2.35.0 when trying this out.

https://learn.jamf.com/en-US/bundle/jamf-connect-documentation-2.35.0/page/Configuring_Privilege_Ele...

DDC
New Contributor

Follow up to my previous post, this seems to solve the issue but you'll also need to run the following command to reset the Promotion Limit.

sudo defaults delete com.jamf.connect.state TimeTamperingDetected

mm2270
Legendary Contributor III

I made sure I'm using the Jamf Connect Configuration.app that is the same as the latest version, and my profile contains the User Promotion Limit key in it. Still doesn't work for me.

I haven't tried deleting the com.jamf.connect.state TimeTamperingDetected key, assuming that even exists on our Macs, but I'll look at that.

SteveSOE
New Contributor III

My user updated to JC 2.35 via Self Service and was briefly able to request admin rights. They then got a pop-up to say 'Time Tampering Detected'

I applied a new 2.35 config profile with User Promotion Limit set to 0.

Ran the command "sudo defaults delete com.jamf.connect.state TimeTamperingDetected"

User now sees the following:

Screenshot 2024-05-23 at 9.49.16 AM.png

SteveSOE
New Contributor III

I set the User Promotion Limit to 1000 instead; the user could then elevate. (I was thinking "0 = infinite" like some of the attributes in Jamf Connect Configuration.app)

One odd side-effect - the JC menubar icon disappeared afterwards.

DDC
New Contributor

I had the same line of thought when I started testing out this solution and set the value to "0" but now I'm using "1000" like you mentioned and so far no issues.