Jamf Nation Community

SteveSOE · ‎05-21-2024

I have a user that I deployed TUP to that finds that it no longer works after it was previously successful:

User has been able to elevate rights first time around
Count down timer expired (which we have set to 60 minutes)
User selects 'Request admin privileges' again from JC menu
JC authenticates with our IdP (Entra) successfully
Authentication window closes, JC menu item still reads 'request admin privileges', countdown timer doesn't start, as if nothing happened.
User is still a 'standard' user in 'Users & Groups'

Has anybody else witnessed such behaviour?

mm2270 · ‎05-21-2024

Are you using version 2.35.0 of Jamf Connect by any chance? I'm testing JC out and recently pushed the latest version to a couple of my test Macs and I'm seeing the same issue. This wasn't happening under version 2.34.0 from what I recall. It only seems to have started with 2.35.0, so I have a feeling there is a defect in this release.

SteveSOE · ‎05-21-2024

Funnily enough our effected user is on 2.34 - I was about to update to them 2.35 to see if that fixes the issue. If I updated and the issue persists, I guess we'll know it isn't version related.

DDC · a month ago

I just had this happen to me after weeks of successfully testing, I believe the problem is a missing option called User Promotion Limit not available in the 2.34.0 schema. If you create a new configuration profile using the 2.35.0 schema, the User Promotion Limit is available, this key allows you to change the number of promotions per month. Don't forget to upgrade the Jamf Connect client to 2.35.0 when trying this out.

https://learn.jamf.com/en-US/bundle/jamf-connect-documentation-2.35.0/page/Configuring_Privilege_Ele...

DDC · a month ago

Follow up to my previous post, this seems to solve the issue but you'll also need to run the following command to reset the Promotion Limit.

sudo defaults delete com.jamf.connect.state TimeTamperingDetected

mm2270 · a month ago

I made sure I'm using the Jamf Connect Configuration.app that is the same as the latest version, and my profile contains the User Promotion Limit key in it. Still doesn't work for me.

I haven't tried deleting the com.jamf.connect.state TimeTamperingDetected key, assuming that even exists on our Macs, but I'll look at that.

SteveSOE · a month ago

My user updated to JC 2.35 via Self Service and was briefly able to request admin rights. They then got a pop-up to say 'Time Tampering Detected'

I applied a new 2.35 config profile with User Promotion Limit set to 0.

Ran the command "sudo defaults delete com.jamf.connect.state TimeTamperingDetected"

User now sees the following:

SteveSOE · a month ago

I set the User Promotion Limit to 1000 instead; the user could then elevate. (I was thinking "0 = infinite" like some of the attributes in Jamf Connect Configuration.app)

One odd side-effect - the JC menubar icon disappeared afterwards.

DDC · a month ago

I had the same line of thought when I started testing out this solution and set the value to "0" but now I'm using "1000" like you mentioned and so far no issues.

SteveSOE · Thursday

I'm seeing this issue rear its head again.

We didn't upgrade to 2.36 or beyond and stuck with 2.35. Our Config Profile schema is 2.35 also.

I have users who reported the issue as fixed a couple of weeks ago running into it again. Running the sudo defaults delete com.jamf.connect.state TimeTamperingDetected command again from a policy seems to fix it up for them temporarily, then about an hour later the issue reoccurs.

I'll be doing some testing with latest version of JC and will try replacing the config profile with one created in Jamf Connect Configuration App (as opposed to the one I have created within Jamf Pro 'Applications & Custom Settings/Jamf Applicaitons)

Any stories of similar experiences?

Jamf Nation Community

Temporary User Promotion - Doesn't work after having previously granted admin rights