2 weeks ago
I'm relatively new to using JAMF and I've looking around at the community posts but I haven't found an existing post that answers this. I'm trying to create a search criteria using the Extension Attribute function which would work for an Advanced Computer Search that'd allow me to check if a Local User Account on a MacBook has admin rights or not.
When I check an individual device I can see a field under Local User Accounts that has a Yes or No to indicate if the local account has admin rights or not but I'm not having any luck with trying to create a filter for this so I can see which devices have admin accounts.
Any assistance with this would be appreciated.
2 weeks ago
This is still a very straightforward method:
Create a new EA:
groupmember=$(dscl . -read Groups/admin GroupMembership | cut -c 18- | sed -E -e 's/(root|yourjamfmanagementaccount)//g')
echo "<result>$groupmember</result>"
Then create a new Smart Group leveraging that EA. Remember that the group membership will only be recomputed after a recon is run on the device.
2 weeks ago
Here is the snippet that I have used:
#!/bin/zsh
declare -a adminUsers
declare -a result
function join { local IFS="$1"; shift; echo "$*"; }
function members { dscl . -list /Users | while read user; do printf "$user "; dsmemberutil checkmembership -U "$user" -G "$*"; done | grep "is a member" | cut -d " " -f 1; }
adminUsers=$( members "staff" )
result=$(join , ${adminUsers[@]})
echo "<result>$result</result>"
2 weeks ago
Thank you both! I'll give these a try and report back, I appreciate the help with this.
Friday
We do something similar but have an array of excluded accounts. That way we can create a Smart Group based upon the EA, that will automatically deploy a script to remove admin rights, again excluding our admin accounts, since we are a zero trust environment.