Jamf Nation Community

beeboo · ‎11-13-2019

things like homebrew or nginx, etc, require sudo access to install/update.

is there a safe way to maintain their standard user rights and just give them access to sudo certain applications?

Any application that i can package in composer or a curl script i have, but applications (namely) homebrew (with xcode CLI) require sudo access to install and update. Homebrew script (found here) doesnt work in SelfService but works as a script on the local machine, assuming its timing out waiting for a prompt even though it doesnt prompt in the OS (maybe i need to add PPPC for osascript and terminal?)

i dont want the user to have admin rights elsewhere like creating an account or deleting the jamf binary, but they would still need to do their job.

teodle · ‎11-13-2019

try this

beeboo · ‎11-18-2019

@teodle is this something you have implemented too?

do do you guys go about managing this or scaling this for larger devs?

teodle · ‎11-18-2019

No but maybe we should. Haven't looked into scaling this but I'm sure it's possible.

KyleEricson · ‎11-18-2019

@jcheLC Have you seen the SAP app Privileges Link Here

beeboo · ‎11-19-2019

@teodle how do you guys provide temp admin access or are all your users basically admin (or at least if they have admin it wont be removed)

@kerickson Yup, but it seems like a temp stopgap - is the usage track-able?
whats stop the users from just running it all day and being admin basically all day? 😞

zachary_fisher · ‎11-19-2019

Have you looked at the jamf connect Pam module ?

zachary_fisher · ‎11-19-2019

https://docs.jamf.com/jamf-connect/1.6.0/administrator-guide/Pluggable_Authentication_Module_(PAM).html

teodle · ‎01-02-2020

@jcheLe
We have a promote to admin policy that can be applied to a single local user or all local users but then someone has to remember to demote them back to standard users.

merps · ‎01-03-2020

Jamf has this tool on their github: MakeMeAnAdmin

rafaelnr · ‎03-06-2020

@jchele ...could you provide a copy of that policy? thanks!

rafaelnr · ‎03-06-2020

@teodle would you mind sharing that policy? Thanks!

bwoods · ‎09-22-2020

Hi everyone, my secadmin team wants to remove admin rights for all of my users. I initially thought that the Jamf Connect Login P.A.M module was able to do this, but I was mistaken. the P.A.M module only allows you to run sudo commands and use a cloud identity provider to enter your password. Since I couldn't use P.A.M, I created a simple script that would make it possible to run sudo commands without an admin account based on all of the information you all provided. Thanks to everyone for pointing me in the right direction.

Make sure to run this script with a Jamf policy
I've included security features to prevent users from editing System Preferences, attempting to remove the Jamf Binary, and editing the sudoers file.

#!/bin/bash

# Identify the username of the logged-in user

currentUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "
");'`

# Create file named "standard" and place in /private/tmp/

touch /private/tmp/standard 

# Populate "standard" file with desired permissions

echo "$currentUser ALL= (ALL) ALL
$currentUser    ALL= !/usr/bin/passwd root, !/usr/bin/defaults, !/usr/sbin/visudo, !/usr/bin/vi /etc/sudoers, !/usr/bin/vi /private/etc/sudoers, !/usr/bin/sudo -e /etc/sudoers, !/usr/bin/sudo -e /private/etc/sudoers, !/usr/local/bin/jamf" >> /private/tmp/standard

# Move "standard" file to /etc/sudoers.d

mv /private/tmp/standard /etc/sudoers.d

# Change permissions for "standard" file

chmod 644 /etc/sudoers.d/standard

exit 0;     ## Sucess
exit 1;     ## Failure

all users are standard users but some require sudo access