things like homebrew or nginx, etc, require sudo access to install/update.
is there a safe way to maintain their standard user rights and just give them access to sudo certain applications?
Any application that i can package in composer or a curl script i have, but applications (namely) homebrew (with xcode CLI) require sudo access to install and update. Homebrew script (found here) doesnt work in SelfService but works as a script on the local machine, assuming its timing out waiting for a prompt even though it doesnt prompt in the OS (maybe i need to add PPPC for osascript and terminal?)
i dont want the user to have admin rights elsewhere like creating an account or deleting the jamf binary, but they would still need to do their job.
@teodle how do you guys provide temp admin access or are all your users basically admin (or at least if they have admin it wont be removed)
@kerickson Yup, but it seems like a temp stopgap - is the usage track-able?
whats stop the users from just running it all day and being admin basically all day? :(
Hi everyone, my secadmin team wants to remove admin rights for all of my users. I initially thought that the Jamf Connect Login P.A.M module was able to do this, but I was mistaken. the P.A.M module only allows you to run sudo commands and use a cloud identity provider to enter your password. Since I couldn't use P.A.M, I created a simple script that would make it possible to run sudo commands without an admin account based on all of the information you all provided. Thanks to everyone for pointing me in the right direction.
#!/bin/bash # Identify the username of the logged-in user currentUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None]); username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + " ");'` # Create file named "standard" and place in /private/tmp/ touch /private/tmp/standard # Populate "standard" file with desired permissions echo "$currentUser ALL= (ALL) ALL $currentUser ALL= !/usr/bin/passwd root, !/usr/bin/defaults, !/usr/sbin/visudo, !/usr/bin/vi /etc/sudoers, !/usr/bin/vi /private/etc/sudoers, !/usr/bin/sudo -e /etc/sudoers, !/usr/bin/sudo -e /private/etc/sudoers, !/usr/local/bin/jamf" >> /private/tmp/standard # Move "standard" file to /etc/sudoers.d mv /private/tmp/standard /etc/sudoers.d # Change permissions for "standard" file chmod 644 /etc/sudoers.d/standard exit 0; ## Sucess exit 1; ## Failure