all users are standard users but some require sudo access

beeboo
Contributor

things like homebrew or nginx, etc, require sudo access to install/update.

is there a safe way to maintain their standard user rights and just give them access to sudo certain applications?

Any application that i can package in composer or a curl script i have, but applications (namely) homebrew (with xcode CLI) require sudo access to install and update. Homebrew script (found here) doesnt work in SelfService but works as a script on the local machine, assuming its timing out waiting for a prompt even though it doesnt prompt in the OS (maybe i need to add PPPC for osascript and terminal?)

i dont want the user to have admin rights elsewhere like creating an account or deleting the jamf binary, but they would still need to do their job.

12 REPLIES 12

teodle
Contributor II

beeboo
Contributor

@teodle is this something you have implemented too?

do do you guys go about managing this or scaling this for larger devs?

teodle
Contributor II

No but maybe we should. Haven't looked into scaling this but I'm sure it's possible.

KyleEricson
Valued Contributor II

@jcheLC Have you seen the SAP app Privileges Link Here

Read My Blog: https://www.ericsontech.com

beeboo
Contributor

@teodle how do you guys provide temp admin access or are all your users basically admin (or at least if they have admin it wont be removed)

@kerickson Yup, but it seems like a temp stopgap - is the usage track-able?
whats stop the users from just running it all day and being admin basically all day? :(

zachary_fisher
New Contributor III

Have you looked at the jamf connect Pam module ?

zachary_fisher
New Contributor III

https://docs.jamf.com/jamf-connect/1.6.0/administrator-guide/Pluggable_Authentication_Module_(PAM).html

teodle
Contributor II

@jcheLe
We have a promote to admin policy that can be applied to a single local user or all local users but then someone has to remember to demote them back to standard users.

merps
Contributor III

Jamf has this tool on their github: MakeMeAnAdmin

rafaelnr
New Contributor II

@jchele ...could you provide a copy of that policy? thanks!

rafaelnr
New Contributor II

@teodle would you mind sharing that policy? Thanks!

bwoods
Valued Contributor

Hi everyone, my secadmin team wants to remove admin rights for all of my users. I initially thought that the Jamf Connect Login P.A.M module was able to do this, but I was mistaken. the P.A.M module only allows you to run sudo commands and use a cloud identity provider to enter your password. Since I couldn't use P.A.M, I created a simple script that would make it possible to run sudo commands without an admin account based on all of the information you all provided. Thanks to everyone for pointing me in the right direction.

  1. Make sure to run this script with a Jamf policy
  2. I've included security features to prevent users from editing System Preferences, attempting to remove the Jamf Binary, and editing the sudoers file.
#!/bin/bash

# Identify the username of the logged-in user

currentUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "
");'`

# Create file named "standard" and place in /private/tmp/

touch /private/tmp/standard 

# Populate "standard" file with desired permissions

echo "$currentUser ALL= (ALL) ALL
$currentUser    ALL= !/usr/bin/passwd root, !/usr/bin/defaults, !/usr/sbin/visudo, !/usr/bin/vi /etc/sudoers, !/usr/bin/vi /private/etc/sudoers, !/usr/bin/sudo -e /etc/sudoers, !/usr/bin/sudo -e /private/etc/sudoers, !/usr/local/bin/jamf" >> /private/tmp/standard

# Move "standard" file to /etc/sudoers.d

mv /private/tmp/standard /etc/sudoers.d

# Change permissions for "standard" file

chmod 644 /etc/sudoers.d/standard

exit 0;     ## Sucess
exit 1;     ## Failure