Automated workflow for a user to request admin privileges

m_entholzner
Contributor III

Hey guys,

I'm looking for some ideas to get a customer's request working. This is what to do: a user should be able to start a workflow to request local admin privileges for his mobile AD account. Each user has a standard account and some users have additional accounts for doing all the administrative stuff. Only these admin accounts should be able to start the workflow. When the workflow is started, an email should be generated and sent to a specific person or group. If the person gives his OK, the user will get his privileges.
The privileges should be limited to a specific time, such as one week, one month or one year.

Here is what I thought about and what is possible with my current knowledge:
Adding a user as local admin is simple; just add the user to the local admin group.
To make sure that the account will be deleted from the local admin group after the specified time, I'd like to use a LaunchDaemon job. I've done this before to add a delay for running software updates; this works fine. This should be possible for a dscl command too.
The currently logged in user could be identified without using the login in Self Service by reading the currently logged in /dev/console user. When the user is running the policy via Self Service, a dialog via jamfhelper could be generated to ask the user if local admin should be requested for this account, or a reject dialog if the user is making this request with a non-authorized account.

I'm getting stuck with these problems: how to send an email via Self Service to the specified person or group, and how to get the feedback back to the local computer?
Sounds simple, but is quite difficult...

Thanks guys! :)
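The local half of the plan in the post above (console-user check, time-limited admin group membership, LaunchDaemon-driven removal), sketched as an added example that is not part of the original post or of any project mentioned in this thread. The `adm_` account prefix, the daemon label and the file paths are assumptions; the email approval step is not covered.

```shell
#!/bin/sh
# Added example: time-limited local admin on macOS. All names and paths are assumptions.
LABEL="com.example.tempadmin"                  # hypothetical LaunchDaemon label
PLIST="/Library/LaunchDaemons/$LABEL.plist"
STATE="/var/db/$LABEL.expiry"                  # holds "<user> <expiry epoch>"
SELF="/usr/local/sbin/tempadmin.sh"            # assumed install path of this script

# Only dedicated admin accounts may request elevation ("adm_" prefix is an assumed convention).
is_authorized() {
    case "$1" in
        *[!A-Za-z0-9._-]*) return 1 ;;         # unsafe characters: never pass to dseditgroup
        adm_?*) return 0 ;;
        *) return 1 ;;
    esac
}
duration_seconds() {   # map the durations named in the request to seconds
    case "$1" in week) echo 604800 ;; month) echo 2592000 ;; year) echo 31536000 ;;
        *) return 1 ;; esac
}

render_plist() {   # hourly re-check survives sleep and reboots, unlike a one-shot timer
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>$LABEL</string>
  <key>ProgramArguments</key><array><string>$SELF</string><string>check</string></array>
  <key>StartInterval</key><integer>3600</integer>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
}

grant() {   # grant <week|month|year>; run as root by the policy once approval is given
    user=$(stat -f%Su /dev/console)            # currently logged-in console user
    is_authorized "$user" || { echo "not an admin account: $user" >&2; return 1; }
    secs=$(duration_seconds "$1") || { echo "bad duration: $1" >&2; return 1; }
    # Put the revocation in place before granting anything.
    echo "$user $(( $(date +%s) + $secs ))" > "$STATE" && chmod 600 "$STATE"
    render_plist > "$PLIST" && chmod 644 "$PLIST"
    dseditgroup -o edit -a "$user" -t user admin && launchctl load "$PLIST"
}

check() {   # run by the LaunchDaemon; an unreadable expiry value demotes (fails closed)
    read -r user expiry < "$STATE" && is_authorized "$user" || return 1
    [ "$(date +%s)" -lt "$expiry" ] 2>/dev/null && return 0
    dseditgroup -o edit -d "$user" -t user admin
    rm -f "$STATE" "$PLIST"; launchctl remove "$LABEL"
}
case "${1:-}" in grant) grant "${2:-}" ;; check) check ;; esac
```

The policy would call `tempadmin.sh grant week` as root; the LaunchDaemon then calls `tempadmin.sh check` every hour until the membership is removed.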

1 REPLY

pew
New Contributor

Check out Adrina Kelly's excellent presentation from JNUC 2013, "Getting Users to Do Your Job (Without Them Knowing It)". She showed a Self Service package that elevates user privileges for a set period of time. IIRC, she posted source code to GitHub.

https://www.youtube.com/watch?v=AzlWdrRc1rY&index=15&list=PLlxHm_Px-Ie01lK6FgfdXhk-YuByY6X27