Automatic updates & Standard Users

bwoods
Valued Contributor

Hello, my company is planning to demote our admin users to standard users. I've found a way for them to run sudo commands without admin, but I need a way for them to update third-party apps without administrator credentials.

The only thing that I could come up with is a script that allows me to plug in an app name as a parameter, then moves it to /Users/$3/Applications.

I've also looked into the Make Me Admin app, but my SecOps team doesn't want anyone to have admin rights.

8 REPLIES

mm2270
Legendary Contributor III

Do these actually have to be updated by the user directly? Or can they be something put into Self Service like patches? Because being able to install updates is one of the reasons why you would use Self Service. It doesn't require that anyone be a local admin since it handles all the admin authentication stuff in the background.
If you're not using Self Service and you are planning on demoting users from admin to standard, I would highly recommend looking at making use of it.

jhuls
Contributor III

What mm2270 said.

I'm curious about this being able to run sudo without admin. Can you elaborate on that?

bwoods
Valued Contributor

@jhuls you can allow standard users to run sudo commands by adding them to the sudoers.d folder. You can also limit the commands that they can run.
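For the sudoers.d approach described in the reply above, a small audit of a drop-in file before it is deployed, flagging rules that give a standard user more than the intended commands. This is an added example, not part of the thread; the user name `jdoe`, the paths, and the `ESCAPE_PRONE` list are constructed assumptions.

```python
import re

# Constructed list of binaries that can yield a root shell via sudo; extend as needed.
ESCAPE_PRONE = {"sh", "bash", "zsh", "vi", "vim", "nano", "less", "find", "python3"}
SKIP = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")
SPEC = re.compile(r"^\S+\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")

def ignored_by_includedir(name):
    """sudo's #includedir skips file names that contain '.' or end in '~'."""
    return "." in name or name.endswith("~")

def audit_rules(text):
    """Return (line_no, message) findings for the text of a sudoers.d drop-in."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line or line.startswith(SKIP):
            continue
        m = SPEC.match(line)
        if not m:
            findings.append((n, "unparsed line; validate with visudo -cf"))
            continue
        nopasswd = False
        # Simplification: assumes no escaped commas inside command arguments.
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            while (t := TAG.match(cmd)):  # tags carry over to later commands
                nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(t[1], nopasswd)
                cmd = cmd[t.end():]
            binary = cmd.split()[0] if cmd else ""
            if binary == "ALL":
                findings.append((n, "grants every command" + (" without a password" if nopasswd else "")))
            elif re.fullmatch(r"[A-Z][A-Z0-9_]*", binary) or binary.startswith("!"):
                continue  # Cmnd_Alias reference or negated entry: review by hand
            elif not binary.startswith("/") and binary != "sudoedit":
                findings.append((n, f"'{binary}' is not an absolute path"))
            elif binary.rsplit("/", 1)[-1] in ESCAPE_PRONE:
                findings.append((n, f"'{binary}' can be used to get a root shell"))
            elif "*" in cmd:
                findings.append((n, f"wildcard in '{cmd}' widens the grant"))
    return findings

# Constructed sample drop-in (user name and paths are hypothetical).
SAMPLE = """\
# /etc/sudoers.d/standard_user
jdoe ALL = (root) NOPASSWD: /usr/sbin/softwareupdate --list
jdoe ALL = (root) /usr/bin/vim, /usr/local/bin/app_update *
jdoe ALL = (ALL) NOPASSWD: ALL
"""
```

This only judges how broad each grant is; syntax still needs `visudo -cf` on the file before it is placed in the folder.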

ThierryD
New Contributor III

@bwoods I'm interested in the solution you've come up with to allow automatic updates for standard users.

ThierryD
New Contributor III

@bwoods Did you come up with a working solution regarding standard users & updates?

bwoods
Valued Contributor

Hey @PayFit, I spoke to macmule about this a couple of months ago on Slack. He suggested using jamJAR. Unfortunately, I don't have the time to configure Munki. My team is now looking into using CyberArk EPM to manage application permissions. So far, it seems to be what we need.

jamJAR also looks promising, if you have the time to configure it. Here's the link to the GitHub overview: https://github.com/dataJAR/jamJAR/wiki

user-kMDjUsheqD
New Contributor

interested

jmacbrown
New Contributor

Hello, I have the same issue. We are using only Intune to manage our devices. Minor software updates seem to work, and we are forcing our users to do them with the Nudge tool. For major upgrades (11.x to 12.x) this is not working because the standard user needs the right to change the startup volume, for example. Currently, I am testing a script which will guide the user with some alerts and a step-by-step guide through the upgrade process; at the important moment the user will be upgraded to an admin and can start the process. After some seconds, the user will be demoted again. The script is not yet working, and a big problem is also making sure the user has the latest installer on the computer. Therefore, I am using gibMacOS to download the latest OS installer first. Once the script is working, I will share it.

Problems:

  • I am not certain how long admin rights are needed during the running of the Monterey Installer.