Posted on 11-02-2020 12:00 PM
Hello, my company is planning to demote our admin users to standard users. I've found a way for them to run sudo commands without admin, but I need a way for them to update third party apps without administrator credentials.
The only thing that I could come up with is a script that allows me to plug in an app name as a parameter, then moves it to /Users/$3/Applications.
I've also looked into the make me admin app, but my SecOps team doesn't want anyone to have admin rights.
Posted on 11-02-2020 12:16 PM
Do these actually have to be updated by the user directly? Or can they be something put into Self Service like patches? Because being able to install updates is one of the reasons why you would use Self Service. It doesn't require that anyone be a local admin since it handles all the admin authentication stuff in the background.
If you're not using Self Service and you are planning on demoting users from admin to standard, I would highly recommend looking at making use of it.
Posted on 11-02-2020 12:25 PM
What mm2270 said.
I'm curious about this being able to run sudo without admin. Can you elaborate on that?
Posted on 11-02-2020 12:48 PM
@jhuls you can allow standard users to run sudo commands by adding them to the sudoers.d folder. You can also limit the commands that they can run.
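A narrow lint for the sudoers.d approach described in the post above, as an added example that is not part of the thread: it flags rules in a drop-in that go beyond a fixed allow-list of absolute command paths. The user jdoe and the sample rules are constructed, and line continuations and aliases are not resolved.

```shell
#!/bin/sh
# Added example (not from the thread): flag sudoers.d rules that go beyond
# a fixed allow-list of absolute command paths. Narrow by design: no
# backslash line continuations, no alias expansion, no escaped commas.
audit_dropin() {
  awk '
    /^[ \t]*(#|$)/ { next }                          # comments, blank lines
    /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }     # only user specs checked
    {
      eq = index($0, "=")
      if (eq == 0) next
      cmds = substr($0, eq + 1)
      sub(/^[ \t]*\([^)]*\)[ \t]*/, "", cmds)        # drop the (runas) part
      n = split(cmds, c, ",")
      for (i = 1; i <= n; i++) {
        cmd = c[i]
        gsub(/^[ \t]+|[ \t]+$/, "", cmd)
        sub(/^([A-Z]+:[ \t]*)+/, "", cmd)            # drop tags like NOPASSWD:
        if (cmd == "ALL") print NR ": grants ALL commands"
        else if (cmd !~ /^\//) print NR ": not an absolute path: " cmd
        else if (cmd ~ /[*?]/) print NR ": wildcard in command: " cmd
      }
    }' "$1"
}

# Constructed sample drop-in; user jdoe and every rule are made up.
sample_dropin() {
  cat <<'EOF'
# constructed sample
jdoe ALL=(root) NOPASSWD: /usr/sbin/softwareupdate --install --all
jdoe ALL=(root) /bin/launchctl kickstart *
%staff ALL=(ALL) NOPASSWD: ALL
jdoe ALL=(root) installer
EOF
}

tmp=$(mktemp)
sample_dropin > "$tmp"
audit_dropin "$tmp"
rm -f "$tmp"
```

Run `visudo -cf` on the drop-in as well before deploying it; that checks syntax, which this lint does not.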
Posted on 12-18-2020 03:47 AM
@bwoods I'm interested in the solution I've come up with to allow automatic updates for standard users.
Posted on 01-22-2021 03:41 AM
Posted on 01-22-2021 07:40 AM
Hey @PayFit, I spoke to macmule about this a couple of months ago on Slack. He suggested using jamJAR. Unfortunately, I don't have the time to configure Munki. My team is now looking into using CyberArk EPM to manage application permissions. So far, it seems to be what we need.
jamJAR also looks promising, if you have the time to configure it. Here's the link to the GitHub overview: https://github.com/dataJAR/jamJAR/wiki
Posted on 09-17-2021 06:14 PM
Posted on 12-27-2021 08:15 AM
Hello, I have the same issue. We are using only Intune to manage our devices. Minor software updates seem to work, and we are forcing our users to do them with the Nudge tool. For major upgrades (11.x to 12.x) this is not working, because the standard user needs the right to change the startup volume, for example. Currently, I am testing a script which will guide the user through the upgrade process with some alerts and a step-by-step guide; at the important moment the user will be upgraded to an admin and can start the process. After some seconds, the user will be demoted again. The script is not yet working, and a big problem is also making sure the user has the latest installer on the computer. Therefore, I am using gibMacOS to download the latest OS installer first. Once the script is working, I will share it.