Hello, my company is planning to demote our admin users to standard users. I've found a way for them to run sudo commands without admin, but I need a way for them to update third party apps without administrator credentials.
The only thing that I could come up with is a script that allows me to plug in an app name as a parameter, then moves it to /Users/$3/Applications.
I've also look it into the make me admin app, but my SecOps teams doesn't want anyone to have admin rights.
Do these actually have to be updated by the user directly? Or can they be something put into Self Service like patches? Because being able to install updates is one of the reasons why you would use Self Service. It doesn't require that anyone be a local admin since it handles all the admin authentication stuff in the background.
If you're not using Self Service and you are planning on demoting users from admin to standard, I would highly recommend looking at making use of it.
Hey @PayFit, I spoke to macmule about this a couple of months ago on Slack. he suggested using jamJar. Unfortunately, I don't have the time to configure Munki. My team is now looking into using Cyberark EPM to manage application permissions. So far, it seems to be what we need.
jamJar also looks promising as well. If you have the time to configure it. Here the link to the Github overview: https://github.com/dataJAR/jamJAR/wiki
Hello, I have the same issue. We are using only Intune to manage our devices. Minor software updates seems to work, and we are forcing our users to do it with the Nudge Tool. For Major Upgrades 11.x to 12.x this is not working because the standard User needs the right to change the Startup volume for example. Currently, I am testing a script which will guide the user with some alerts and a step-by-step guide through the Upgrade process, at the important moment the user will be upgraded to an admin and can start the process. After some seconds, the user will be demoted again. The script is not yet working, and a big problem is also to make sure the user has the latest installer on the computer. Therefore, I am using gibMacOS to download the latest OS Installer first. Once the script is working, I will share it.