Posted on 09-01-2015 07:50 AM
Is there any way (a script maybe?) to pull the username from the JSS so that I can compare the results with the current logged in user?
I am looking to ensure that the only users who have admin rights on a machine are those who have been assigned to the machine in the JSS. For us, this would prevent the machine from being passed around without our knowledge and it would help prevent a user from having admin rights on any machine they log into (which they currently can do....terrible practice... I know).
Thanks in advance.
Posted on 09-01-2015 08:46 AM
Yes, with the API.
You'd need to create a script that would run at login to pull a basic subset of the computer record from your JSS using API calls, and locate the user assigned to the Mac as the JSS knows it. This assumes the user assignments are all being done ahead of time; I assume they are, or you probably wouldn't be asking if it was possible to do this.
Once you have that information, you can compare it to the user that just logged in and determine if they are a match, then run something like:
dseditgroup -o edit -a username -t user admin
to add them into the local admin group.
On a side note, if you're using directory service accounts, it could be as simple as making sure the proper directory group or groups are assigned to have admin rights when signed in on the computer. I'm assuming you use local only accounts here though. Correct me if I'm wrong.
Posted on 09-02-2015 03:29 PM
The script below should give you a good starting point. Just plug your JSS URL and API user credentials into the apiQuery function.
#!/bin/bash
# Set field separator to newline
IFS=$'\n'
# Function for querying the JSS API
# Parameters:
# (1) URL Suffix for the page that needs to be queried.
# (2) Value that you are searching for within the JSS API.
apiQuery() {
# Set the URL for the JSS web console. Example: jssURL="https://mycompany.mydomain.com:8443"
jssURL=""
# Set JSS API username. Example: jssUser="CasperAPI"
jssUser=""
# Set JSS API password. Example: jssPW="password"
jssPW=""
# If requesting JSON response
if [ "$1" == "json" ]; then
# Get data from JSS and return the JSON response. Add the "-k" switch to the "curl" command if SSL Cert is not trusted.
curl "$jssURL/JSSResource/$2" -H 'Accept: application/json' --user "$jssUser:$jssPW" --silent | python -m json.tool
# If not requesting the JSON response
else
# Get data from JSS and return the XML response. Add the "-k" switch to the "curl" command if SSL Cert is not trusted.
curl "$jssURL/JSSResource/$1" --user "$jssUser:$jssPW" --silent | awk -F "<$2>|</$2>" '{ print $2 }'
fi
}
# Set default value for return code (0 - Success)
lRet=0
# Get hardware UUID/UDID of system
hwUDID=`system_profiler SPHardwareDataType | awk '/UUID/{ print $NF }'`
# Output information
echo "Hardware UDID: $hwUDID"
# Get assigned user ID of computer from JSS
assignedUser=`apiQuery "computers/udid/$hwUDID/subset/location" username`
# Output information
echo "JSS Assigned User: $assignedUser"
# Bail out if the JSS returned no assigned user: with an empty value the checks below
# would grant nothing useful and could treat every admin as unapproved, so leave the
# admin group untouched instead.
if [ -z "$assignedUser" ]; then
echo "No assigned user found in the JSS for this computer. Exiting without changes."
exit 1
fi
# Get management account of computer from JSS
mgmtUser=`apiQuery "computers/udid/$hwUDID/subset/general" management_username`
# Output information
echo "Management User: $mgmtUser"
# Get current admins
currentAdmins=(`dscl . -read /Groups/admin GroupMembership | sed -e 's/.*: //g'`)
# Output information
echo "Current admins: ${currentAdmins[@]}"
# Output information
echo "Ensuring that the assigned user ($assignedUser) is an administrator on this machine..."
# Check if user is an admin
adminCheck=`echo ${currentAdmins[@]} | grep -w "$assignedUser"`
# If user is already an admin
if [ "$adminCheck" != "" ]; then
# Output information
echo "The assigned user ($assignedUser) is already an administrator."
# If user is not already an admin
else
# Output information
echo "The assigned user ($assignedUser) is not already an administrator. Adding the user to the admin group..."
# Add user to admin group
dseditgroup -o edit -a "$assignedUser" -t user admin
# Get return code of last command
lRet=$?
# Check if user is an admin
adminCheck=`dscl . -read /Groups/admin GroupMembership | grep -iw "$assignedUser"`
# If user is an admin
if [ "$adminCheck" != "" ]; then
# Output information
echo "The assigned user ($assignedUser) was successfully added to the administrator group."
# If user is not an admin
else
# Output information
echo "The assigned user ($assignedUser) failed to be added to the administrator group. Return code: $lRet."
fi
fi
# Output information
echo "Checking for unapproved administrators..."
# Get current admins
extraAdmins=(`dscl . -read /Groups/admin GroupMembership | sed -e 's/.*: //g' | awk -v RS=" " '{ print $0 }' | grep -vw -e "root" -e "$mgmtUser" -e "$assignedUser"`)
# If unapproved admins were found
if [ ${#extraAdmins[@]} -gt 0 ]; then
# Output information
echo "${#extraAdmins[@]} unapproved administrator(s) will be removed from the administrator group..."
# For each user in the admin group
for extraAdmin in ${extraAdmins[@]}; do
# Output information
echo "Removing $extraAdmin from the administrator group..."
# Remove user from group
dseditgroup -o edit -d "$extraAdmin" -t user admin
# Get return code
lRet=$?
# Check if user is an admin
adminCheck=`dscl . -read /Groups/admin GroupMembership | grep -w "$extraAdmin"`
# If user is not an admin
if [ "$adminCheck" == "" ]; then
# Output information
echo "The unapproved administrator ($extraAdmin) was successfully removed from the administrator group."
# If user is an admin
else
# Output information
echo "The unapproved administrator ($extraAdmin) failed to be removed from the administrator group. Return code: $lRet."
fi
done
# If unapproved admin were not found
else
# Output information
echo "No unapproved administrators were detected."
fi
# Output information
echo "Closing script..."
# Exit script
exit $lRet
I hope this helps!
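As an added example that is not part of the original post: pure-shell versions of the script's two building blocks (pulling a tag out of the JSS XML response, then comparing the admin group against the approved accounts), run offline against constructed data. The XML reply, the dscl membership line and every account name below are made up.

```shell
#!/bin/bash
# Added example, not part of the original post: pure-shell versions of the
# script's two building blocks (pull a tag out of the JSS XML response, then
# compare the admin group against the approved accounts) on constructed data.

# Constructed stand-in for the JSS reply to computers/udid/<UDID>/subset/location
SAMPLE_LOCATION_XML='<?xml version="1.0" encoding="UTF-8"?><computer><location><username>jdoe</username><realname>Jane Doe</realname></location></computer>'

# Constructed stand-in for `dscl . -read /Groups/admin GroupMembership`
SAMPLE_MEMBERSHIP='GroupMembership: root casperadmin jdoe bsmith tjones'

# Print the text of the first <tag>...</tag> in an XML string. Same awk
# field-splitting trick as the script above, but an absent tag yields an
# empty string and a non-zero status instead of silently printing nothing.
xml_tag() {
  local xml="$1" tag="$2" value
  value=$(printf '%s' "$xml" | awk -F "<$tag>|</$tag>" 'NF > 2 { print $2; exit }')
  [ -n "$value" ] && printf '%s' "$value"
}

# Print admin group members that are not in the approved list, one per line.
# $1 = GroupMembership line from dscl; remaining args = approved accounts.
unapproved_admins() {
  local members="${1#*: }" member approved keep
  shift
  for member in $members; do
    keep=1
    for approved in "$@"; do
      [ "$member" = "$approved" ] && keep=0
    done
    [ "$keep" -eq 1 ] && printf '%s\n' "$member"
  done
  return 0
}

# Refuse to act when the JSS has no assigned user: with an empty name every
# other admin would look unapproved and be stripped. Otherwise list the
# accounts that the remediation loop would remove.
plan_remediation() {
  local assigned="$1" membership="$2" mgmt="$3"
  if [ -z "$assigned" ]; then
    echo "SKIP: no assigned user in JSS; admin group left untouched"
    return 1
  fi
  unapproved_admins "$membership" root "$mgmt" "$assigned"
}

# Demo against the constructed data: prints bsmith and tjones
assigned=$(xml_tag "$SAMPLE_LOCATION_XML" username)
plan_remediation "$assigned" "$SAMPLE_MEMBERSHIP" casperadmin
```

To use it for real, replace the two SAMPLE_ values with the output of the curl and dscl commands from the script above.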
Posted on 12-01-2016 06:40 PM
I know a lot of time has passed since this posting, but why wouldn't you just scope your policy correctly?
Here is a 3 line temporary solution:
# USERNAME must be set to the account to elevate before these lines run (in a Jamf login-triggered policy script the username arrives as $3)
if ! launchctl list | grep -q com.apple.atrun; then launchctl load -w /System/Library/LaunchDaemons/com.apple.atrun.plist; fi
/usr/sbin/dseditgroup -o edit -a "$USERNAME" -t user admin
echo "dseditgroup -o edit -d $USERNAME -t user admin" | at now +10 minutes &>/dev/null
How does account sharing NOT break the original post request? I think the original post is moot and temporary rights are better. To that end, I'd like to be able to capture what was done during the elevated rights session in its entirety, and call it a day.