Posted on 05-20-2020 06:58 AM
Hi, I would like to set an extension attribute to check if the logged user is Admin or Not. Could somebody assist me on the script please, I'm not familiar with scripting unfortunately :/
Thank you in advance,
Jamel
Posted on 05-20-2020 08:41 AM
@JamelB Are you looking to use that EA as a Smart Group criteria, or are you just wanting to know who has an admin account on a machine? If the latter, and you're using local accounts, the Local User Accounts panel of a computer inventory record will list all local accounts, and what kind they are.
Posted on 05-20-2020 09:13 AM
Hi @sdagley Thank you for the answer.
I want to create a smart group, but what I really need to know is the current logged-in user, not all users on the Mac.
Thx
Posted on 05-20-2020 10:20 AM
@JamelB This EA will do that, but be aware the EA isn't going to update except when a recon/inventory is run, so it doesn't guarantee the user actually logged in when the Smart Group is evaluated is the one that was tested:
#!/bin/sh
# The owner of /dev/console is the user logged in at the GUI (root at the login window)
loggedInUser=$(stat -f %Su /dev/console)
loggedInUserIsAdmin="No"
# id -Gn lists the user's group names; grep -w matches "admin" as a whole word only
if id -Gn "$loggedInUser" | grep -q -w admin; then
    loggedInUserIsAdmin="Yes"
fi
echo "<result>$loggedInUserIsAdmin</result>"
Posted on 05-21-2020 05:48 AM
Quick question: This is obviously a part of a larger task that you are trying to accomplish. Can you share that? This might help us guide you to a solution that fits your need.
Posted on 05-25-2020 04:25 AM
Thank you @sdagley I will try that. I understand the recon and policy updates, no problem.
@Chris_Hafner
To explain, we have an IT local admin account on the MacBooks, used by the end users to install software/run sudo commands. We want to delete this admin account when the end users are local admins, as it is not required anymore.
I understand the process above may not match 100% what we want to achieve, but if it's 97-99%, it's acceptable.
Posted on 05-25-2020 04:36 AM
@sdagley It works perfectly, thx
Posted on 05-25-2020 08:33 AM
You can also try to use the last user when nobody is logged in:
#!/bin/bash
# bash rather than sh: the script relies on "+=" string appends
result=""
loggedInUser=$(stat -f %Su /dev/console)
macUser=""
macUserIsAdmin="No"
if [ "$loggedInUser" = "root" ] || [ "$loggedInUser" = "" ]; then
    result+="Logged-in User Not Found
"
    # loginwindow remembers the last user who logged in; hide the error if the key is absent
    lastUser=$(defaults read /Library/Preferences/com.apple.loginwindow lastUserName 2>/dev/null)
    if [ "$lastUser" = "" ]; then
        result+="Last User Not Found"
    else
        result+="Checking Last User $lastUser...
"
        macUser=$lastUser
    fi
else
    result+="Checking Current User $loggedInUser...
"
    macUser=$loggedInUser
fi
if [ "$macUser" != "" ]; then
    if id -Gn "$macUser" | grep -q -w admin; then
        macUserIsAdmin="Yes"
    fi
    result+="User is admin: $macUserIsAdmin"
fi
echo "<result>$result</result>"
Posted on 05-26-2020 06:47 AM
OK, I'm popcorning here, but how are you planning on making their account admin? I can see lots of ways to accomplish this, but some may be more elegant than others depending on this. Also, do you have FV2 to contend with? It's easy to check if a user is part of the admin group with a script. Here's a good example from @pete_c (https://www.jamf.com/jamf-nation/discussions/24797/help-with-script-to-give-local-admin-rights-to-log-in-user) near the bottom of the post. I'm throwing this one over because he uses a friendly notice from jamfHelper.
I might have a script that, say, checks to see if the logged-in user is admin (at check-in) and then elevates that account and either deletes the IT account or leaves it for a later policy/process.
I do have an EA that lists all admin users (taken from somewhere here). Perhaps that would be useful for creating a smart group later?
#!/bin/bash
# Script to detect if a computer has a local admin account on it with a UID above 500
# Initialize array
list=()
# Generate the list of users with UID greater than 500
for username in $(dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }'); do
    # Checks to see which usernames are reported as being admins. The
    # check is running dsmemberutil's check membership and listing the
    # accounts that are being reported as admin users. The actual test is
    # for accounts that are NOT "not a member" (i.e. not standard users).
    if [[ $(dsmemberutil checkmembership -U "${username}" -G admin) != *not* ]]; then
        # Any reported accounts are added to the array list
        list+=("${username}")
    fi
done
# Prints the array's contents
echo "<result>${list[@]}</result>"
Posted on 05-26-2020 06:19 PM
@Chris_Hafner , we probably don't trust the users as much as you do :-), which is why we only allow them to be a temporary admin when they need to by using MakeMeAdmin. The downside of this approach: it is delivered through self service and our Jamf Pro is not accessible from external network yet.
Posted on 05-26-2020 06:27 PM
Quick question, are you going to recon every n minutes to make sure your EA gets updated?
Posted on 05-27-2020 01:23 AM
@tlarkin no, recon once per day on our side, but I understand clearly what the behaviour will be.
@cbd4s this is an internal choice ;), but thx for the proposal, I will check that also in parallel.
@Chris_Hafner thank you, I will check if it is interesting to me. With the 1st solution, I was able to create a smart group like I wanted.
Thx all.
Posted on 04-29-2022 01:28 PM
Hi y'all, sorry for piggybacking on this (I'll create a new thread if that's recommended).
I'm trying to merge the first script in the thread:
#!/bin/sh
loggedInUser=$(stat -f %Su /dev/console)
loggedInUserIsAdmin="No"
if id -Gn "$loggedInUser" | grep -q -w admin; then
    loggedInUserIsAdmin="Yes"
fi
echo "<result>$loggedInUserIsAdmin</result>"
with this script here:
https://github.com/jamf/MakeMeAnAdmin/blob/master/MakeMeAnAdmin.sh
I'm employing the former script to allow users to receive 30 minutes of temp admin, and it works great, with one exception.
If the user is already an admin, the script strips admin rights after 30 minutes. Most likely this won't be a problem, as the script is only available when provisioned to a specific user (after request) via Self Service, but I'd like to figure out how to avoid it anyway in case the user doesn't know and the tech doesn't verify.
Essentially I'm hoping to have the script check for admin rights and only proceed with the temp grant if the user is not an admin.
PS I'm a total noob at scripting. Still scouring the internet for good resources, so apologies for my noobness :)
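The guard asked for above, as an added example that is not part of the thread and not code from MakeMeAnAdmin: it classifies the console user as admin, non-admin or unknown, and only a real non-admin user passes the "grant temporary admin" gate, so the later removal step can never strip rights from someone who already had them. The group-membership test takes the user name and group list as arguments so it can be exercised with constructed input on any machine; on a Mac, `main` feeds it the real values from `stat -f %Su /dev/console` and `id -Gn`. The path to the grant script in the comment is an assumption.

```bash
#!/bin/bash
# Added example: run the temp-admin grant only for a console user who is NOT already an admin.

# Return 0 if the space-separated group list contains the exact word "admin".
# Whole-word matching matters: a group such as "administrators" must not count.
groups_contain_admin() {
    local g
    for g in $1; do
        [ "$g" = "admin" ] && return 0
    done
    return 1
}

# Classify a user: prints "Yes", "No" or "Unknown" (no GUI user, or root at the login window).
# Arguments: user name, group list (what `id -Gn "$user"` prints on a Mac).
admin_status() {
    local user="$1" groups="$2"
    if [ -z "$user" ] || [ "$user" = "root" ]; then
        echo "Unknown"
        return 0
    fi
    if groups_contain_admin "$groups"; then
        echo "Yes"
    else
        echo "No"
    fi
}

# Gate for the temporary grant: true only for a real, non-admin user.
# "Unknown" is deliberately treated like "Yes" (do nothing) rather than like "No".
should_grant_temp_admin() {
    [ "$(admin_status "$1" "$2")" = "No" ]
}

# Entry point on the Mac itself; the Directory Services calls only exist on macOS.
main() {
    local user groups
    user=$(stat -f %Su /dev/console)
    groups=$(id -Gn "$user" 2>/dev/null)
    echo "Console user: ${user:-<none>}, admin: $(admin_status "$user" "$groups")"
    if should_grant_temp_admin "$user" "$groups"; then
        echo "Not an admin: continue with the grant and scheduled removal"
        # exec /path/to/MakeMeAnAdmin.sh   # assumed location of the grant script
    else
        echo "Already an admin or no console user: nothing to grant, nothing to strip later"
    fi
    return 0
}

# Only run the live check on macOS; elsewhere the functions are just defined.
if [ "$(uname)" = "Darwin" ]; then
    main "$@"
fi
```

In the Self Service policy, this block would sit at the top of the merged script, with the MakeMeAnAdmin grant and LaunchDaemon-based removal placed where the comment is; the "Unknown" result covers the case where the policy fires with nobody at the console, which is when the original EA also cannot tell who the user is.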