Help

Extension Attritute: Checking for local user account level - not working

Go to solution
SV_JamfTech
New Contributor II

Posted on ‎02-20-2024 01:43 PM

Hello Jamf Community! 

I'm making an extension attribute that basically tracks if a local user is at the Standard level or Admin level. I've ran the script in 2 test macs in our environment where one Mac is a Standard account and the other is an Admin account. For whatever reason, the extension attribute will always resort to "Admin" as the result. I've tried several things to trouble shoot this. Here's what I've done. 

 

  • Originally the elif statement was an else statement 
  • I've switched the if statements where it would be != 'Yes', is_admin would be No. and vice versa. 
  • I've ensured these script worked by running the script in terminal for both test macs, and they should work. 

 

Not too sure what is going on and I'm thinking it's just my jamf environment now. Does anybody have suggestions on what might be going on? 

 

#!/bin/bash

result=''
# Get the current logged-in user
current_user=$(whoami)

# Check if the current user is an admin
is_admin=$(dseditgroup -o checkmember -m "$current_user" admin | awk '{print $1}')

# Print the user's role
if [[ "$is_admin" == "yes" ]]; then
	result="Admin"
elif [[ "$is_admin" == "no" ]]; then
	result="Standard"
fi

echo "<result>$result</result>"

 

0 Kudos
Reply
2 ACCEPTED SOLUTIONS

Go to solution
stevewood
Honored Contributor II
Honored Contributor II

Posted on ‎02-20-2024 02:13 PM

The jamf binary runs as root, so you are essentially checking if the root user is an admin. Instead of using 'whoami' to get the current user, you need to do it differently. This should work:

#!/bin/bash

current_user=$(echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ { print $3 }')

# Check if the current user is an admin
is_admin=$(dseditgroup -o checkmember -m "$current_user" admin | awk '{print $1}')

# Print the user's role
if [[ "$is_admin" == "yes" ]]; then
	result="Admin"
elif [[ "$is_admin" == "no" ]]; then
	result="Standard"
fi

echo "<result>$result</result>"

View solution in original post

Reply

Go to solution
AntMac
Contributor II

‎02-20-2024 02:36 PM - edited ‎02-20-2024 02:38 PM

Edit: sorry I had this in draft as I was doublechecking. Essentially the same as the other answer. 
Maybe changing the line to determine current logged on might work a little better? Seems to work fine in my environment with this changed but your mileage may vary. 

 

#!/bin/bash

result=''
# Get the current logged-in user
current_user=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')

# Check if the current user is an admin
is_admin=$(dseditgroup -o checkmember -m "$current_user" admin | awk '{print $1}')

# Print the user's role
if [[ "$is_admin" == "yes" ]]; then
	result="Admin"
elif [[ "$is_admin" == "no" ]]; then
	result="Standard"
fi

echo "<result>$result</result>"

 

 

View solution in original post

Reply
3 REPLIES 3

Go to solution
stevewood
Honored Contributor II
Honored Contributor II

Posted on ‎02-20-2024 02:13 PM

The jamf binary runs as root, so you are essentially checking if the root user is an admin. Instead of using 'whoami' to get the current user, you need to do it differently. This should work:

#!/bin/bash

current_user=$(echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ { print $3 }')

# Check if the current user is an admin
is_admin=$(dseditgroup -o checkmember -m "$current_user" admin | awk '{print $1}')

# Print the user's role
if [[ "$is_admin" == "yes" ]]; then
	result="Admin"
elif [[ "$is_admin" == "no" ]]; then
	result="Standard"
fi

echo "<result>$result</result>"
Reply

Go to solution
AntMac
Contributor II

‎02-20-2024 02:36 PM - edited ‎02-20-2024 02:38 PM

Edit: sorry I had this in draft as I was doublechecking. Essentially the same as the other answer. 
Maybe changing the line to determine current logged on might work a little better? Seems to work fine in my environment with this changed but your mileage may vary. 

 

#!/bin/bash

result=''
# Get the current logged-in user
current_user=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')

# Check if the current user is an admin
is_admin=$(dseditgroup -o checkmember -m "$current_user" admin | awk '{print $1}')

# Print the user's role
if [[ "$is_admin" == "yes" ]]; then
	result="Admin"
elif [[ "$is_admin" == "no" ]]; then
	result="Standard"
fi

echo "<result>$result</result>"

 

 

Reply

Go to solution
SV_JamfTech
New Contributor II

Posted on ‎02-20-2024 03:32 PM

Looks like both recommendations seem to have fixed the issue! Thank you @stevewood and @AntMac !!

0 Kudos
Reply