Posted on 07-26-2023 08:37 AM - last edited on 09-07-2023 07:23 AM by JoeyD
I am in the process of writing a new "make me an admin" script. I know there are others that are available but I wanted to do this myself. Yesterday, I got a version of the script working. It promotes the user to admin, then launches Jamf Helper with a countdown. When the countdown is finished, it reverts the user back to a standard account. That part works perfectly. The next step is to add a function to check if the user is already an admin user. That's where I'm having trouble. If I run this part of the script through CodeRunner, it displays the Jamf Helper with a "Done" button. Obviously, the variables defined are working. My Jamf Helper syntax is correct. The if statement that contains the Jamf Helper configuration works. What will be added later is an "else" to elevate the standard user to admin, then launch Jamf Helper with a countdown. When I have these two steps working, I will go back and add in the ability to demote any additional admin accounts that the user may have added while elevated to an admin user. Jamf Pro keeps reporting an issue on line 20, which is the line where the script checks if the user is an admin user:
if [ "$isAdmin" == "yes" ]; then
It shows "not found". My assumption was that the variable "isAdmin" was not correctly defined. If that was so, then why does CodeRunner run this line without an issue? I am testing in CodeRunner while logged in as an admin user, so what happens is that I see the Jamf Helper window appear telling me that I am already an admin. Only when I test this script in Jamf Pro using a Self Service policy that runs the script do I see this error. I'm including a screenshot. I am only running this portion of the script. The user account on the test Mac is a standard user account. Therefore, the Jamf Helper window should not appear. I added an else to echo that the user is a standard user so I would see that in the Jamf policy log if the script worked. What am I doing wrong that CodeRunner isn't picking up? CodeRunner always finds my syntax errors. Here's the portion of my script that I am testing with.
#!/bin/zsh
# Timer setting
tempSeconds=60
# Who is the current logged in user?
currentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{print $3}')
# List current admin users
adminMembers=($(dscacheutil -q group -a name admin | grep -e '^users:' | sed -e 's/users: //' -e 's/ $//'))
#Jamf Helper path
jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
# Check if the user is already an admin.
isAdmin=$(dseditgroup -o checkmember -m $currentUser admin | awk '{print $1}')
echo $isAdmin
# If the user is already admin, display a message.
if [ "$isAdmin" == "yes" ]; then
echo "$currentUser is already an Admin"
"$jamfHelper" -windowType utility \
-windowPosition ur \
-title "Your company name here" \
-heading "You are already an admin user" \
-alignHeading middle \
-description "You are already an admin user. If you are experiencing trouble please contact support." \
-alignDescription natural \
-icon "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/UnlockedIcon.icns" \
-iconSize 36 \
-button1 "Done" \
-defaultButton 1
else
echo "User is a standard user."
fi
Posted on 07-26-2023 08:41 AM
It's a zsh script, so it should be
if [ "$isAdmin" = "yes" ]; then
Only a single = mark, not a double. Bash uses double, but zsh does not when talking about tests like that. It's one of the things I needed to adjust myself when I began to switch over to Z Shell scripts.
Posted on 07-26-2023 09:25 AM
THANK YOU!!!!
This was driving me nucking futs! I need to look up all of the other things that I may need to change if I use zsh in scripts. I tested the script just now with the change you suggested and Jamf Pro reports exactly as it should have. I use "echo" statements a lot to help track if all of the steps of a script are completing. I will continue on with my progress getting this script written and share it once I have it working fully.
Posted on 07-26-2023 11:09 AM
Here's the full script. This works perfectly now. I like to add recon to the end of some of my scripts and I chose to do that in this one. Later, I will add a check for new admin accounts that the user may have created while they were an admin so that these new admin accounts can be demoted to standard or deleted. I have tested this over and over again and it works every time. Use parameter 4 to define the time in seconds that the user will have as an admin.
#!/bin/zsh
# Timer setting
tempSeconds="$4"
# Who is the current logged in user?
currentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{print $3}')
# Jamf Helper path
jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
# Check if the user is already an admin.
isAdmin=$(dseditgroup -o checkmember -m "$currentUser" admin | awk '{print $1}')
echo "Is $currentUser an admin? $isAdmin."
# If the user is already admin, display a message.
if [ "$isAdmin" = "yes" ]; then
echo "$currentUser is already an Admin"
"$jamfHelper" -windowType utility \
-windowPosition ur \
-title "YOUR TITLE HERE" \
-heading "You are already an admin user" \
-alignHeading middle \
-description "You are already an admin user. If you are experiencing trouble please contact support." \
-alignDescription natural \
-icon "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/UnlockedIcon.icns" \
-iconSize 36 \
-button1 "OK" \
-defaultButton 1
else
# Elevating user to admin.
echo "$currentUser is not an admin user"
echo "Elevating $currentUser to admin"
/usr/sbin/dseditgroup -o edit -a "$currentUser" -t user admin
# Display a window showing how much time is left as an admin using Jamf Helper.
echo "Displaying Jamf Helper window with timer."
"$jamfHelper" -windowType utility \
-windowPosition ur \
-title "YOUR TITLE HERE" \
-heading "Temporary Admin Rights Granted" \
-alignHeading middle \
-description "Please perform your required tasks. Admin rights will be removed when the timer below ends." \
-alignDescription natural \
-icon "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/UnlockedIcon.icns" \
-iconSize 36 \
-button1 "Done" \
-defaultButton 1 \
-timeout "$tempSeconds" \
-countdown \
-countdownPrompt "Admin rights will be removed in " \
-alignCountdown center
# Removing admin rights.
echo "Timer has ran out. Removing admin rights and running recon"
/usr/sbin/dseditgroup -o edit -d "$currentUser" -t user admin
/usr/local/jamf/bin/jamf recon
fi
exit 0
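An added example, not part of the original posts: guards that could run before the `dseditgroup -o edit -a` step, so an empty or non-numeric parameter 4, or a console user of `root` (the owner of `/dev/console` when nobody is logged in), never reaches the elevation. The function names, the `MAX_SECONDS` ceiling and the rule that rejects underscore-prefixed accounts are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: guards to run before the dseditgroup elevation step.
# Function names and MAX_SECONDS are assumptions, not from the thread.
# Portable syntax, so the functions can also be pasted into a zsh script.

MAX_SECONDS=3600   # assumed ceiling for a temporary admin grant

# Succeeds only if $1 is a whole number between 1 and MAX_SECONDS.
valid_seconds() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty (parameter 4 not set) or non-digit
    esac
    [ "${#1}" -le 6 ] || return 1  # reject absurdly long digit strings
    [ "$1" -ge 1 ] && [ "$1" -le "$MAX_SECONDS" ]
}

# Succeeds only if $1 looks like a real console user worth elevating.
eligible_user() {
    case "$1" in
        ''|root|_*) return 1 ;;            # no user, root, or a system account
        *[!A-Za-z0-9._-]*) return 1 ;;     # unexpected characters
    esac
    return 0
}

# Prints the decision; changes nothing itself.
# $1 = console user, $2 = seconds (parameter 4), $3 = checkmember result
plan_elevation() {
    eligible_user "$1" || { echo "refuse: bad user"; return 1; }
    valid_seconds "$2" || { echo "refuse: bad timer"; return 1; }
    if [ "$3" = "yes" ]; then      # single =, as in the accepted answer
        echo "already-admin"
    else
        echo "elevate"
    fi
}

# Constructed sample call (values are made up): prints "elevate"
plan_elevation "alice" "60" "no"
```

In the full script, `plan_elevation "$currentUser" "$tempSeconds" "$isAdmin"` would be called right after the `checkmember` line, with the script exiting non-zero on any `refuse:` result.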