Grant users within AD group sudo access

Honored Contributor

By and large all users get admin access to our Macs when the device is deployed to them. I am trying to sort out a way to give our IT staff admin access without having to use JAMF shenanigans whenever they need to do something with a Mac. We have a Mac_Workstations_Administrators group that has admin access in directory utility that works fine for the GUI. I am wondering if that same group can be given SUDO Access for CLI stuff. Anyone have any musings in this area they could share?

If I can get sudo sorted out I plan on trying to tackle SSH access the same way. Giving Mac_Workstations_Administrators SSH access and hopefully that is inherited by the users in the group. One step at a time :)

In our environment our Macs are domain bound and we use mobile accounts, this will not change anytime soon as it's a security policy.


Contributor III

Been a while, but I seem to remember that sudo would work for those that had admin via the Directory Utility admins addition. With the caveat that you had to be able to reach AD at the time of authentication. So it wouldn't apply if the user was remote.

Honored Contributor

I am sure some of what I am seeing is macOS not being happy with mobile accounts, this entire function of macOS is under developed. Looks like I need to add the AD group to /etc/sudoers, or better yet /etc/sudoers.d so it survives system upgrades and is not directly messing with such a critical file. Still sorting things out, I will share if I run across anything really useful or crack this egg.
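The /etc/sudoers.d approach mentioned above, as an added example that is not from any poster in this thread: the script builds a drop-in rule granting an AD group full sudo, writes it with the 0440 mode sudo requires, and validates it with `visudo -c` before installing so a syntax error cannot lock sudo out. It assumes the directory-service group is visible to sudo as `DOMAIN\group` (the AD plugin's default naming), that `/etc/sudoers` still carries its stock `#includedir /private/etc/sudoers.d` line, and that `EXAMPLE` stands in for your real AD domain; the function and file names are my own choices.

```sh
#!/bin/sh
# Added example: create a sudoers.d drop-in for an AD group on macOS.
# AD_DOMAIN below is a placeholder; the group name is the one from the thread.

# Emit one sudoers rule line for a directory-service group.
# sudoers wants the domain separator written as "\\" and spaces as "\ ".
sudoers_rule_for_group() {
    domain="$1"
    group="$2"
    esc_group=$(printf '%s' "$group" | sed 's/ /\\ /g')
    printf '%%%s\\\\%s ALL=(ALL) ALL\n' "$domain" "$esc_group"
}

# Write the rule to a drop-in file with the ownership and mode sudo insists on.
# Third argument overrides the target path (used for dry runs and tests).
# Filenames in sudoers.d must not contain "." or end in "~" or they are ignored.
install_sudoers_dropin() {
    domain="$1"
    group="$2"
    target="${3:-/private/etc/sudoers.d/ad_admins}"
    tmp=$(mktemp) || return 1
    sudoers_rule_for_group "$domain" "$group" > "$tmp"
    chmod 0440 "$tmp"
    # visudo -c also checks owner/mode, so only run it when we are root
    # (the real install under /private/etc needs root anyway).
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        chown root:wheel "$tmp" 2>/dev/null || chown 0:0 "$tmp"
        if ! visudo -cf "$tmp" >/dev/null; then
            rm -f "$tmp"
            return 1
        fi
    fi
    mv "$tmp" "$target"
}

# Stand-alone run: write the rule to a dry-run file and show it.
# Re-run with a real target as root, e.g.:
#   sudo ./script.sh   (after changing DRY_RUN_TARGET to the default path)
AD_DOMAIN="EXAMPLE"
DRY_RUN_TARGET="${TMPDIR:-/tmp}/ad_admins.dryrun"
install_sudoers_dropin "$AD_DOMAIN" "Mac_Workstations_Administrators" "$DRY_RUN_TARGET" \
    && cat "$DRY_RUN_TARGET"
```

After installing the drop-in, a member of the group can confirm the rule took effect with `sudo -l`, which lists the commands sudo will allow for the current user; if the group does not show up there, the directory lookup (not the sudoers syntax) is the thing to debug next.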

New Contributor II

@AJPinto Any luck on figuring this out? Prior to upgrading to Big Sur we were able to use the Directory Utility to define AD groups that should have admin privileges. This allowed users in these groups to be admins in the GUI as well as allowed them to sudo. Now, users still have admin privileges in the GUI but cannot sudo. We have used dscl to confirm that the groups have admin privileges and the users have admin privileges. We can manually add a user to the sudoers file which allows them to use sudo.