Jamf Nation Community

This looks interesting. I will check it out. I really wanted to do this myself. When I get this working as intended, I will happily share it with others. This one feature is the last thing I wanted to add to my script before I make it live.

I would absolutely LOVE it if my company would get on board with Jamf Protect, but I don't get to make that decision. I really appreciate the suggestions. Everyone here has always been very generous with their time and their knowledge. One thing I tried was to run the command to show all of the admin users before the user is promoted to admin. I had the output written to a text file. After the user is demoted back to standard, the command would run again, and create a new text file. The script would look for differences between the two text files and output the result that could be used to demote any new user to standard. If no new users were created no action would be taken. I actually had a version of this working before I got interrupted by a meeting!!!! I'm pretty good with scripts but I like to try new things to improve my skills. This project will help me do that and give me a new script to use in Jamf Pro.

This is the current version of the script without the check for new admin users created. It has worked several times for me without issue.

#!/bin/zsh

# Timer setting
tempSeconds="$4"

# Who is the current logged in user?
currentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{print $3}')

# Jamf Helper path
jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"

# Check if the user is already an admin.
isAdmin=$(dseditgroup -o checkmember -m "$currentUser" admin | awk '{print $1}')
echo "Is "$currentUser" an admin? "$isAdmin"."
# If the user is already admin, display a message.
if [ "$isAdmin" = "yes" ]; then
echo "$currentUser is already an Admin"
	"$jamfHelper" -windowType utility \
	-windowPosition ur \
	-title "YOUR TITLE HERE" \
	-heading "You are already an admin user" \
	-alignHeading middle \
	-description "You are already an admin user. If you are experiencing trouble please contact support." \
	-alignDescription natural \
	-icon "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/UnlockedIcon.icns" \
	-iconSize 36 \
	-button1 "OK" \
	-defaultButton 1
else

# Elevating user to admin.
echo ""$currentUser" is not an admin user"
echo "Elevating "$currentUser" to admin"
/usr/sbin/dseditgroup -o edit -a "$currentUser" -t user admin

# Display a window showing how much time is left as an admin using Jamf Helper.	
echo "Displaying Jamf Helper window with timer."
	"$jamfHelper" -windowType utility \
		-windowPosition ur \
		-title "YOUR TITLE HERE" \
		-heading "Temporary Admin Rights Granted" \
		-alignHeading middle \
		-description "Please perform your required tasks. Admin rights will be removed when the timer below ends." \
		-alignDescription natural \
		-icon "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/UnlockedIcon.icns" \
		-iconSize 36 \
		-button1 "Done" \
		-defaultButton 1 \
		-timeout "$tempSeconds" \
		-countdown \
		-countdownPrompt "Admin rights will be removed in " \
		-alignCountdown center
		# Removing admin rights.
		echo "Timer has ran out. Removing admin rights and running recon"
		/usr/sbin/dseditgroup -o edit -d "$currentUser" -t user admin
		/usr/local/jamf/bin/jamf recon

fi

exit 0

Great idea! I have done that in the past actually. My only worry is that you can create users from Terminal.