Issue with geekquixotic's MakeMeAnAdmin Script

CJohnson1788
New Contributor

Hello,

Before the release of Monterey, I was experimenting with krypted's MakeMeAnAdmin script. After the release of Monterey, I started noticing issues with the script, especially when executed on Apple Silicon Macs. Then, I discovered geekquixotic's MakeMeAnAdmin Script. The script seems to work very well for elevation and removal of privileges, but I'm having some trouble getting the logging and the group removal feature working. I'm hoping someone else uses this variation of MakeMeAnAdmin and can help me figure out what I might be doing wrong.

I've set Parameter 6 to an authorization request header that I generated using DebugBear's basic auth header generator. The Jamf Account I'm using currently has full admin privileges for testing purposes. If the username was Cowboy and the password was Mustang1234, the value I'm putting in Parameter 6 would be the following (not the actual username and password for obvious reasons):

Q293Ym95Ok11c3RhbmcxMjM0

One thing to note is that our JSS uses single sign-on with Azure, and the account I'm using is a standard, non-LDAP account.

I have Parameter 7 set to Y, and Parameter 8 is the name of the static group.

Any help would be greatly appreciated. Please let me know if I can provide more details on how I have the script or policy configured in JSS.

3 REPLIES

Tangentism
Contributor II

I see the script hasn't been updated for 4 years. Have you considered using the 'Privileges.app' instead?

CJohnson1788
New Contributor

Thank you for the suggestion. Privileges wouldn't be a good option in our case because admin access on all of our endpoints has to be approved by IT. For Windows devices, we use LAPS.

krypted's script is very old, and I suspect the author has moved on to bigger and better things. The one I'm using, geekquixotic's, was last updated 11 months ago. I also posted on the GitHub Issues page hoping to get the author's attention, but haven't had any luck yet. The script by geekquixotic would also handle logging and privilege removal better than the older script - at least in my case - but that's the part I sadly can't seem to get working.

CJohnson1788
New Contributor

A quick update: I was able to get the group removal portion of the script working. I created a new API user 'hash' using a different BASE64 encoder. I tested the script, and the machine was removed from the static group in JSS. The logging still doesn't appear to be working. I believe the log is supposed to be uploaded to the Attachments payload of the computer record, but nothing is being uploaded. The user account I'm specifying in the script still has full admin rights. I found a blog post on The Geeky Gordo and tried to verify that the script doesn't need any changes, but my lack of scripting experience has me pretty stumped. Any assistance would be humbly appreciated.
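
Added example, not part of the thread or of geekquixotic's script: a way to build the Parameter 6 value locally and check a candidate value for the encoding mistakes that differ between Base64 tools. The function names are hypothetical, and the checks assume the format shown in the first post (bare Base64 of `username:password`, no `Basic ` prefix).

```shell
# Added example; make_basic_hash and check_basic_hash are hypothetical helpers.
# Sample credentials in the usage below are the illustrative ones from the thread.

# Encode "user:password" with no trailing newline and no line wrapping.
make_basic_hash() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Print a one-word diagnosis for a candidate Parameter 6 value.
# Returns 0 only when the value decodes cleanly to "user:password".
check_basic_hash() {
    cbh_value=$1
    cbh_nl='
'
    case "$cbh_value" in
        "Basic "*) echo "has-prefix"; return 1 ;;          # header prefix pasted in
        ""|*[!A-Za-z0-9+/=]*) echo "not-base64"; return 1 ;;
    esac
    # The sentinel "x" stops command substitution from stripping a trailing newline.
    cbh_decoded=$(printf '%s' "$cbh_value" | base64 --decode 2>/dev/null; printf 'x')
    cbh_decoded=${cbh_decoded%x}
    # Re-encoding the decoded bytes must reproduce the input exactly.
    if [ "$(printf '%s' "$cbh_decoded" | base64 | tr -d '\n')" != "$cbh_value" ]; then
        echo "not-base64"; return 1
    fi
    case "$cbh_decoded" in
        *"$cbh_nl") echo "trailing-newline"; return 1 ;;   # e.g. encoded with echo
        *:*) echo "ok"; return 0 ;;
        *) echo "no-colon"; return 1 ;;                    # missing user:pass separator
    esac
}

# Usage with the sample credentials from the first post:
#   make_basic_hash Cowboy Mustang1234
#   check_basic_hash "Q293Ym95Ok11c3RhbmcxMjM0"
```

A value produced with `echo "user:pass" | base64` fails with `trailing-newline`, because the encoded password then ends in a line feed that the server treats as part of the password.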