Posted on 09-16-2020 04:49 AM
Hi,
I'm having some strange issues with launch daemons/agents and need some help.
I have a script which is to be run by a launch agent/daemon but the results are mixed.
The script should do the following:
- Compares a date in a file with today's date
- If the dates match or today's date is greater, then it removes local admin from the user
- Jamf notify pops up and tells the user this has happened
- log files are removed and the launch daemon/agent is removed
- finish
Running the script from a launch agent does the following:
- Compares the dates
- Does not remove admin rights
- Jamf notify tells the user that admin rights have been removed
- Doesn't clean up any files
Running the script from a launch Daemon it does the following:
- Compares the dates
- Removes local admin rights from the user
- Does not run Jamf notify to tell the user
- Does not clean up any files
The script works perfectly if run from Terminal or run from a Jamf policy.
What am I missing? I don't mind running this from Jamf as a check-in policy, but it means the user's device has to check in to have the local admin rights removed.
Posted on 09-16-2020 06:38 AM
LaunchAgents run the script as the logged-in user account, with that account's associated rights.
LaunchDaemons run the script as root.
Looking at your description, removing the admin rights is something that root would have to do.
Running as a LaunchDaemon, it isn't supposed to interact with the GUI, if I recall right. Which would explain the Notify bit not working.
Just prior to clean up, do you stop the Agent/Daemon from running, and then delete the files? At this point the script should be loaded in RAM and will complete. I have had issues in the past and binning running Daemons was problematic.
Hope this helps
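Putting the two replies together, the script has to run as root (so a LaunchDaemon), hand its one GUI step to the console user's session, and tear down its own daemon only as the very last thing it does. Below is an added example of such a script, not the original poster's script and not Jamf's code. It assumes the expiry date lives in /var/db/admin_expiry.txt as a single YYYY-MM-DD line, that the daemon's label is com.example.revokeadmin, that "Jamf notify" means jamfHelper at its standard path, and that the LaunchDaemon's ProgramArguments pass `--run` as the first argument (so that sourcing the file only defines the functions); all of these are assumptions.

```shell
#!/bin/bash
# revoke_admin.sh: run from a LaunchDaemon (as root) so dseditgroup has the
# rights it needs. The only GUI step (jamfHelper) is launched inside the
# console user's session via launchctl asuser, which a daemon cannot do itself.
# File paths, the launchd label and the date-file format are assumptions.
set -u

EXPIRY_FILE="${EXPIRY_FILE:-/var/db/admin_expiry.txt}"   # assumed: one line, YYYY-MM-DD
DAEMON_LABEL="com.example.revokeadmin"                     # assumed launchd label
DAEMON_PLIST="/Library/LaunchDaemons/${DAEMON_LABEL}.plist"
LOG_FILE="${LOG_FILE:-/var/log/revokeadmin.log}"
JAMF_HELPER="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"

# admin_expired EXPIRY TODAY -> 0 when TODAY is the expiry date or later,
# 1 when admin is still valid, 2 when either date is malformed.
# ISO dates compare correctly as integers once the dashes are stripped, so
# no locale- or timezone-sensitive date(1) parsing is needed.
admin_expired() {
  local expiry="$1" today="$2" re='^[0-9]{4}-[0-9]{2}-[0-9]{2}$'
  [[ "$expiry" =~ $re && "$today" =~ $re ]] || return 2
  [ "${today//-/}" -ge "${expiry//-/}" ]
}

# read_expiry FILE -> prints the first non-blank line of FILE with whitespace
# removed; returns 1 when the file is missing or unreadable.
read_expiry() {
  local line
  [ -r "$1" ] || return 1
  line=$(sed -n '/[^[:space:]]/{p;q;}' "$1")
  printf '%s\n' "${line//[[:space:]]/}"
}

# console_user -> prints the user who owns the GUI console, or returns 1
# when nobody is logged in (root/loginwindow own /dev/console then).
console_user() {
  local u
  u=$(stat -f '%Su' /dev/console 2>/dev/null)
  case "$u" in ""|root|loginwindow) return 1 ;; esac
  printf '%s\n' "$u"
}

# revoke_admin USER -> remove USER from the local admin group (needs root).
revoke_admin() {
  dseditgroup -o edit -d "$1" -t user admin
}

# notify USER MESSAGE -> show a jamfHelper dialog inside USER's login session.
notify() {
  local uid
  uid=$(id -u "$1") || return 1
  launchctl asuser "$uid" sudo -u "$1" "$JAMF_HELPER" -windowType utility \
    -title "Admin rights expired" -description "$2" -button1 "OK" -defaultButton 1
}

main() {
  local today expiry user rc=0
  today=$(date +%Y-%m-%d)
  expiry=$(read_expiry "$EXPIRY_FILE") || { echo "$today no expiry file" >>"$LOG_FILE"; exit 0; }
  admin_expired "$expiry" "$today" || rc=$?
  case "$rc" in
    1) exit 0 ;;                                   # not yet; launchd runs us again later
    2) echo "$today bad date in $EXPIRY_FILE: $expiry" >>"$LOG_FILE"; exit 1 ;;
  esac
  user=$(console_user) || exit 0                   # nobody at the console: retry next run
  revoke_admin "$user" || { echo "$today dseditgroup failed for $user" >>"$LOG_FILE"; exit 1; }
  notify "$user" "Your temporary administrator rights expired on $expiry and have been removed."
  # Cleanup: delete our own files first; this script is already loaded and
  # keeps running. Booting out the daemon kills this process, so it is the
  # very last command (on 10.10 or earlier use 'launchctl remove' instead).
  rm -f "$EXPIRY_FILE" "$LOG_FILE" "$DAEMON_PLIST"
  launchctl bootout "system/$DAEMON_LABEL"
}

# Only act when launchd (or an admin) passes --run; plain sourcing just
# defines the functions above.
case "${1:-}" in --run) main ;; esac
```

The LaunchDaemon plist would list `/bin/bash`, the script path and `--run` under ProgramArguments with a StartCalendarInterval or StartInterval; because the script re-checks the date itself, firing it more often than needed is harmless.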
Posted on 09-16-2020 08:07 PM
Have you looked at Privileges.app?
Posted on 09-17-2020 01:44 AM
@PaulHazelden Thanks for this, that kinda makes sense and confirms what I thought was happening. I guess I will leave the revoke part as a Jamf check in policy as it works perfectly that way.
@tlarkin That's a cool app, will defo give it a test run. Only issue I see is that users will give themselves admin rights and then there's no way to force it off. Currently our users get a run-once Self Service app, then once it's run out they need to request it from security again.
Posted on 09-17-2020 08:32 AM
If you give any user admin, there is nothing stopping them from just unloading your launch daemons and removing them and then keeping local admin, or just running a sudo jamf removeframework as well. At some point you might have to trust your users to do the right thing, then audit them when they don't.