Jamf Nation Community

We use Privileges, works well:

https://github.com/SAP/macOS-enterprise-privileges

@sara_mccullar  You can try this. It's really dumb though. Just put it in Self Service.

#!/bin/bash

# Make Me Admin
# Brandon Woods
# January 2023
# A really dumb version of "Make Me Admin" written in 7 mintues. Whavever, it works, I guess.

# Determine Current User
currentUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )


# Promote user to admin
sudo dseditgroup -o edit -a "$currentUser" -t user admin

# Sleep for 30 minutes (I think that's 30 minutes in seconds, whatever)
sleep 1800

# Demote user to standard
sudo dseditgroup -o edit -d "$currentUser" -t user admin

exit 0		## Success
exit 1		## Failure

@sara_mccullar what is the goal of the admin role? 

If your goal is to automate the updates of macOS computers with standard user accounts in your fleet to Ventura (or from macOS 13.0 - 13.2) by making them admins for 30min then there are better ways to do this IMO. 

My recommendation is to use a combination of tools;

1. Nudge

a. Link to the film which shows my configuration 

2. erase-install

b. Link to film which shows my configuration for this tool

c. Link to a film that shows how I combine these configurations. 

Hope that helps! 

So here is the thing with Privileges, yes it allows the user to become an admin. I can only get the time limit to set if I use the toggle feature when you right click on the dock icon.  Now most of our users are not going to do that. They will just click the dock icon and hit request privileges. I do believe that after maybe 48 hours (honestly wasn't keeping track for that long period) it did revert the user account back to a standard account.  

Now I know there is the Privileges Demoter. All that does is give a pop up reminder to extend or remove the admin privilege.  We have had people who could ignore the old nudge (pre big sur) and never run the updates.. Those people are most likely not going to be ones needing admin rights, but I want something that will take away those rights in 30 minutes.

So unless someone knows how to get the privileges dock icon to open to toggle which activates the timer, it's not going to work for me.

I'm a bit late to this party, but I'm looking to do exactly the same thing (with making the default time 15 minutes instead of 30).

Looking at Privileges, it does seem to come with a CLI, where you can run commands as a standard user to add or remove elevation. I think in theory you could create a LaunchAgent that runs every 30 minutes that will run the CLI option to remove the admin rights (scroll down to "How do I use Privileges.app in a script or from the command line?") :

https://github.com/SAP/macOS-enterprise-privileges/wiki/Frequently-Asked-Questions#how-do-i-use-priv...

The specific command to remove the admin permissions for the currently logged in user:

/Applications/Privileges.app/Contents/Resources/PrivilegesCLI --remove

 I'll be giving this a try and will let you know how it goes.

Hi @rcoleman check out the blog post from Rich Trouton regarding the behavior:

https://derflounder.wordpress.com/2022/07/22/privileges-app-and-time-limited-admin/
And the demoter github project:
https://github.com/sgmills/PrivilegesDemoter

Hope this helps :)

Many thanks @pkleiber. I had already seen these posts. Problem with Demotor is that it 'requests' if you want to remove the rights. I don't want to give the users that option, I just want to remove them :)

I've created a LaunchDaemon which on the face of it appears to work. I've had to use a LaunchDaemon over an agent for a few reasons, but mainly so that I can run the script as root to obtain the following:

• Interrogating the syslog so that I can obtain the last time the permissions were elevated for the current user.
• Removing the permissions even if no one is logged in.

One issue is that the Privileges CLI only works when run under a user context, so I've had to use 'sudo -u' when wanting to run these commands to run as another user.

I've not tested this thoroughly, but it appears to work. For my own settings, I've set the Daemon to run every 3 minutes, so it has the potential to go over the 15 minutes which we want to adhere to, but that's not a big issue. The Daemon runs the script below. Obviously, Privileges needs to already be installed:

#!/bin/bash

# Function for creating timestamp for logging purposes
timestamp() {
	while read -r line
	do
        time_stamp=$(date)
        /bin/echo "[$time_stamp] $line"
	done
}

########## JUST EDIT THESE VALUES ##################
###########################################################
# The allowed time in seconds - used for working out the time difference
ALLOWED_TIME_SECONDS=900
# The allowed time in minutes - used for better readability within the output / log
ALLOWED_TIME_MINUTES=$((ALLOWED_TIME_SECONDS/60))
# Location of custom log
LOGFILE="/Library/Logs/privileges-daemon.log"
###########################################################

# Check to see if log exists. If so then delete as we only require a log of the last run
if [ -f "$LOGFILE" ]
then
    rm -f "$LOGFILE"
fi

# See if we have a user logged in
CURRENT_USER=$(echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ && ! /loginwindow/ { print $3 }')

# If no user logged in, then see who the last logged in user was and set this to the current user
if [ -z "$CURRENT_USER" ]; then
	/bin/echo "No user currently logged in. Getting last logged in user..." | timestamp 2>&1 | tee -a "$LOGFILE"
	# Get the last logged in username
	CURRENT_USER=$(last grep console | cut -d " " -f1 | head -n 1)
	/bin/echo "Last logged in user was $CURRENT_USER" | timestamp 2>&1 | tee -a "$LOGFILE"
else
	/bin/echo "$CURRENT_USER is currently logged in." | timestamp 2>&1 | tee -a "$LOGFILE"
fi

# Make sure Privileges is installed
PRIVILEGES_CLI="/Applications/Privileges.app/Contents/Resources/PrivilegesCLI"
if [ ! -f "$PRIVILEGES_CLI" ]; then
    /bin/echo 'Privileges does not appear to be installed! Quitting script.' | timestamp 2>&1 | tee -a "$LOGFILE"
	exit 1;
fi

# Get the currently logged in users account status. Need to re-direct all output in order to capture
STATUS=$(sudo -u "$CURRENT_USER" "$PRIVILEGES_CLI" --status 2>&1)

if [[ "$STATUS" == *"standard"* ]]; then
	/bin/echo "$CURRENT_USER does not appear to be an admin. Quitting script." | timestamp 2>&1 | tee -a "$LOGFILE"
	exit 0;
elif [[ "$STATUS" == *"admin"* ]]; then
	/bin/echo "$CURRENT_USER appears to be an admin." | timestamp 2>&1 | tee -a "$LOGFILE"
	# Get the last time the 'current user' elevated their permissions
	LAST_ADMIN_ENTRY=$(log show --style syslog --predicate 'process == "corp.sap.privileges.helper" && eventMessage CONTAINS "SAPCorp"' | grep "$CURRENT_USER" | grep admin | tail -n 1 | cut -d. -f1)
	# If it's null then there's been an issue with reading the log file, or since script has begun executing admin privileges may have been revoked. Just quit.
	if [ -z "$LAST_ADMIN_ENTRY" ]; then
		/bin/echo "Cannot obtain time stamp from the last time permissions were elevated. It's possible that user permissions have reverted to 'standard' since this script started executing. Please manually check permissions. Quitting."
		exit 1;
	else
		# Get current date and time
		NOW_EPOCH=$(date -j -f "%Y-%m-%d %H:%M:%S" "$(date +"%Y-%m-%d %H:%M:%S")" +"%s")
		# Convert the last executed time to epoch
		LAST_ADMIN_ENTRY_EPOCH=$(date -j -f "%Y-%m-%d %H:%M:%S" "$LAST_ADMIN_ENTRY" +%s)
		# Get the difference in the time
		DIFFERENCE_IN_SECONDS=$((NOW_EPOCH-LAST_ADMIN_ENTRY_EPOCH))
		# For log readability, convert difference to minutes
		DIFFERENCE_IN_MINUTES=$((DIFFERENCE_IN_SECONDS/60))
		# If it's longer than the allowed time then remove the rights
		if [ "$DIFFERENCE_IN_SECONDS" -gt "$ALLOWED_TIME_SECONDS" ]; then
			/bin/echo "$CURRENT_USER has been an admin for over $ALLOWED_TIME_MINUTES minutes. Amount of time since activated - $DIFFERENCE_IN_MINUTES minutes. Removing permissions..." | timestamp 2>&1 | tee -a "$LOGFILE"
			sudo -u "$CURRENT_USER" "$PRIVILEGES_CLI" --remove
			# Get the status again so we can make sure permissions have been removed
			STATUS=$(sudo -u "$CURRENT_USER" "$PRIVILEGES_CLI" --status 2>&1)
			if [[ "$STATUS" == *"standard"* ]]; then
				/bin/echo "$CURRENT_USER successfully set to standard permissions." | timestamp 2>&1 | tee -a "$LOGFILE"
				exit 0;
			else
				/bin/echo "There has been an issue revoking admin permissions for $CURRENT_USER. Please manually check to make sure permissions have been revoked." | timestamp 2>&1 | tee -a "$LOGFILE"
				exit 1;
			fi
		else
			/bin/echo "Permissions have been elevated but still within the 15 minute window. Amount of time since activated - $DIFFERENCE_IN_MINUTES minutes. Quitting script." | timestamp 2>&1 | tee -a "$LOGFILE"
			exit 0;
		fi
	fi	
else
	/bin/echo "There has been a problem obtaining the status of $CURRENT_USER's account. No changes have occurred."  | timestamp 2>&1 | tee -a "$LOGFILE"
	exit 1;
fi