Jamf Nation Community

sara_mccullar · ‎01-30-2023

I am looking to see if there is anything like the Make Me an Admin script that will work in macOS Ventura. The current script does not work in Ventura. I don't get any report of errors just doesn't make the account an admin account.

I do know about Privileges. I wanted something I can control the time the account is an admin. I only want to allow the accounts be admin for 30 minutes.

sdagley · ‎01-30-2023

@sara_mccullar I don't have a recommendation to replace Make Me an Admin, but PrivilegesDemoter is a companion tool for Privileges you might want to check out. It is intended to prevent/discourage users from retaining admin rights longer than necessary.

Utilizator · ‎01-31-2023

We use Privileges, works well:

https://github.com/SAP/macOS-enterprise-privileges

bwoods · ‎01-31-2023

@sara_mccullar You can try this. It's really dumb though. Just put it in Self Service.

#!/bin/bash

# Make Me Admin
# Brandon Woods
# January 2023
# A really dumb version of "Make Me Admin" written in 7 mintues. Whavever, it works, I guess.

# Determine Current User
currentUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )


# Promote user to admin
sudo dseditgroup -o edit -a "$currentUser" -t user admin

# Sleep for 30 minutes (I think that's 30 minutes in seconds, whatever)
sleep 1800

# Demote user to standard
sudo dseditgroup -o edit -d "$currentUser" -t user admin

exit 0		## Success
exit 1		## Failure

bcrockett · ‎01-31-2023

@sara_mccullar what is the goal of the admin role?

If your goal is to automate the updates of macOS computers with standard user accounts in your fleet to Ventura (or from macOS 13.0 - 13.2) by making them admins for 30min then there are better ways to do this IMO.

My recommendation is to use a combination of tools;

1. Nudge

a. Link to the film which shows my configuration

2. erase-install

b. Link to film which shows my configuration for this tool

c. Link to a film that shows how I combine these configurations.

Hope that helps!

sara_mccullar · ‎01-31-2023

We have some users who need admin rights periodically for the work they are doing. It's not for software updates. We want to be able to get all our users to have a standard account. Those that need to be able to be admin accounts can have that access through a self service option or app.

Utilizator · ‎02-01-2023

Have you looked at Privileges?

https://github.com/SAP/macOS-enterprise-privileges

sara_mccullar · ‎02-01-2023

Yes, I just need it to revoke the admin rights after a certain amount of time without user interaction.

bcrockett · ‎02-01-2023

Got it. My proposed solution is not going to work for you.

@Utilizator s solution is more appropriate.

https://github.com/SAP/macOS-enterprise-privileges

Best of luck!

sara_mccullar · ‎02-01-2023

So here is the thing with Privileges, yes it allows the user to become an admin. I can only get the time limit to set if I use the toggle feature when you right click on the dock icon. Now most of our users are not going to do that. They will just click the dock icon and hit request privileges. I do believe that after maybe 48 hours (honestly wasn't keeping track for that long period) it did revert the user account back to a standard account.

Now I know there is the Privileges Demoter. All that does is give a pop up reminder to extend or remove the admin privilege. We have had people who could ignore the old nudge (pre big sur) and never run the updates.. Those people are most likely not going to be ones needing admin rights, but I want something that will take away those rights in 30 minutes.

So unless someone knows how to get the privileges dock icon to open to toggle which activates the timer, it's not going to work for me.

pkleiber · ‎02-02-2023

Hi @sara_mccullar this one is a paid solution. Maybe this is interesting to you:
https://www.adminbyrequest.com/
https://www.adminbyrequest.com/docs/Mac-Client

Jamf Nation Community

Make Me an Admin for macOS Ventura