Posted on 02-02-2022 10:42 AM
I am using the Make Me an Admin : https://github.com/jamf/MakeMeAnAdmin
I have 3 questions/concerns:
• It is not reliably creating a log?
• Is there a way to get the log to me or at least a notification that the policy was run?
• Is there a way to block them from creating additional admin accounts while they are an admin?
Thanks!
Posted on 02-02-2022 11:31 AM
Hello @user-voiZiJyJvM
We have been using https://github.com/kc9wwh/MakeMeAdminPy
This is the Python version and has ways to create logs. It also has a way, if they create an admin account, to strip the admin rights and notify you that they did. We have had some success with this one. Just be aware that Python will not be standard in the upcoming Monterey version.
Posted on 02-02-2022 12:27 PM
That looks great, I will have to test it out after installing Python, as all of our new Macs will be on Monterey. Maybe I need to read further into it, but how does one go about getting the log off of the user's computer? Do you use a method other than in person, or maybe you don't look at logs beyond the device reporting if additional admins were created? Now that I type this, there probably isn't any other info I would need? Is there anything you like to check?
Posted on 02-02-2022 12:34 PM
So our info sec team didn't really care what they did on their machine, but cared more if they created additional admin accounts and if they changed the local admin password, which this also takes care of. If they mess up their machine, they are aware that we won't troubleshoot it and will re-provision them. This does run as a policy and will log in Jamf how many times they run this, if that helps. You may be able to change the Python scripts to add a log file for you, but that is beyond me lol.
Posted on 02-03-2022 09:59 AM
I have it updating permissions but I am getting an error checking the Org user password. It seems like it is not able to decrypt. Perhaps I am missing something on the device? From what I am reading I might need to update OpenSSL? Have you run into this error/any thoughts?
Script result: bad decrypt
4746327724:error:06FFF064:digital envelope routines:CRYPTO_internal:bad decrypt:/System/Volumes/Data/SWE/macOS/BuildRoots/5b2e67f8af/Library/Caches/com.apple.xbs/Sources/libressl/libressl-75.60.3/libressl-2.8/crypto/evp/evp_enc.c:521:
<dscl_cmd> DS Error: -14090 (eDSAuthFailed)
Authentication for node /Local/Default failed. (-14090, eDSAuthFailed)
Permission denied.
Please enter user's old password:<dscl_cmd> DS Error: -14090 (eDSAuthFailed)
passwd: DS error: eDSAuthFailed
Posted on 02-02-2022 12:48 PM
Makes sense. I think them not being able to make an admin account is going to be enough for me too!
Posted on 03-03-2022 05:07 PM
I've been trying to get this to work with little to no success and work with macAdmins Python. We get a few errors and have been trying to patch it up, but it seems to worsen.
Script result: Creating LaunchDaemon...
Traceback (most recent call last):
File "/Library/Application Support/JAMF/tmp/macOS - Grant Temp Admin", line 93, in <module>
plistlib.writePlist (launchDaemon, '/Library/LaunchDaemons/' + launchdFile)
AttributeError: module 'plistlib' has no attribute 'writePlist'
We're getting this latest error, but we can't figure out what's causing the issue.
Posted on 03-04-2022 06:23 AM
@daniel_ross If you are using Python 3, plistlib.writePlist has been deprecated: https://documentation.help/Python-3.7/plistlib.html. We made a custom framework for Python 2 temporarily to have it working while we wait for it to be ready for Python 3.
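The same LaunchDaemon written with the current plistlib API, as an added example that is not code from this thread or from MakeMeAdminPy: plistlib.writePlist() was deprecated in Python 3.4 and removed in 3.9, which is what the AttributeError in the traceback above means, and plistlib.dump()/dumps() with load()/loads() replace it. The label, script path and 1800-second interval mirror the removeAdmin daemon discussed in this thread; the paths are assumptions for illustration.

```python
"""Write the removeAdmin LaunchDaemon with the Python 3 plistlib API.

Added example, not code from the thread or from MakeMeAdminPy. The paths
below are assumptions for illustration.
"""
import os
import plistlib
import tempfile
from pathlib import Path
from typing import Any, Dict

LABEL = "removeAdmin"
REMOVE_SCRIPT = "/Library/Application Support/JAMF/removeAdminRights.sh"  # assumed path
DAEMON_PATH = Path(f"/Library/LaunchDaemons/{LABEL}.plist")                # assumed path


def launchd_job(label: str = LABEL, script: str = REMOVE_SCRIPT, interval: int = 1800) -> Dict[str, Any]:
    """Build the LaunchDaemon dictionary using only documented launchd keys."""
    return {
        "Label": label,
        "ProgramArguments": ["/bin/sh", script],
        "StartInterval": interval,  # re-run the removal script every `interval` seconds
        "RunAtLoad": True,          # and once immediately when the daemon is loaded
    }


def to_plist_bytes(job: Dict[str, Any]) -> bytes:
    """Serialize with plistlib.dumps (3.4+) instead of the removed writePlist/writePlistToString."""
    return plistlib.dumps(job, fmt=plistlib.FMT_XML, sort_keys=True)


def from_plist_bytes(data: bytes) -> Dict[str, Any]:
    """Parse XML or binary plist bytes back into a dictionary (replaces readPlistFromString)."""
    return plistlib.loads(data)


def write_daemon(job: Dict[str, Any], dest: Path = DAEMON_PATH) -> Path:
    """Write the plist 0644 and root-owned; launchd refuses a job file that others can write to."""
    with open(dest, "wb") as fh:            # plistlib.dump wants a binary file object
        plistlib.dump(job, fh, fmt=plistlib.FMT_XML, sort_keys=True)
    os.chmod(dest, 0o644)
    if hasattr(os, "geteuid") and os.geteuid() == 0:   # the Jamf policy runs as root; skip chown otherwise
        os.chown(dest, 0, 0)
    return dest


def check_roundtrip() -> bool:
    """Serialize, write to a temp dir, read back, and compare with the original dictionary."""
    job = launchd_job()
    if from_plist_bytes(to_plist_bytes(job)) != job:
        return False
    with tempfile.TemporaryDirectory() as tmp:
        path = write_daemon(job, Path(tmp) / f"{LABEL}.plist")
        with open(path, "rb") as fh:
            return plistlib.load(fh) == job


if __name__ == "__main__":
    print(to_plist_bytes(launchd_job()).decode())
```

After `write_daemon(launchd_job())` the file is loaded exactly as in the shell version (`launchctl load /Library/LaunchDaemons/removeAdmin.plist`). Python 3.4 through 3.8 still accept `writePlist` with a DeprecationWarning, so a script that works on the Jamf-bundled or MacAdmins Python of one version can break on the next; the `dump`/`load` calls work on every Python 3.4 or later.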
Posted on 03-16-2022 10:22 PM
We ended up working with some fellow admins looking to do the same and also monitor for any admin accounts made during the elevated time but have the ability to exclude some accounts from being demoted after the window ends. I have included what we came up with below.
#!/bin/bash
# For Self Service: escalate the logged-in user to admin for 30 minutes.
# Runs as root from the Jamf policy, so no sudo is needed inside the script.
currentUser=$(who | awk '/console/{print $1}')
# Notify the user
osascript -e 'display dialog "You now have administrative rights for 30 minutes." buttons {"Ok"} default button 1'
# Create the removal script that the LaunchDaemon runs in 30 minutes (1800 secs).
# It is written before the daemon is loaded so the RunAtLoad run has a script to execute.
cat << 'EOF' > "/Library/Application Support/JAMF/removeAdminRights.sh"
#!/bin/bash
# Build the list of local admins (UID > 500), skipping the accounts allowed to stay admin.
# Replace yourserviceadmin and jamfmanagementaccount with your own excluded accounts.
admins=()
for username in $(dscl . list /Users UniqueID | grep -vw yourserviceadmin | grep -vw jamfmanagementaccount | awk '$2 > 500 { print $1 }'); do
    # dsmemberutil prints "... is not a member of the group" for non-admins
    if [[ $(dsmemberutil checkmembership -U "${username}" -G admin) != *not* ]]; then
        admins+=("${username}")
    fi
done
# Remove every remaining admin, including any account created during the elevated window
for admin in "${admins[@]}"; do
    /usr/sbin/dseditgroup -o edit -d "${admin}" -t user admin
done
EOF
chmod 755 "/Library/Application Support/JAMF/removeAdminRights.sh"
# If the LaunchDaemon already exists, unload it to "reset" the timer;
# if it does not exist, create it.
if test -f /Library/LaunchDaemons/removeAdmin.plist; then
    launchctl unload /Library/LaunchDaemons/removeAdmin.plist
else
    defaults write /Library/LaunchDaemons/removeAdmin.plist Label -string "removeAdmin"
    defaults write /Library/LaunchDaemons/removeAdmin.plist ProgramArguments -array -string /bin/sh -string "/Library/Application Support/JAMF/removeAdminRights.sh"
    defaults write /Library/LaunchDaemons/removeAdmin.plist StartInterval -integer 1800
    defaults write /Library/LaunchDaemons/removeAdmin.plist RunAtLoad -boolean yes
    # launchd only loads daemons owned by root:wheel that are not group/world-writable
    chown root:wheel /Library/LaunchDaemons/removeAdmin.plist
    chmod 644 /Library/LaunchDaemons/removeAdmin.plist
fi
# Load the daemon again (or for the first time). RunAtLoad runs the removal script once now,
# and StartInterval runs it again every 1800 seconds for as long as the daemon stays loaded.
launchctl load /Library/LaunchDaemons/removeAdmin.plist
# Just in case the Mac is slow
sleep 10
# Give the user admin rights
/usr/sbin/dseditgroup -o edit -a "${currentUser}" -t user admin
exit 0
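The script above strips every non-excluded admin when the timer fires, but it does not record who was elevated or which admin accounts appeared during the window, which was the first post's logging question. As an added example that is not part of the script above, of MakeMeAnAdmin or of MakeMeAdminPy, the following records the admin set at grant time and compares it at revoke time, writing one log line that a Jamf Extension Attribute or the policy's script result can pick up. It needs a python3 (for example the MacAdmins Python mentioned earlier in the thread), runs as root from the policy, parses the output formats of `dscl . list /Users UniqueID` and `dsmemberutil checkmembership`, and uses assumed snapshot and log paths; the sample command output embedded below is constructed, not captured from a real Mac.

```python
"""Record who was elevated and which admin accounts appeared during the window.

Added example, not code from the thread or from MakeMeAnAdmin/MakeMeAdminPy.
Paths and the sample command output are assumptions/constructed data.
"""
import json
import subprocess
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Callable, Iterable, List, Set, Tuple

# Accounts allowed to stay admin (placeholders, as in the shell script above).
EXCLUDED = {"yourserviceadmin", "jamfmanagementaccount"}
SNAPSHOT = Path("/var/db/removeAdmin/admins.json")  # assumed location, readable by root only
LOG = Path("/var/log/removeAdmin.log")              # assumed location


def parse_user_list(dscl_output: str, min_uid: int = 501) -> List[str]:
    """Parse `dscl . list /Users UniqueID` output ('name  uid' per line) into local user names."""
    users: List[str] = []
    for line in dscl_output.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].lstrip("-").isdigit():
            continue                      # skip blank or unexpected lines
        if int(parts[1]) >= min_uid:      # system accounts (root, nobody, _mbsetupuser) are below 501
            users.append(parts[0])
    return users


def is_admin_from_output(output: str) -> bool:
    """`dsmemberutil checkmembership -U u -G admin` prints '... is a member ...' or '... is not a member ...'."""
    return "not a member" not in output


def live_is_admin(user: str) -> bool:
    """Real membership check; only meaningful on macOS, so callers can inject a stub instead."""
    out = subprocess.run(["dsmemberutil", "checkmembership", "-U", user, "-G", "admin"],
                         capture_output=True, text=True, check=False).stdout
    return is_admin_from_output(out)


def live_user_list() -> str:
    return subprocess.run(["dscl", ".", "list", "/Users", "UniqueID"],
                          capture_output=True, text=True, check=False).stdout


def current_admins(dscl_output: str, is_admin: Callable[[str], bool]) -> Set[str]:
    return {u for u in parse_user_list(dscl_output) if is_admin(u)}


def record_grant(elevated: str, admins: Set[str], snapshot: Path) -> None:
    """Call before `dseditgroup -o edit -a $currentUser -t user admin`."""
    snapshot.parent.mkdir(parents=True, exist_ok=True)
    snapshot.write_text(json.dumps({
        "elevated": elevated,
        "admins": sorted(admins),
        "granted_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }))


def new_admins(before: Iterable[str], after: Iterable[str], elevated: str) -> Set[str]:
    """Admin accounts present now that were not admin at grant time, minus the expected ones."""
    return set(after) - set(before) - EXCLUDED - {elevated}


def report_revoke(admins_now: Set[str], snapshot: Path, log: Path) -> Tuple[Set[str], str]:
    """Call from the removal script before demoting: compare with the snapshot and append a log line."""
    state = json.loads(snapshot.read_text())
    created = new_admins(state["admins"], admins_now, state["elevated"])
    line = (f"{datetime.now(timezone.utc).isoformat(timespec='seconds')} "
            f"elevated={state['elevated']} granted_at={state['granted_at']} "
            f"new_admins={','.join(sorted(created)) or '-'}")
    with open(log, "a") as fh:
        fh.write(line + "\n")
    return created, line


# Constructed sample output (not captured from a real Mac): alice is elevated, and during
# the window a "backdoor" admin and a non-admin "bob" are created.
SAMPLE_AT_GRANT = """\
root                   0
nobody                 -2
_mbsetupuser           248
jamfmanagementaccount  502
alice                  501
"""
SAMPLE_AT_REVOKE = SAMPLE_AT_GRANT + "backdoor  503\nbob  504\n"
ADMINS_AT_GRANT = {"jamfmanagementaccount"}
ADMINS_AT_REVOKE = {"jamfmanagementaccount", "alice", "backdoor"}


def demo() -> Tuple[Set[str], str]:
    """Run the grant/revoke pair against the constructed data in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        snap, log = Path(tmp) / "admins.json", Path(tmp) / "removeAdmin.log"
        record_grant("alice", current_admins(SAMPLE_AT_GRANT, ADMINS_AT_GRANT.__contains__), snap)
        return report_revoke(current_admins(SAMPLE_AT_REVOKE, ADMINS_AT_REVOKE.__contains__), snap, log)


if __name__ == "__main__":
    import sys
    if sys.argv[1:2] == ["grant"]:
        record_grant(sys.argv[2], current_admins(live_user_list(), live_is_admin), SNAPSHOT)
    elif sys.argv[1:2] == ["revoke"]:
        print(report_revoke(current_admins(live_user_list(), live_is_admin), SNAPSHOT, LOG)[1])
```

In the shell script this would be `python3 /path/to/adminlog.py grant "$currentUser"` just before the `dseditgroup -a` line, and `python3 /path/to/adminlog.py revoke` at the top of removeAdminRights.sh (both paths assumed). Because the revoke step prints its log line, it lands in the policy's script result in Jamf even if nobody fetches the local log file, and a non-empty `new_admins=` is the condition to alert on.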