Make Me an Admin

user-voiZiJyJvM
New Contributor II

I am using Make Me an Admin: https://github.com/jamf/MakeMeAnAdmin

 

I have 3 questions/concerns:

• It is not reliably creating a log?

• Is there a way to get the log to me or at least a notification that the policy was run?

• Is there a way to block them from creating additional admin accounts while they are an admin?

 

Thanks!

1 ACCEPTED SOLUTION

gabe2385
Contributor

Hello @user-voiZiJyJvM 

We have been using https://github.com/kc9wwh/MakeMeAdminPy

This is the Python version and has ways to create logs. It also has a way to strip the admin rights and notify you if they create an admin account. We have had some success with this one. Just beware that Python will not be standard in the upcoming Monterey version.


8 REPLIES


That looks great, I will have to test it out after installing Python, as all of our new Macs will be on Monterey. Maybe I need to read further into it, but how does one go about getting the log off of the user's computer? Do you use a method other than in person, or maybe you don't look at logs beyond the device reporting if additional admins were created? Now that I type this, there probably isn't any other info I would need? Is there anything you like to check?

So our info sec team didn't really care what they did on their machine, but cared more if they created additional admin accounts and if they changed the local admin password, which this also takes care of. If they mess up their machine they are aware that we won't troubleshoot it and will re-provision them. This does run as a policy and will log in Jamf how many times they run it, if that helps. You may be able to change the Python scripts to add a log file for you, but that is beyond me lol.

I have it updating permissions but I am getting an error checking the Org user password. It seems like it is not able to decrypt. Perhaps I am missing something on the device? From what I am reading I might need to update OpenSSL? Have you run into this error/any thoughts? 

Script result: bad decrypt
4746327724:error:06FFF064:digital envelope routines:CRYPTO_internal:bad decrypt:/System/Volumes/Data/SWE/macOS/BuildRoots/5b2e67f8af/Library/Caches/com.apple.xbs/Sources/libressl/libressl-75.60.3/libressl-2.8/crypto/evp/evp_enc.c:521:
<dscl_cmd> DS Error: -14090 (eDSAuthFailed)
Authentication for node /Local/Default failed. (-14090, eDSAuthFailed)
Permission denied. Please enter user's old password:<dscl_cmd> DS Error: -14090 (eDSAuthFailed)
passwd: DS error: eDSAuthFailed
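
The libressl path in that error shows the decryption is being done by the LibreSSL `openssl` that ships with macOS, and the eDSAuthFailed lines that follow are what you would expect once a wrongly recovered password is fed to dscl. One common cause of `bad decrypt` when an `openssl enc` string is produced on one box and decrypted on another is a key-derivation digest mismatch: OpenSSL 1.1.0 changed the default digest for `enc` from MD5 to SHA-256, while LibreSSL's `enc` historically defaulted to MD5, so the same passphrase and salt yield a different AES key and the padding check fails. The script below is an added example, not code from the thread or from MakeMeAdminPy; it reproduces the symptom with a constructed secret and passphrase and shows that passing the same `-md` on both sides fixes it. It assumes only the `openssl` CLI (OpenSSL or LibreSSL); the function names and values are the example's own.

```shell
#!/bin/bash
# Added example, not from the thread or from MakeMeAdminPy: reproduce the
# "bad decrypt" symptom by encrypting a string with one key-derivation digest
# and decrypting it with another, then show that pinning -md on both sides
# fixes it. Assumes only the openssl CLI (OpenSSL or LibreSSL); the secret
# and passphrase below are constructed for the demo.

# encrypt_string PLAINTEXT PASSPHRASE DIGEST -> one-line base64 ciphertext
encrypt_string() {
    printf '%s' "$1" | openssl enc -aes-256-cbc -salt -a -A -pass "pass:$2" -md "$3"
}

# decrypt_string CIPHERTEXT PASSPHRASE DIGEST -> plaintext on stdout;
# fails (openssl prints "bad decrypt") when the derived key is wrong
decrypt_string() {
    printf '%s' "$1" | openssl enc -aes-256-cbc -d -a -A -pass "pass:$2" -md "$3"
}

# decrypt_matches CIPHERTEXT PASSPHRASE DIGEST EXPECTED
# Success only if decryption succeeds AND yields EXPECTED. Comparing the
# plaintext matters: a wrong key usually trips the PKCS#7 padding check
# ("bad decrypt"), but roughly 1 time in 256 the garbage last block happens
# to carry valid padding and openssl returns junk with exit status 0.
decrypt_matches() {
    local out
    out=$(decrypt_string "$1" "$2" "$3" 2>/dev/null) || return 1
    [ "$out" = "$4" ]
}

demo() {
    local secret='L0cal-Admin-Pa55' pass='jamf-string-key'
    local ct
    # Encrypted where the default digest was SHA-256 (e.g. OpenSSL 1.1 on an admin box)
    ct=$(encrypt_string "$secret" "$pass" sha256)
    echo "ciphertext: $ct"
    echo "--- decrypting with the wrong digest (md5), stderr shown:"
    decrypt_string "$ct" "$pass" md5 || true
    echo
    echo "--- decrypting with the matching digest (sha256):"
    decrypt_string "$ct" "$pass" sha256
    echo
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `bash bad_decrypt_demo.sh demo`. The practical check on the Mac is to decrypt the stored string by hand with `-md md5` and `-md sha256` and see which one returns the expected password; then add that `-md` option to both the encrypting and decrypting commands rather than replacing the system OpenSSL.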

user-voiZiJyJvM
New Contributor II

Makes sense. I think them not being able to make an admin account is going to be enough for me too!

daniel_ross
Contributor III

I've been trying to get this to work with little to no success, working with macAdmins Python. We get a few errors and have been trying to patch it up, but it seems to get worse.

Script result: Creating LaunchDaemon...
Traceback (most recent call last):
  File "/Library/Application Support/JAMF/tmp/macOS - Grant Temp Admin", line 93, in <module>
    plistlib.writePlist (launchDaemon, '/Library/LaunchDaemons/' + launchdFile)
AttributeError: module 'plistlib' has no attribute 'writePlist'

We're getting this latest error, but we can't figure out what's causing the issue.

@daniel_ross If you are using Python 3, plistlib.writePlist has been deprecated: https://documentation.help/Python-3.7/plistlib.html We made a custom framework for Python 2 temporarily to have it working while we wait until it is ready for Python 3.

We ended up working with some fellow admins looking to do the same and also monitor for any admin accounts made during the elevated time but have the ability to exclude some accounts from being demoted after the window ends.  I have included what we came up with below.

#!/bin/bash
# For Self Service: escalate the logged-in user to admin for 30 minutes.
# Runs as root from a Jamf policy, so the sudo prefixes are not needed.
currentUser=$(who | awk '/console/{print $1}')
if [ -z "$currentUser" ]; then
    echo "No console user found; not granting admin rights."
    exit 1
fi

# Write the removal script BEFORE loading the LaunchDaemon: with RunAtLoad the
# daemon runs the script as soon as it is loaded, and on the very first run the
# file did not exist yet. Quoted heredoc, so nothing is expanded at write time.
# Replace yourserviceadmin / jamfmanagementaccount with the accounts that must
# keep admin rights.
cat << 'EOF' > "/Library/Application Support/JAMF/removeAdminRights.sh"
#!/bin/bash
# Demote every admin with UID > 500 except the excluded service accounts.
admins=()
for username in $(dscl . list /Users UniqueID | grep -vw yourserviceadmin | grep -vw jamfmanagementaccount | awk '$2 > 500 { print $1 }'); do
    if [[ $(dsmemberutil checkmembership -U "${username}" -G admin) != *not* ]]; then
        admins+=("${username}")
    fi
done
for admin in "${admins[@]}"; do
    /usr/sbin/dseditgroup -o edit -d "$admin" -t user admin
done
EOF
chown root:wheel "/Library/Application Support/JAMF/removeAdminRights.sh"
chmod 755 "/Library/Application Support/JAMF/removeAdminRights.sh"

# Notify the user
osascript -e 'display dialog "You now have administrative rights for 30 minutes." buttons {"Ok"} default button 1'

# If the LaunchDaemon exists, unload it to "reset" the timer; otherwise create it.
# RunAtLoad runs the removal script once immediately (clean slate) and
# StartInterval runs it again every 1800 s (30 minutes) for as long as it stays loaded.
# The removal script uses bash arrays, so it is launched with /bin/bash.
plist=/Library/LaunchDaemons/removeAdmin.plist
if test -f "$plist"; then
    launchctl unload "$plist"
else
    defaults write "$plist" Label -string "removeAdmin"
    defaults write "$plist" ProgramArguments -array -string /bin/bash -string "/Library/Application Support/JAMF/removeAdminRights.sh"
    defaults write "$plist" StartInterval -integer 1800
    defaults write "$plist" RunAtLoad -boolean yes
    chown root:wheel "$plist"
    chmod 644 "$plist"
fi
# Load the daemon again (or for the first time)
launchctl load "$plist"
# Give the immediate RunAtLoad pass time to finish before granting rights
sleep 10
# Give the user admin rights
/usr/sbin/dseditgroup -o edit -a "$currentUser" -t user admin
exit 0
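
The script above demotes everyone at the end of the window but records nothing, which leaves the original poster's first two questions (a reliable log, and some way to be told that an extra admin appeared) open. The following is an added example, not code from the thread or from either GitHub project: a companion script that snapshots the admin group when the window opens, demotes every non-allowlisted admin when it closes, flags the accounts that were not admins at elevation time (created or promoted during the window), and writes a timestamped line per action to a log file and to the unified log via `logger`. Note that group membership alone cannot stop an admin from creating another admin; like the thread's approach, this detects and demotes after the fact. The paths, the `ALLOWED_ADMINS` placeholders and the `temp_admin` tag are the example's own assumptions.

```shell
#!/bin/bash
# Added example, not from the thread or from MakeMeAnAdmin/MakeMeAdminPy.
# Usage: temp_admin.sh elevate   (from the Self Service policy, before dseditgroup -a)
#        temp_admin.sh cleanup   (from the LaunchDaemon when the window closes)
# Assumed/placeholder values: LOG_FILE, BASELINE, NEW_ADMIN_FLAG, ALLOWED_ADMINS.

LOG_FILE="${LOG_FILE:-/var/log/temp_admin.log}"
BASELINE="${BASELINE:-/var/db/temp_admin_baseline}"
NEW_ADMIN_FLAG="${NEW_ADMIN_FLAG:-/var/db/temp_admin_new_admins}"
# Accounts that must keep admin rights (placeholders, as in the thread's script)
ALLOWED_ADMINS="${ALLOWED_ADMINS:-yourserviceadmin jamfmanagementaccount}"

log() {
    # Append a UTC-timestamped line to LOG_FILE and send it to the unified log too
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG_FILE"
    logger -t temp_admin "$*"
}

in_list() {
    # in_list NEEDLE WORD...: success if NEEDLE equals one of the WORDs
    local needle="$1"; shift
    local w
    for w in "$@"; do
        if [ "$w" = "$needle" ]; then return 0; fi
    done
    return 1
}

admins_to_demote() {
    # admins_to_demote "CURRENT MEMBERS" "BASELINE MEMBERS"
    # Prints one line per non-allowlisted admin: "<account> demote" if the
    # account was already an admin at elevation time, "<account> demote NEW"
    # if it was not (i.e. it was created or promoted during the window).
    local current="$1" baseline="$2" acct
    for acct in $current; do
        if in_list "$acct" root $ALLOWED_ADMINS; then
            continue
        fi
        if in_list "$acct" $baseline; then
            printf '%s demote\n' "$acct"
        else
            printf '%s demote NEW\n' "$acct"
        fi
    done
}

# ---- macOS-only parts (dscl/dseditgroup); pure logic above is what gets tested ----
list_admins() {
    # Direct members of the local admin group, space separated
    dscl . -read /Groups/admin GroupMembership | sed 's/^GroupMembership: //'
}

elevate() {
    # Snapshot the admin group before the policy adds the user to it
    list_admins > "$BASELINE"
    chmod 600 "$BASELINE"
    log "elevate: baseline admins: $(cat "$BASELINE")"
}

cleanup() {
    # Demote everything not allowlisted, log each action, record NEW accounts
    local baseline="" acct _ status
    [ -f "$BASELINE" ] && baseline=$(cat "$BASELINE")
    : > "$NEW_ADMIN_FLAG"
    while read -r acct _ status; do
        [ -n "$acct" ] || continue
        /usr/sbin/dseditgroup -o edit -d "$acct" -t user admin
        log "cleanup: removed admin from $acct${status:+ (admin created during window)}"
        if [ "$status" = NEW ]; then printf '%s\n' "$acct" >> "$NEW_ADMIN_FLAG"; fi
    done < <(admins_to_demote "$(list_admins)" "$baseline")
    rm -f "$BASELINE"
}

if [ "$#" -gt 0 ] && command -v dseditgroup >/dev/null 2>&1; then
    case "$1" in
        elevate) elevate ;;
        cleanup) cleanup ;;
        *) echo "usage: $0 elevate|cleanup" >&2; exit 2 ;;
    esac
fi
```

Wire it in by calling `temp_admin.sh elevate` just before the `dseditgroup -o edit -a` line of the Self Service script and pointing the LaunchDaemon's ProgramArguments at `temp_admin.sh cleanup`. The `NEW_ADMIN_FLAG` file is the hook for getting the result back to you: a Jamf extension attribute that reads it, or a follow-up policy that uploads `LOG_FILE`, would report which accounts were created during the window without anyone visiting the machine.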