Posted on 06-11-2020 08:17 PM
Referencing https://github.com/jamf/MakeMeAnAdmin/blob/master/MakeMeAnAdmin.sh
I would like to have an option for certain enrolled users to be able to restore their admin privileges without a restriction (time, etc). I removed the timer lines in the above script, as the prompt was a nice user notification, but it seemed to revert to a standard account within a few minutes.
Also, for extended periods of admin requests, such as 1 month, 6 months, 1 year, is there a recommended way to assign those in Jamf, perhaps not based on AD group details?
Thanks!
Posted on 06-11-2020 10:29 PM
Running this as a script in a policy:
```bash
sudo dscl . -append /groups/admin GroupMembership "$3"
```
will assign admin rights to the logged-on user.
You could probably use an enrolment date trigger to run a similar script for it to remove the rights after a desired time period.
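One way to implement the timed removal suggested above, as an added example that is not part of the thread or of MakeMeAnAdmin. It assumes Jamf passes the username as `$3`, that policy parameter `$4` carries either a day count or the word `enforce`, and that `STATE_DIR` is a hypothetical root-only folder:

```bash
#!/bin/bash
# Added example, not from the thread: time-boxed admin rights for a Jamf policy.
# Assumed: $3 = username (Jamf), $4 = number of days to grant, or "enforce".
# STATE_DIR is a hypothetical root-only folder holding one expiry file per user.
STATE_DIR="${STATE_DIR:-/Library/Application Support/AdminGrants}"

# Usernames become file names, so refuse empty names, path separators and dotfiles.
valid_user() { case "$1" in ''|*/*|.*) return 1 ;; esac; }

# record_grant USER DAYS NOW: store the expiry time as epoch seconds.
record_grant() {
    valid_user "$1" || return 2
    case "$2" in ''|0*|*[!0-9]*) return 2 ;; esac     # positive whole number only
    mkdir -p "$STATE_DIR" && chmod 700 "$STATE_DIR" || return 1
    echo $(( $3 + $2 * 86400 )) > "$STATE_DIR/$1.expiry"
}

# grant_expired USER NOW: true only for a recorded grant that has run out.
# Users with no record (for example permanent admins) are never touched.
grant_expired() {
    valid_user "$1" || return 1
    [ -f "$STATE_DIR/$1.expiry" ] || return 1
    _expiry=$(cat "$STATE_DIR/$1.expiry")
    case "$_expiry" in ''|*[!0-9]*) return 0 ;; esac  # unreadable record: fail closed
    [ "$2" -ge "$_expiry" ]
}

grant() {    # promote USER for DAYS and remember when the grant ends
    record_grant "$1" "$2" "$(date +%s)" &&
        /usr/sbin/dseditgroup -o edit -a "$1" -t user admin
}

enforce() {  # demote USER once the recorded grant has expired
    grant_expired "$1" "$(date +%s)" || return 0
    /usr/sbin/dseditgroup -o edit -d "$1" -t user admin &&
        rm -f "$STATE_DIR/$1.expiry"
}

# Run only when Jamf supplies a username, so the functions can be sourced alone.
if [ -n "${3:-}" ]; then
    if [ "${4:-enforce}" = "enforce" ]; then enforce "$3"; else grant "$3" "$4"; fi
fi
```

Use one policy with a day count in parameter 4 to grant, and a recurring check-in policy with parameter 4 left empty to enforce. The expiry is kept on disk, so it survives a restart.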
Posted on 06-11-2020 10:36 PM
If you're attempting to do something along these lines, to allow kids to do something specific with admin rights, it would be suggested to revoke access to the user and accounts preferences menu item, and Terminal, as they will generate their own admin accounts while they have admin rights.
Posted on 06-12-2020 07:17 AM
This is not in an educational environment, but if users do create additional accounts while circumventing our policies or abusing admin privileges, that's no longer an IT problem.
I was able to test the following script to grant full admin rights back to the user:
```bash
#!/bin/bash
# Jamf passes the logged-in username as $3
# define jamfHelper location
jhelp="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
# exit early if the user is already an admin; checkmember tests the exact
# account, where grepping the GroupMembership list would also match substrings
if /usr/sbin/dseditgroup -o checkmember -m "$3" admin >/dev/null 2>&1
then
    /bin/echo "$3 is in the admin group, exiting"
    exit 0
else
    /bin/echo "$3 is not an admin, promoting.."
fi
# dseditgroup to promote the currently logged in user to admin rights
/usr/sbin/dseditgroup -o edit -a "$3" -t user admin
"$jhelp" -windowType utility -title "User Admin Privileges" -description "Admin privileges restored." -button1 "OK"
```
However, I do notice that if I use MakeMeAdmin and set the timer for 60 minutes, and the user requires a restart during their use or installation, it reverts back to the standard account. Is this expected behavior?