Contributor III


I would like to have an option for certain enrolled users to be able to restore their admin privileges without a restriction (time, etc.). I removed the timer lines in the above script, as the prompt was a nice user notification, but it seemed to revert to a standard account within a few minutes.

Also, for extended periods of admin requests, such as 1 month, 6 months, 1 year, is there a recommended way to assign those in Jamf, perhaps not based on AD group details?



Contributor II

Running this as a script in a policy:

```
sudo dscl . -append /groups/admin GroupMembership "$3"
```

will assign admin rights to the logged-on user.

You could probably use an enrolment date trigger to run a similar script for it to remove the rights after a desired time period.

Contributor II

If you're attempting to do something along these lines, to allow kids to do something specific with admin rights, it would be suggested to revoke access to the user and accounts preferences menu item, and Terminal, as they will generate their own admin accounts while they have admin rights.
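
The risk raised in the post above (extra admin accounts created while a user is elevated) can be checked for with a recurring audit policy. This is an added example, not code from the thread: it compares the local admin group against an allowlist, and the allowlist names and the sample `dscl` output are constructed placeholders.

```shell
#!/bin/bash
# Added example: report local admin accounts that are not on an allowlist.
# It reads only GroupMembership short names, like the scripts in this thread.

# Hypothetical allowlist of accounts that may hold admin rights (assumption).
APPROVED_ADMINS="root localadmin"

# Constructed sample of `dscl . read /Groups/admin GroupMembership` output,
# used only when dscl is not available (for example, off a Mac).
SAMPLE_DSCL_OUTPUT="GroupMembership: root localadmin jsmith tempadmin"

# Turn "GroupMembership: a b c" into one short name per line.
# Any other output (such as a "No such key" message) yields nothing.
parse_admin_members() {
    printf '%s\n' "$1" \
        | sed -n 's/^GroupMembership:[[:space:]]*//p' \
        | tr -s ' ' '\n' \
        | sed '/^$/d'
}

# $1 = raw dscl output, $2 = space-separated allowlist.
# Prints each admin group member that is missing from the allowlist.
unexpected_admins() {
    for member in $(parse_admin_members "$1"); do
        found=0
        for approved in $2; do
            # Exact comparison, so "bob" never matches "bobby".
            if [ "$member" = "$approved" ]; then
                found=1
                break
            fi
        done
        if [ "$found" -eq 0 ]; then
            printf '%s\n' "$member"
        fi
    done
    return 0
}

if command -v dscl >/dev/null 2>&1; then
    raw=$(dscl . read /Groups/admin GroupMembership 2>/dev/null)
else
    raw="$SAMPLE_DSCL_OUTPUT"
fi

extra=$(unexpected_admins "$raw" "$APPROVED_ADMINS")
if [ -n "$extra" ]; then
    echo "Unexpected local admins:" $extra
fi
```

The output lands in the policy log, so it can be reviewed after a period of temporary elevation ends.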

Contributor III

This is not in an educational environment, but if users do create additional accounts while circumventing our policies or abusing admin privileges, that's no longer an IT problem.

I was able to test the following script to grant full admin rights back to the user:


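```
#!/bin/bash

# define jamfHelper location (full path to the binary, not just the bin directory)
jhelp="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"

# $3 is the logged-in username that Jamf passes to policy scripts
# check for an exact match of the username in the admin group
if /usr/bin/dscl . read /Groups/admin GroupMembership | /usr/bin/tr ' ' '\n' | /usr/bin/grep -Fxq -- "$3"; then
    /bin/echo "$3 is in the admin group, exiting"
    exit 0
else
    /bin/echo "$3 is not an admin, promoting.."

    # dseditgroup to promote the currently logged in user to admin rights
    /usr/sbin/dseditgroup -o edit -a "$3" -t user admin

    # notify the user
    "$jhelp" -windowType utility -title "User Admin Privileges" -description "Admin privileges restored." -button1 "OK"
fi
```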

However, I do notice that if I use MakeMeAdmin and set the timer for 60 minutes, and the user requires a restart during their use or installation, it reverts back to the standard account. Is this expected behavior?