MakeMeAnAdmin seems to work but does not change standard user to admin

GetCart3r
New Contributor III

I've tested this out a few times now and the script seems to work through the Self Service and we get the message "You now have administrative rights for 30 minutes....." but the user is still a standard user.

Is the "MakeMeAdmin" script still working for macOS Catalina?

Tomorrow I'm going to try and figure out the newer version here https://github.com/kc9wwh/MakeMeAdminPy but would have been good if I could get the basic one working before getting into the Py version that required more configuration.

Thank you,

12 REPLIES 12

bcbackes
Contributor III

Hello @GetCart3r. Are you referring to: https://github.com/jamf/MakeMeAnAdmin/blob/master/MakeMeAnAdmin.sh? If so, I used this script and it grants me Admin rights on my Catalina MacBook. I haven't tested or tried the newer version at all.

ronhunter212
New Contributor III

The best way I activated MMA was to have it part of my enrollment. Can you define how you are using it so that I can get a bit more clarity?

GetCart3r
New Contributor III

@ronhunter212 I think I'm missing something here. My understanding of MMA is to have it set up as a "Self Service" option, which I have done, and when the user needs admin they would go to Self Service and "Install" MMA.

What is the purpose of setting it as an enrolment? Is it to install the script/MMA elsewhere for the user to select?

Do they not go to Self Service each time they need admin?

TY

Correct. When the machine enrolls, MMA sets itself up in our Self Service, giving the user access to push the button when they need it.

techjason
Contributor

@GetCart3r I have been using the version at https://github.com/jamf/MakeMeAnAdmin/blob/master/MakeMeAnAdmin.sh since the pandemic started and it works in Catalina fine.

We created two Self-Service Policies, one for one-time use and one for on-going use. We scoped a different static user group to each. Users are only added to groups on case-by-case basis. Most users are put in the one-time group, but some special users are put in the on-going group.

GetCart3r
New Contributor III

Thanks @techjason. That's the script I'm using but it's not making any changes. I have it set up as ongoing and it installs through Self Service. I'm using the default script set to 30 mins and it's still in "Self Service" as "Reinstall".

walt
Contributor III

@GetCart3r are you keeping System Preferences open when performing the MMA Self Service item? Or are you running MMA, then opening System Preferences? I can confirm MMA works with current 10.15 updates.

Do you have the script and policy configuration we can look at?

GetCart3r
New Contributor III

@walt I've tested with System Preferences closed and multiple test computers. I have a feeling I'm missing something in the script that I need to add/adjust.

For testing I haven't changed anything short of the message.

#!/bin/bash

###############################################
# This script will provide temporary admin    #
# rights to a standard user right from self   #
# service. First it will grab the username of #
# the logged in user, elevate them to admin   #
# and then create a launch daemon that will   #
# count down from 30 minutes and then create  #
# and run a secondary script that will demote #
# the user back to a standard account. The    #
# launch daemon will continue to count down   #
# no matter how often the user logs out or    #
# restarts their computer.                    #
###############################################

#############################################
# find the logged in user and let them know #
#############################################

currentUser=$(who | awk '/console/{print $1}')
echo $currentUser

osascript -e 'display dialog "You now have administrative rights for 30 minutes. All system changes are logged." buttons {"Make me an admin, please"} default button 1'

#########################################################
# write a daemon that will let you remove the privilege #
# with another script and chmod/chown to make           #
# sure it'll run, then load the daemon                 #
#########################################################

#Create the plist
sudo defaults write /Library/LaunchDaemons/removeAdmin.plist Label -string "removeAdmin"

#Add program argument to have it run the update script
sudo defaults write /Library/LaunchDaemons/removeAdmin.plist ProgramArguments -array -string /bin/sh -string "/Library/Application Support/JAMF/removeAdminRights.sh"

#Set the run interval to 1800 seconds (30 minutes)
sudo defaults write /Library/LaunchDaemons/removeAdmin.plist StartInterval -integer 1800

#Set run at load
sudo defaults write /Library/LaunchDaemons/removeAdmin.plist RunAtLoad -boolean yes

#Set ownership
sudo chown root:wheel /Library/LaunchDaemons/removeAdmin.plist
sudo chmod 644 /Library/LaunchDaemons/removeAdmin.plist

#Load the daemon 
launchctl load /Library/LaunchDaemons/removeAdmin.plist
sleep 10

#########################
# make file for removal #
#########################

if [ ! -d /private/var/userToRemove ]; then
    mkdir /private/var/userToRemove
    echo $currentUser >> /private/var/userToRemove/user
    else
        echo $currentUser >> /private/var/userToRemove/user
fi

##################################
# give the user admin privileges #
##################################

/usr/sbin/dseditgroup -o edit -a $currentUser -t user admin

########################################
# write a script for the launch daemon #
# to run to demote the user back and   #
# then pull logs of what the user did. #
########################################

# The path contains a space, so it must be quoted for the redirect to reach the intended file
cat << 'EOF' > "/Library/Application Support/JAMF/removeAdminRights.sh"
if [[ -f /private/var/userToRemove/user ]]; then
    userToRemove=$(cat /private/var/userToRemove/user)
    echo "Removing $userToRemove's admin privileges"
    /usr/sbin/dseditgroup -o edit -d $userToRemove -t user admin
    rm -f /private/var/userToRemove/user
    launchctl unload /Library/LaunchDaemons/removeAdmin.plist
    rm /Library/LaunchDaemons/removeAdmin.plist
    log collect --last 30m --output /private/var/userToRemove/$userToRemove.logarchive
fi
EOF

exit 0

walt
Contributor III

Are these LDAP or local accounts? I don't think it should make a difference but I copied & pasted your script and it worked fine on my local account test.

techjason
Contributor

@GetCart3r I have a question, do you have multiple users logged in at the same time?

I noticed that this will only work if you are the only user logged in. I remember this took me a while to figure out.
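An added example, not part of the thread or of the Jamf script: it runs the script's `who | awk '/console/{print $1}'` filter over constructed `who` output to show that two console sessions yield two names, and adds a guard that refuses to change group membership unless exactly one well-formed name comes back. The sample sessions, the function names and the allowed-character rule are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample: one console session plus a terminal session.
WHO_SINGLE='alice    console  Mar  3 09:12
alice    ttys000  Mar  3 09:15'

# Constructed sample: two console sessions (a second user is also logged in).
WHO_MULTI='alice    console  Mar  3 09:12
bob      console  Mar  3 10:40
alice    ttys000  Mar  3 09:15'

# The same filter the script applies, reading `who` output from stdin.
console_users() {
    awk '/console/{print $1}'
}

# Hypothetical guard: print one account name, or fail and print nothing.
resolve_target_user() {
    users=$(console_users | sort -u)
    # Count non-empty lines; awk always exits 0, unlike grep -c on no match.
    count=$(printf '%s\n' "$users" | awk 'NF{n++} END{print n+0}')
    if [ "$count" -ne 1 ]; then
        echo "refusing: expected 1 console user, found $count" >&2
        return 1
    fi
    # Assumed policy: short names use only letters, digits, '.', '_' and '-'.
    case "$users" in
        *[!A-Za-z0-9._-]*)
            echo "refusing: unexpected characters in account name" >&2
            return 1 ;;
    esac
    printf '%s\n' "$users"
}

# With two console sessions the guard stops before any group change is made.
printf '%s\n' "$WHO_MULTI" | resolve_target_user || echo "no change made"
```

In the script, the name returned by the guard would replace `$currentUser` in both the `dseditgroup` call and the file written under `/private/var/userToRemove`, so promotion and later demotion act on the same single account.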

GetCart3r
New Contributor III

@walt I was using LDAP on one of my tests, but in the video below this is a fresh iMac that I erased and installed Catalina on, and same issue.

@techjason No other users are logged in. Fresh computer and install now with just the admin user and test user. You can see in the video below.

Video
https://photos.app.goo.gl/W5VUY3URPVvvnvcC6