Posted on 09-28-2020 07:09 PM
I've tested this out a few times now and the script seems to work through the Self Service and we get the message "You now have administrative rights for 30 minutes....." but the user is still a standard user.
Is the "MakeMeAdmin" script still working for macOS Catalina?
Tomorrow I'm going to try and figure out the newer version here https://github.com/kc9wwh/MakeMeAdminPy but would have been good if I could get the basic one working before getting into the Py version that required more configuration.
Thank you,
Posted on 09-28-2020 09:56 PM
Hello @GetCart3r. Are you referring to: https://github.com/jamf/MakeMeAnAdmin/blob/master/MakeMeAnAdmin.sh? If so, I used this script and it grants me Admin rights on my Catalina MacBook. I haven't tested or tried the newer version at all.
Posted on 09-29-2020 05:46 AM
The best way I activated MMA was to have it part of my enrollment. Can you define how you are using it so that I can get a bit more clarity?
Posted on 09-29-2020 09:13 AM
@ronhunter212 I think I'm missing something here. My understanding of MMA is to have it set up as a "Self Service" option, which I have done, and when the user needs admin they would go to Self Service and "Install" MMA.
What is the purpose of setting it as an enrolment? Is it to install the script/MMA elsewhere for the user to select?
Do they not go to Self Service each time they need admin?
TY
Posted on 10-04-2021 12:15 PM
Correct, when the machine enrolls, the MMA sets itself up in our Self Service, giving the user access to push the button when they need it.
Posted on 09-29-2020 09:46 AM
@GetCart3r I have been using the version at https://github.com/jamf/MakeMeAnAdmin/blob/master/MakeMeAnAdmin.sh since the pandemic started and it works in Catalina fine.
We created two Self Service policies, one for one-time use and one for ongoing use. We scoped a different static user group to each. Users are only added to groups on a case-by-case basis. Most users are put in the one-time group, but some special users are put in the ongoing group.
Posted on 09-29-2020 09:57 AM
Thanks @techjason. That's the script I'm using but it's not making any changes. I have it set up as ongoing and it installs through Self Service. I'm using the default script set to 30 mins and it's still in "Self Service" as "Reinstall".
Posted on 09-29-2020 10:00 AM
@GetCart3r Are you keeping System Preferences open when performing the MMA Self Service item? Or are you running MMA, then opening System Preferences? I can confirm MMA works with current 10.15 updates.
Do you have the script and policy configuration we can look at?
Posted on 09-29-2020 10:14 AM
@walt I've tested with System Preferences closed and multiple test computers. I have a feeling I'm missing something in the script that I need to add/adjust.
For testing I haven't changed anything short of the message.
#!/bin/bash
###############################################
# This script will provide temporary admin #
# rights to a standard user right from self #
# service. First it will grab the username of #
# the logged in user, elevate them to admin #
# and then create a launch daemon that will #
# count down from 30 minutes and then create #
# and run a secondary script that will demote #
# the user back to a standard account. The #
# launch daemon will continue to count down #
# no matter how often the user logs out or #
# restarts their computer. #
###############################################
#############################################
# find the logged in user and let them know #
#############################################
currentUser=$(who | awk '/console/{print $1}')
echo "$currentUser"
osascript -e 'display dialog "You now have administrative rights for 30 minutes. All system changes are logged." buttons {"Make me an admin, please"} default button 1'
#########################################################
# write a daemon that will let you remove the privilege #
# with another script and chmod/chown to make #
# sure it'll run, then load the daemon #
#########################################################
#Create the plist
sudo defaults write /Library/LaunchDaemons/removeAdmin.plist Label -string "removeAdmin"
#Add program argument to have it run the update script
sudo defaults write /Library/LaunchDaemons/removeAdmin.plist ProgramArguments -array -string /bin/sh -string "/Library/Application Support/JAMF/removeAdminRights.sh"
#Set the run interval to 1800 seconds (30 minutes)
sudo defaults write /Library/LaunchDaemons/removeAdmin.plist StartInterval -integer 1800
#Set run at load
sudo defaults write /Library/LaunchDaemons/removeAdmin.plist RunAtLoad -boolean yes
#Set ownership
sudo chown root:wheel /Library/LaunchDaemons/removeAdmin.plist
sudo chmod 644 /Library/LaunchDaemons/removeAdmin.plist
#Load the daemon
launchctl load /Library/LaunchDaemons/removeAdmin.plist
sleep 10
#########################
# make file for removal #
#########################
if [ ! -d /private/var/userToRemove ]; then
    mkdir /private/var/userToRemove
    echo "$currentUser" >> /private/var/userToRemove/user
else
    echo "$currentUser" >> /private/var/userToRemove/user
fi
##################################
# give the user admin privileges #
##################################
/usr/sbin/dseditgroup -o edit -a "$currentUser" -t user admin
########################################
# write a script for the launch daemon #
# to run to demote the user back and #
# then pull logs of what the user did. #
########################################
# The target path contains a space, so it must be quoted
cat << 'EOF' > "/Library/Application Support/JAMF/removeAdminRights.sh"
if [[ -f /private/var/userToRemove/user ]]; then
    userToRemove=$(cat /private/var/userToRemove/user)
    echo "Removing $userToRemove's admin privileges"
    /usr/sbin/dseditgroup -o edit -d "$userToRemove" -t user admin
    rm -f /private/var/userToRemove/user
    launchctl unload /Library/LaunchDaemons/removeAdmin.plist
    rm /Library/LaunchDaemons/removeAdmin.plist
    log collect --last 30m --output "/private/var/userToRemove/$userToRemove.logarchive"
fi
EOF
exit 0
Posted on 09-29-2020 10:19 AM
Posted on 09-29-2020 11:23 AM
Are these LDAP or local accounts? I don't think it should make a difference but I copied & pasted your script and it worked fine on my local account test.
Posted on 09-29-2020 01:15 PM
@GetCart3r I have a question, do you have multiple users logged in at the same time?
I noticed that this will only work if you are the only user logged in. I remember this took me a while to figure out.
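The posted script chooses its target with `who | awk '/console/{print $1}'`. The added example below (not part of any post in this thread, and not Jamf's code) runs that same parse over constructed `who` output and adds a hypothetical `pick_console_user` helper that refuses to elevate unless exactly one non-system console user is found. It assumes `who` prints one `console` line per logged-in GUI session.

```shell
#!/bin/bash
# Added example: fail-closed selection of the account to elevate.
# SAMPLE_ONE / SAMPLE_TWO are constructed `who` output, not captured from a real Mac.

SAMPLE_ONE='testuser console  Sep 29 09:02
testuser ttys000  Sep 29 09:05'

SAMPLE_TWO='ladmin   console  Sep 29 08:55
testuser console  Sep 29 09:02'

# Same parse as the posted script: first field of every line mentioning "console".
console_users() {
    awk '/console/{print $1}'
}

# Hypothetical helper: print exactly one non-system console user, or fail.
pick_console_user() {
    pcu_users=$(console_users | sort -u)
    # grep -c exits non-zero on a count of 0, so neutralise that status.
    pcu_count=$(printf '%s\n' "$pcu_users" | grep -c . || true)
    if [ "$pcu_count" -ne 1 ]; then
        echo "refusing to elevate: $pcu_count console users found" >&2
        return 1
    fi
    case "$pcu_users" in
        root|_*)
            echo "refusing to elevate system account: $pcu_users" >&2
            return 1
            ;;
    esac
    printf '%s\n' "$pcu_users"
}

# On a managed Mac the input would be: who | pick_console_user
if target=$(printf '%s\n' "$SAMPLE_TWO" | pick_console_user); then
    echo "would elevate: $target"
else
    echo "no change made"
fi
```

With two console sessions the original parse yields two names, and the unquoted `$currentUser` then expands to two words in the `dseditgroup` call; failing before that point leaves group membership untouched.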
Posted on 09-30-2020 07:34 AM
@walt I was using LDAP on one of my tests, but in the video below this is a fresh iMac that I erased and installed Catalina on, and same issue.
@techjason No other users are logged in. Fresh computer and install now with just the admin user and test user. You can see in the video below.