Privileges app and PPC fun

New Contributor II

So I am doing a POC using the SAP privileges app and the @rtrouton mastery, as defined by the flow here, which allows for the extending of privileges for a given user:

I'm (perhaps unsurprisingly) running into PPPC issues. The final piece of the puzzle relies on a Jamf policy called by a script which is checking the timing of the admin privileges. In other words, if the user has exceeded the time limit, a call is made to Jamf (via custom event) to run a script asking if you need more time or should be demoted to standard user (and BTW using Jamf because "demoting locally without use of jamfPro would require you to sign the script AND there are no auditable logs")

But I can not get the pop-up box asking the question about a possible extension to show up. This is an osascript piece built into the script run by the jamf policy. I have tried creating a PPPC config profile allowing Finder access by Jamf, osascript and terminal, and none of them seem to work... Of course allowing it manually (when prompted initially by the Mac GUI) works great, but I'd like to avoid this for the end user and have it all be seamless.

I realize I said PPPC and seamless in the same post, forgive me.

Has anybody dealt with this? Am I missing something obvious here?


Contributor II

I might have had a similar issue and solved by using something like osascript -e 'text returned of (display dialog "The question you want to ask the user?" default answer "" buttons "Okay" default button 1)'

Release Candidate Programs Tester

Don't know if it suits your needs, but I opted for a simpler approach for a fixed-period promotion. It doesn't prompt the user when they are demoted, but they can easily just promote themselves again.

This script is designed to be run from Self Service, and uses Parameter 4 to set the number of minutes that the user should be elevated. It writes and runs a temporary script on the client, which runs for the duration of that time, just by using a sleep command between the PrivilegesCLI --add and PrivilegesCLI --remove commands. That script is called as a background process from the Jamf script so that the policy doesn't need to run for the duration of the period. It also writes a LaunchAgent to return the user to standard on login in case they do clever things like kill the process.

I've only just released this so time will tell if it's effective. Initial tests are good.

New Contributor II

@grahamrpugh How are you preventing users from just running the PrivilegesCLI or the app themselves?