Posted on 02-01-2022 09:33 AM
Just an FYI - I see Mosyle introduced a new feature "Admin On-Demand".
This might be a compelling solution. Wonder if Jamf has a similar tool in the works?
Posted on 02-01-2022 10:24 AM
It is compelling. The action recording is certainly a nice to have. Depends on how similar a tool you want? If it's just temporary privilege escalation then why ask Jamf to implement something when the SAP Privileges app can fill that need? It can be configured using an uploaded plist or custom schema to set its preferences, or build out a script or launch agent that can call the privileges-cli binary.
Posted on 02-02-2022 06:15 AM
The key is in SAP's own support section: "This project is 'as-is' with no support, no changes being made. You are welcome to make changes to improve it but we are not available for questions or support of any kind."
A lot of places need and expect support for the tools they've purchased, and to be told to just use an open source solution is both impractical as well as poor form. Seeing competitors constantly push out new tools or offerings while much of Jamf has seemingly stagnated or only really works because of community contribution, while being charged a premium for it, leaves a bad taste.
02-02-2022 08:08 AM - edited 04-13-2022 01:35 PM
Agree 100% just providing my own .02 cents opinion. Jamf should be considering this as they become more and more security focused each year. Narrowing the use of administrative accounts is a CIS control that I believe everyone should be implementing.
As far as deploying SAP Privileges here. I'm in the K12 EDU sector which often leans on community contributions and simpler tools like this pass the buck easily. It's that or scripting like the one suggestion below or providing an admin account without console login permissions.
Mosyle is an MDM only, so I'm interested in how they're achieving this, as I use Mosyle as well and they don't have a client-side binary to fall back on like Jamf Pro. They're more in line with Jamf School.
02-02-2022 07:10 AM - edited 02-02-2022 07:11 AM
I use the following script to grant temp admin access (note: not my script and I can't remember where I found it). I've been using it since Catalina through Monterey with no issues.
I have it in a Self Service Policy with a static group.
#!/bin/bash
###############################################
# This script will provide temporary admin    #
# rights to a standard user right from Self   #
# Service. First it grabs the username of     #
# the logged-in user, elevates them to admin  #
# and then creates a launch daemon that will  #
# count down (default 5 minutes, set by the   #
# StartInterval below) and then run a         #
# secondary script that demotes the user      #
# back to a standard account. The launch      #
# daemon will continue to count down no       #
# matter how often the user logs out or       #
# restarts their computer.                    #
###############################################
#############################################
# find the logged in user and let them know #
#############################################
currentUser=$(who | awk '/console/{print $1}')
echo "$currentUser"
osascript -e 'display dialog "You now have administrative rights for 5 minutes. DO NOT ABUSE THIS PRIVILEGE..." buttons {"Make me an admin, please"} default button 1'
#########################################################
# write a daemon that will let you remove the privilege #
# with another script and chmod/chown to make           #
# sure it'll run, then load the daemon                  #
#########################################################
# Create the plist
sudo defaults write /Library/LaunchDaemons/removeAdmin.plist Label -string "removeAdmin"
# Add program arguments to have it run the removal script
sudo defaults write /Library/LaunchDaemons/removeAdmin.plist ProgramArguments -array -string /bin/sh -string "/Library/Application Support/JAMF/removeAdminRights.sh"
# Set the run interval. Change the integer for time (in seconds); default set to 5 minutes - SMG
sudo defaults write /Library/LaunchDaemons/removeAdmin.plist StartInterval -integer 300
# Set run at load (so the countdown also fires after a restart)
sudo defaults write /Library/LaunchDaemons/removeAdmin.plist RunAtLoad -boolean yes
# Set ownership (launchd refuses daemons that are not root:wheel and 644)
sudo chown root:wheel /Library/LaunchDaemons/removeAdmin.plist
sudo chmod 644 /Library/LaunchDaemons/removeAdmin.plist
# Load the daemon
sudo launchctl load /Library/LaunchDaemons/removeAdmin.plist
# Give the RunAtLoad run a moment to fire (and find nothing to do) before the
# user file is written below, otherwise the user could be demoted right away
sleep 10
#########################
# make file for removal #
#########################
mkdir -p /private/var/userToRemove
# overwrite rather than append, so the removal script reads exactly one username
echo "$currentUser" > /private/var/userToRemove/user
##################################
# give the user admin privileges #
##################################
/usr/sbin/dseditgroup -o edit -a "$currentUser" -t user admin
########################################
# write a script for the launch daemon #
# to run to demote the user back and   #
# then pull logs of what the user did. #
########################################
cat << 'EOF' > "/Library/Application Support/JAMF/removeAdminRights.sh"
#!/bin/sh
if [ -f /private/var/userToRemove/user ]; then
    userToRemove=$(cat /private/var/userToRemove/user)
    echo "Removing $userToRemove's admin privileges"
    /usr/sbin/dseditgroup -o edit -d "$userToRemove" -t user admin
    rm -f /private/var/userToRemove/user
    # collect the logs first: unloading the daemon below stops this very job
    log collect --last 30m --output "/private/var/userToRemove/$userToRemove.logarchive"
    launchctl unload /Library/LaunchDaemons/removeAdmin.plist
    rm -f /Library/LaunchDaemons/removeAdmin.plist
fi
EOF
exit 0
Posted on 02-03-2022 08:17 AM
This is the Jamf-provided "MakeMeAnAdmin" solution from their GitHub repo.
https://github.com/jamf/MakeMeAnAdmin/blob/master/MakeMeAnAdmin.sh
Posted on 07-07-2022 11:09 AM
Any clue on how to modify this to work for 24 hours instead of 30 minutes?
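The mechanism in the script above, written as an added example that is not the thread's script nor Jamf's MakeMeAnAdmin: the duration is a parameter ("30m", "24h", ...), and instead of relying on the daemon's StartInterval as the timer, the grant writes a deadline (epoch seconds) to disk and the launchd job checks it every minute. That way a 24-hour grant is `grant_temp_admin "$user" 24h`, and a reboot in the middle resumes the countdown instead of demoting immediately or restarting the clock. The label `com.example.tempadmin`, the state directory and the file paths are assumptions for illustration; the macOS-only commands (`dseditgroup`, `launchctl`, `chown`) run only on Darwin, so the plist and script generation can be exercised on any shell.

```shell
#!/bin/bash
# Added example, not the thread's script: temporary admin with a configurable
# duration and an on-disk deadline that survives reboots. Label and paths are
# assumptions; macOS-only commands are guarded so the helpers run anywhere.
set -eu

LABEL="com.example.tempadmin"                                # assumed label
STATE_DIR="${STATE_DIR:-/private/var/tempadmin}"             # assumed path
DAEMON_PLIST="${DAEMON_PLIST:-/Library/LaunchDaemons/$LABEL.plist}"
DEMOTE_SCRIPT="${DEMOTE_SCRIPT:-$STATE_DIR/demote.sh}"

# duration_to_seconds 24h -> 86400. Accepts N, Ns, Nm, Nh or Nd; returns 1 otherwise.
duration_to_seconds() {
  local spec="$1" num unit
  num="${spec%[smhd]}"
  unit="${spec#"$num"}"
  case "$num" in ''|*[!0-9]*) return 1 ;; esac
  case "$unit" in
    ''|s) echo "$num" ;;
    m)    echo $((num * 60)) ;;
    h)    echo $((num * 3600)) ;;
    d)    echo $((num * 86400)) ;;
    *)    return 1 ;;
  esac
}

# True once the stored deadline (epoch seconds) has passed.
deadline_reached() {  # $1 = now, $2 = deadline
  [ "$1" -ge "$2" ]
}

# launchd job: run the demote script at load and every 60 s. The script removes
# the job once the deadline passes, so a reboot simply resumes the countdown.
write_daemon_plist() {  # $1 = plist path, $2 = label, $3 = demote script path
  cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>$2</string>
  <key>ProgramArguments</key>
  <array><string>/bin/sh</string><string>$3</string></array>
  <key>StartInterval</key><integer>60</integer>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
}

# The script launchd runs as root. Runtime variables are escaped (\$) so they
# are evaluated when the generated script runs, not when it is written.
write_demote_script() {  # $1 = script path, $2 = state dir, $3 = plist path, $4 = label
  cat > "$1" <<EOF
#!/bin/sh
STATE_DIR="$2"
[ -f "\$STATE_DIR/user" ] && [ -f "\$STATE_DIR/deadline" ] || exit 0
[ "\$(date +%s)" -ge "\$(cat "\$STATE_DIR/deadline")" ] || exit 0
user=\$(cat "\$STATE_DIR/user")
/usr/sbin/dseditgroup -o edit -d "\$user" -t user admin
echo "\$(date -u +%FT%TZ) demoted \$user" >> "\$STATE_DIR/audit.log"
rm -f "\$STATE_DIR/user" "\$STATE_DIR/deadline" "$3"
/bin/launchctl remove "$4"   # last step: this also stops the running job
EOF
  chmod 755 "$1"
}

# grant_temp_admin USER DURATION: records the grant, installs the job, elevates.
# Prints the deadline (epoch seconds).
grant_temp_admin() {
  local user="$1" seconds deadline
  seconds=$(duration_to_seconds "$2") || { echo "bad duration: $2" >&2; return 1; }
  deadline=$(( $(date +%s) + seconds ))
  mkdir -p "$STATE_DIR"
  printf '%s\n' "$user" > "$STATE_DIR/user"          # overwrite, never append
  printf '%s\n' "$deadline" > "$STATE_DIR/deadline"
  echo "$(date -u +%FT%TZ) granted $user admin for ${seconds}s" >> "$STATE_DIR/audit.log"
  write_demote_script "$DEMOTE_SCRIPT" "$STATE_DIR" "$DAEMON_PLIST" "$LABEL"
  write_daemon_plist "$DAEMON_PLIST" "$LABEL" "$DEMOTE_SCRIPT"
  if [ "$(uname)" = Darwin ]; then
    chown root:wheel "$DAEMON_PLIST" && chmod 644 "$DAEMON_PLIST"
    /usr/sbin/dseditgroup -o edit -a "$user" -t user admin
    /bin/launchctl load "$DAEMON_PLIST"
  fi
  echo "$deadline"
}

# From a Jamf policy (runs as root): grant_temp_admin "$(stat -f %Su /dev/console)" 24h
if [ "$#" -ge 2 ]; then grant_temp_admin "$1" "$2"; fi
```

The audit.log line written at grant time and again at demotion gives you a local record of who held admin and for how long, which is the piece the original script only approximates with `log collect`; both files live under the root-owned state directory, so the elevated user cannot quietly extend their own deadline by editing it.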
Posted on 04-13-2022 11:16 AM
Is there a script to elevate users to Admin? I don't want temp access, I want to take a group in Okta and elevate them to Admin on their local devices.
Posted on 04-13-2022 11:37 AM
dscl . -append /groups/admin GroupMembership USERNAME