Posted on 03-19-2015 09:38 AM
I'd like to be able to have the admin rights expire for the users 1 yr after being assigned in the policy. Is there a way to do that? Probably something that detects the date they were assigned, then a daemon that gets created and counts down or looks for a specific date 1 yr from that time?
Posted on 03-19-2015 09:47 AM
Are you talking about local accounts or AD/LDAP accounts? One year is a long way out, but it's possible to have a LaunchDaemon created with a specific CalendarStartInterval setting set for one year out from a specific time.
I can't write up anything more succinct than the above at the moment, but when I have a chance, I will post back with some more details on what may work.
Posted on 03-19-2015 09:49 AM
You could look at a popular temporary admin rights method here.
Why a year?
Posted on 03-19-2015 09:57 AM
Also check out the session presented at JNUC 2013
Getting Users to Do Your Job (Without Them Knowing It) by @Andrina
Posted on 03-19-2015 10:08 AM
Why a year... I have no idea; that's what the PC side has with over 70k machines, so they want the Macs to do the same.
The Self Service method got shot down because then there wouldn't be any governance over who got or didn't get them.
Posted on 03-19-2015 10:09 AM
I don't think you're looking at it from the right angle.
You'd scope it to the person you're giving admin rights to, not make it available for everyone.
Posted on 03-19-2015 10:18 AM
Technically, we are granting admin to all local accounts per machine; how would that change to give it to a specific account per machine?
And we'd still have the max-of-1-year issue, I guess, but maybe that would be a moot point. I submitted the question to the interested parties...
Posted on 03-19-2015 10:29 AM
If you're granting admin to all local users on the machine, add the staff group to the admin group in OS X. That should automatically grant all the local users admin rights on a machine, but not include AD users.
That said, if you're granting admin to all local users anyway, where does the governance angle come in?
Posted on 03-19-2015 10:45 AM
@rtrouton, we don't actually want all users to have admin on the box; it was just how the script ran. We'd much prefer just the requested user.
Posted on 03-19-2015 11:30 AM
How does this user actually request admin rights? Let's assume there's some process that lands them in an AD group; you could create a policy scoped to this group, triggered by whatever makes sense to you (check-in, all, whatever). It would run a modified version of the "temporary admin" script referenced above, which would add the user to the admin group, and then create a LaunchDaemon with the current date + 1 year CalendarStartInterval which removes the admin rights.
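Below is an added example of the grant-then-schedule-removal approach described in this thread. It is not the temporary admin script linked above and not code from any poster; the install path /usr/local/bin/temp_admin.sh, the label prefix com.example.tempadmin and the 09:00 run time are placeholders chosen for the example. It departs from a one-shot "current date + 1 year" interval in one respect: launchd's StartCalendarInterval dictionary accepts only Minute, Hour, Day, Weekday and Month (there is no Year key), so a single calendar entry would match every year and a run missed because the Mac was powered off would leave the rights in place. The daemon therefore runs once a day and compares today's date with an expiry date it carries in its own ProgramArguments; the revoke branch also deletes the daemon so the account does not keep an orphaned job.

```shell
#!/bin/sh
# Added example, not code from the thread: grant one named local account admin
# rights and remove them again one year later.
# Assumptions (placeholders for this example): runs as root on macOS, this file
# lives at /usr/local/bin/temp_admin.sh, and the label prefix below is unused.

SELF="/usr/local/bin/temp_admin.sh"
LABEL_PREFIX="com.example.tempadmin"
DAEMON_DIR="/Library/LaunchDaemons"

# Print YYYYMMDD one year after the given year, month and day. Leading zeros
# are stripped before arithmetic so "08" is not read as octal. 29 Feb is
# clamped to 28 Feb when the target year is not a leap year.
expiry_date() {
    y=$1; m=$((${2#0})); d=$((${3#0}))
    ny=$((y + 1))
    if [ "$m" -eq 2 ] && [ "$d" -eq 29 ]; then
        if [ $((ny % 4)) -ne 0 ] || { [ $((ny % 100)) -eq 0 ] && [ $((ny % 400)) -ne 0 ]; }; then
            d=28
        fi
    fi
    printf '%04d%02d%02d\n' "$ny" "$m" "$d"
}

# Succeed when today (YYYYMMDD) is on or after the expiry date.
is_expired() {
    [ "$1" -ge "$2" ]
}

# Render the LaunchDaemon plist for one user to stdout. The job runs every
# day at 09:00 and re-invokes this script in "check" mode with the expiry
# date embedded, because StartCalendarInterval cannot express a year.
render_plist() {
    user=$1; expiry=$2
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>${LABEL_PREFIX}.${user}</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>${SELF}</string>
        <string>check</string>
        <string>${user}</string>
        <string>${expiry}</string>
    </array>
    <key>StartCalendarInterval</key>
    <dict>
        <key>Hour</key>
        <integer>9</integer>
        <key>Minute</key>
        <integer>0</integer>
    </dict>
</dict>
</plist>
EOF
}

# Mode "grant": add the account to the admin group and install the daily check.
grant() {
    user=$1
    expiry=$(expiry_date "$(date +%Y)" "$(date +%m)" "$(date +%d)")
    plist="${DAEMON_DIR}/${LABEL_PREFIX}.${user}.plist"
    dseditgroup -o edit -a "$user" -t user admin
    render_plist "$user" "$expiry" > "$plist"
    chown root:wheel "$plist"
    chmod 644 "$plist"
    launchctl load -w "$plist"
    echo "admin granted to $user until $expiry"
}

# Mode "check": run by launchd daily; do nothing until the expiry date, then
# remove the rights and unregister the job (plist first, then the label).
check() {
    user=$1; expiry=$2
    plist="${DAEMON_DIR}/${LABEL_PREFIX}.${user}.plist"
    is_expired "$(date +%Y%m%d)" "$expiry" || exit 0
    dseditgroup -o edit -d "$user" -t user admin
    echo "admin revoked from $user"
    rm -f "$plist"
    launchctl remove "${LABEL_PREFIX}.${user}"
}

case "$1" in
    grant) grant "$2" ;;
    check) check "$2" "$3" ;;
esac
```

Usage is `sudo /usr/local/bin/temp_admin.sh grant alice`; from a policy scoped to the requesting user the account name would come from the policy's script parameter instead of the command line. Because the expiry date is baked into the plist, an inventory of /Library/LaunchDaemons shows exactly which accounts hold time-limited admin and when each grant ends, which is the governance record the earlier posts were asking for.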