Posted on 06-12-2023 09:40 AM
I was searching around and looking for a possible way to start removing/limiting what users can install/do on their own. I run everything on JamF and I wanted to start cracking down on this as our Windows machines are pretty locked down on what a local user can do.
(Removes Local Admin.)
(Replace USERNAME with the user's name that you’d like to remove from admin.)
dseditgroup -o edit -d USERNAME -t user admin
----------------------------------------------------
(One user per machine.)
#!/bin/bash
# The <<< here-string is a bash feature, so the shebang is bash rather than sh
LoggedInUser=$(scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }')
dseditgroup -o edit -d "$LoggedInUser" -t user admin
----------------------------------------------------
(Change Standard Member -d to Admin Account -a.)
dseditgroup -o edit -a "$LoggedInUser" -t user admin
I found and formatted/referenced these scripts and I was wondering if this is still what is used for 2019+ MBPs, mainly the new M1/M2 devices, before I start a test environment.
Thank you for the future replies/guidance.
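An added example, not from any post in this thread, that goes with the dseditgroup commands above: a Jamf extension-attribute style audit that reports any local admin group member outside an allow-list, so you can verify across the fleet that a demotion actually stuck. The allow-list account "itadmin" and the sample dscl output are constructed assumptions.

```shell
#!/bin/bash
# Added example (not from the thread): list every member of the local admin group
# that is not on an expected list, so leftover admin rights show up in inventory.
# On a Mac the membership comes from:
#   dscl . -read /Groups/admin GroupMembership
# A constructed sample of that output is embedded so the parser runs offline.

# Accounts allowed to stay admins (assumption: the IT admin account is "itadmin").
EXPECTED_ADMINS="root itadmin"

# Constructed sample of the dscl line on a Mac where a user kept admin rights.
SAMPLE_DSCL_OUTPUT="GroupMembership: root itadmin jsmith"

# parse_admins: turn the dscl line into one account name per line.
parse_admins() {
    printf '%s\n' "$1" | sed -n 's/^GroupMembership: *//p' | tr -s ' ' '\n' | sed '/^$/d'
}

# is_expected: succeed if the account is on the allow-list (whole-word match).
is_expected() {
    case " $EXPECTED_ADMINS " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# unexpected_admins: print each admin account that is not expected, one per line.
unexpected_admins() {
    parse_admins "$1" | while read -r account; do
        is_expected "$account" || printf '%s\n' "$account"
    done
}

# ea_result: wrap the answer in the <result> tags a Jamf extension attribute expects.
ea_result() {
    extra=$(unexpected_admins "$1" | tr '\n' ' ' | sed 's/ $//')
    if [ -z "$extra" ]; then
        printf '<result>OK</result>\n'
    else
        printf '<result>%s</result>\n' "$extra"
    fi
}

# On a real Mac read the live group; elsewhere fall back to the constructed sample.
if command -v dscl >/dev/null 2>&1; then
    ea_result "$(dscl . -read /Groups/admin GroupMembership)"
else
    ea_result "$SAMPLE_DSCL_OUTPUT"
fi
```

This reads direct membership only; for a single account, `dseditgroup -o checkmember -m "$user" admin` also accounts for nested group membership.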
Posted on 06-12-2023 10:48 AM
Take a look at the following options; this might make your life a little bit easier 😉
https://github.com/SAP/macOS-enterprise-privileges
https://www.beyondtrust.com
06-12-2023 10:54 AM - edited 06-12-2023 10:55 AM
Hey Dolf,
Thanks for the response - I'm looking for something more in line with JamF.
Not having to use a third party application to take care of this as I'm already on JamF.
Posted on 06-12-2023 11:06 AM
In that case take a look at the following; this probably gives you an idea
https://community.jamf.com/t5/jamf-pro/promote-standard-account-to-admin-account/m-p/191499
https://community.jamf.com/t5/jamf-pro/policy-and-or-script-to-allow-user-to-administer-computer/td-...
https://community.jamf.com/t5/jamf-pro/help-with-script-to-give-local-admin-rights-to-log-in-user/td...
Posted on 06-13-2023 04:17 PM
Are you demoting your developers? If so, I would look into third-party apps. You don't want to be stuck troubleshooting their code and IDE installations (plus sudo permissions in Terminal). The sheer amount of things that BeyondTrust manages for us is mind boggling. If this is for everyday users...then you should be okay unless they need installs (something like Installomator should solve that) or need to interact with specific System Settings panes.
Posted on 06-14-2023 02:42 PM
Yeah if that's what it's called. More or less I want it to operate like Windows where if a user wants to install something or remove anything software-wise they will need admin credentials from IT. There is no way to set up a policy to have this in place via jamf?
Posted on 09-14-2023 11:49 AM
My script for temporary admin (with a 30 min timer)
Reference & Credit: https://github.com/pseymour/MakeMeAdmin
#!/bin/bash
###############################################
# This script will provide temporary admin    #
# rights to a standard user right from Self   #
# Service. First it will grab the username of #
# the logged in user, elevate them to admin   #
# and then create a launch daemon that will   #
# count down from 30 minutes and then run a   #
# secondary script that will demote the user  #
# back to a standard account. The launch      #
# daemon also runs at boot, so a restart      #
# demotes the user straight away.             #
# Self Service runs this as root, so no sudo  #
# is needed anywhere below.                   #
###############################################
#############################################
# find the logged in user and let them know #
#############################################
currentUser=$(who | awk '/console/{print $1}')
echo "$currentUser"
osascript -e 'display dialog "You now have administrative rights for 30 minutes. " buttons {"Make me an admin, please"} default button 1'
########################################
# write the script the launch daemon   #
# runs to demote the user back and     #
# then pull logs of what the user did. #
# It is written BEFORE the daemon is   #
# loaded so RunAtLoad never finds it   #
# missing.                             #
########################################
cat << 'EOF' > "/Library/Application Support/JAMF/removeAdminRights.sh"
#!/bin/sh
if [ -f /private/var/userToRemove/user ]; then
  userToRemove=$(cat /private/var/userToRemove/user)
  echo "Removing $userToRemove's admin privileges"
  /usr/sbin/dseditgroup -o edit -d "$userToRemove" -t user admin
  rm -f /private/var/userToRemove/user
  log collect --last 30m --output "/private/var/userToRemove/$userToRemove.logarchive"
  # Delete the plist first: unloading the daemon kills this very script,
  # so an rm placed after the unload would never run.
  rm -f /Library/LaunchDaemons/removeAdmin.plist
  launchctl remove removeAdmin
fi
EOF
#########################################################
# write a daemon that will run the removal script every #
# 30 minutes and at boot, chmod/chown to make sure it   #
# will run, then load the daemon                        #
#########################################################
#Create the plist
defaults write /Library/LaunchDaemons/removeAdmin.plist Label -string "removeAdmin"
#Add program argument to have it run the removal script
defaults write /Library/LaunchDaemons/removeAdmin.plist ProgramArguments -array -string /bin/sh -string "/Library/Application Support/JAMF/removeAdminRights.sh"
#Set the run interval to 30 minutes (1800 seconds)
defaults write /Library/LaunchDaemons/removeAdmin.plist StartInterval -integer 1800
#Set run at load, so a reboot demotes the user immediately
defaults write /Library/LaunchDaemons/removeAdmin.plist RunAtLoad -boolean yes
#Set ownership
chown root:wheel /Library/LaunchDaemons/removeAdmin.plist
chmod 644 /Library/LaunchDaemons/removeAdmin.plist
#Load the daemon (RunAtLoad fires now, but the user file does not exist yet, so it does nothing)
launchctl load /Library/LaunchDaemons/removeAdmin.plist
sleep 10
#########################
# make file for removal #
#########################
mkdir -p /private/var/userToRemove
# overwrite rather than append: the removal script expects exactly one username in this file
echo "$currentUser" > /private/var/userToRemove/user
##################################
# give the user admin privileges #
##################################
/usr/sbin/dseditgroup -o edit -a "$currentUser" -t user admin
#####################################
# Prompts a timer and cancel button #
#####################################
# The icon path is optional; point it at an icon that exists on your Macs
CancelbuttonClicked=$("/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" \
-windowType hud \
-lockHUD \
-title "Admin Access Timer" \
-heading "You have been granted Admin access." \
-description "The admin access will be lost if the computer has been restarted or logged out." \
-icon "/Applications/Install macOS Mojave.app/Contents/Resources/InstallAssistant.icns" \
-iconSize 28 \
-button1 "Cancel Admin" \
-defaultbutton "1" \
-countdown \
-timeout 1800)
# jamfHelper prints 0 when button 1 is clicked, and also when the countdown expires
if [ "$CancelbuttonClicked" = "0" ]; then
echo "Cancel button pressed or timer expired"
osascript -e 'display notification "Your admin privileges have been revoked." with title "Admin Access Timer"'
/usr/sbin/dseditgroup -o edit -d "$currentUser" -t user admin
rm -f /private/var/userToRemove/user
# the daemon may already have removed itself at the 30 minute mark, so ignore errors here
launchctl unload /Library/LaunchDaemons/removeAdmin.plist 2>/dev/null
rm -f /Library/LaunchDaemons/removeAdmin.plist
echo "Admin privileges revoked."
fi
exit 0