Removing Local Admin Privileges - Limit Users

Take a look at following options this might make your life a little bit more easy 😉

https://github.com/SAP/macOS-enterprise-privileges 
https://www.beyondtrust.com

Hey Dolf,

Thanks for the response - I'm looking for something more in line to JamF.

Not having to use a third party application to take care of this as I'm already on JamF. 

In that case take a look at following this probably gives you an idea

https://community.jamf.com/t5/jamf-pro/promote-standard-account-to-admin-account/m-p/191499
https://community.jamf.com/t5/jamf-pro/policy-and-or-script-to-allow-user-to-administer-computer/td-p/268610
https://community.jamf.com/t5/jamf-pro/help-with-script-to-give-local-admin-rights-to-log-in-user/td-p/200660

Are you demoting your developers? If so, I would look into third-party apps. You don't want to be stuck troubleshooting their code and IDE installations. (plus sudo permissions in terminal) The shear amount of things that BeyondTrust manages for us is mind boggling. If this is for everyday users...then you should be okay unless they need installs (Something like installomator should solve that) or need to interact with specific system settings panes.

Yeah if that's what it's called. More or less I want it to operate like windows where if a user wants to install something or remove anything software wise they will need admin credentials from IT. There is no way to setup a policy to have this in place via jamf? 

my script to temporary admin (with 30 min timer)
Reference & Credit: https://github.com/pseymour/MakeMeAdmin

#!/bin/bash




###############################################

# This script will provide temporary admin    #

# rights to a standard user right from self   #

# service. First it will grab the username of #

# the logged in user, elevate them to admin   #

# and then create a launch daemon that will   #

# count down from 30 minutes and then create  #

# and run a secondary script that will demote #

# the user back to a standard account. The    #

# launch daemon will continue to count down   #

# no matter how often the user logs out or    #

# restarts their computer.                    #

###############################################




#############################################

# find the logged in user and let them know #

#############################################




currentUser=$(who | awk '/console/{print $1}')

echo $currentUser




osascript -e 'display dialog "You now have administrative rights for 30 minutes. " buttons {"Make me an admin, please"} default button 1'




#########################################################

# write a daemon that will let you remove the privilege #

# with another script and chmod/chown to make  #

# sure it'll run, then load the daemon #

#########################################################




#Create the plist

sudo defaults write /Library/LaunchDaemons/removeAdmin.plist Label -string "removeAdmin"




#Add program argument to have it run the update script

sudo defaults write /Library/LaunchDaemons/removeAdmin.plist ProgramArguments -array -string /bin/sh -string "/Library/Application Support/JAMF/removeAdminRights.sh"




#Set the run inverval to run every 7 days

sudo defaults write /Library/LaunchDaemons/removeAdmin.plist StartInterval -integer 1800




#Set run at load

sudo defaults write /Library/LaunchDaemons/removeAdmin.plist RunAtLoad -boolean yes




#Set ownership

sudo chown root:wheel /Library/LaunchDaemons/removeAdmin.plist

sudo chmod 644 /Library/LaunchDaemons/removeAdmin.plist




#Load the daemon 

launchctl load /Library/LaunchDaemons/removeAdmin.plist

sleep 10




#########################

# make file for removal #

#########################




if [ ! -d /private/var/userToRemove ]; then

 mkdir /private/var/userToRemove

 echo $currentUser >> /private/var/userToRemove/user

 else

 echo $currentUser >> /private/var/userToRemove/user

fi




##################################

# give the user admin privileges #

##################################




/usr/sbin/dseditgroup -o edit -a $currentUser -t user admin




#####################################

# Prompts a timer and cancel button #

#####################################

 CancelbuttonClicked=$(/Library/Application\\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper \\

 -windowType hud \\

 -lockHUD \\

 -title "Admin Access Timer" \\

 -heading "You have been granted Admin access." \\

 -description "The admin access will be lost if the computer has been restarted or logged out." \\

    -icon "/Applications/Install macOS Mojave.app/Contents/Resources/InstallAssistant.icns" \\

 -iconSize 28 \\

 -button1 "Cancel Admin" \\

    -defaultbutton "1" \\

 -countdown \\

 -timeout 1800) 

if [ $CancelbuttonClicked == 0 ]; then

    echo "Cancel button pressed"

    osascript -e 'display notification "Your admin privileges have been revoked." with title "Admin Access Timer"'

    /usr/sbin/dseditgroup -o edit -d $currentUser -t user admin

    launchctl unload /Library/LaunchDaemons/removeAdmin.plist

    rm /Library/LaunchDaemons/removeAdmin.plist

    echo "Admin privileges revoked."

fi

########################################

# write a script for the launch daemon #

# to run to demote the user back and   #

# then pull logs of what the user did. #

########################################




cat << 'EOF' > /Library/Application\\ Support/JAMF/removeAdminRights.sh

if [[ -f /private/var/userToRemove/user ]]; then

 userToRemove=$(cat /private/var/userToRemove/user)

 echo "Removing $userToRemove's admin privileges"

 /usr/sbin/dseditgroup -o edit -d $userToRemove -t user admin

 rm -f /private/var/userToRemove/user

 log collect --last 30m --output /private/var/userToRemove/$userToRemove.logarchive

    launchctl unload /Library/LaunchDaemons/removeAdmin.plist

 rm /Library/LaunchDaemons/removeAdmin.plist




fi

EOF




exit 0