Posted on 09-17-2020 04:54 AM
Just curious if anyone has had the need to do this.
I am using a LAPS-like password rotation policy and I want to run this on the account our IT techs set up. However, I don't want it to rotate the password until after they have completed setting up the device.
The easiest way for this, I think, is to simply not run the policy if our Helpdesk account is currently logged in. If this is not possible I think I can just do an IF statement in the script with $3 to do a check for this.
Curious on the thoughts of people who are wiser than I.
Posted on 09-17-2020 05:44 AM
I would always use a Self Service policy if I want to run it when I login then run it when I am ready.
You can scope based on users and just add the account/s you want to be able to run the policy. You can also put user accounts in the exclusions section.
You would have to have your Helpdesk account set up in Jamf. I've only done this sort of thing with a Jamf LDAP account. Not sure it would work with a standard account and a local ID on the Mac.
Posted on 09-17-2020 06:23 AM
You could add something like this to the beginning of your script.
#!/bin/sh
# Short name of the account that currently owns the console (the logged-in GUI user).
consoleUser=$( /usr/bin/stat -f%Su /dev/console )
# Bail out before rotating when one of the excluded accounts is at the console.
# Note: "=" is the portable test(1) comparison; "==" is a bash extension and is not
# guaranteed to work under /bin/sh.
if [ "$consoleUser" = "ITADMING" ] || [ "$consoleUser" = "SOMEOTHERUSER" ]; then
    echo "Console user is: $consoleUser, not rotating password"
    exit 0
fi
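A fuller version of that check, added here as an example rather than code from the thread: it makes the excluded-account list data-driven, prefers the username Jamf passes to policy scripts as $3 (as the original poster suggested) and falls back to the console owner, and treats the login window and Setup Assistant states (loginwindow, root, _mbsetupuser) as "nobody logged in". The account names ITADMIN and helpdesk are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Decides whether a Jamf policy script should skip
# a LAPS-style rotation because an excluded (helpdesk) account is at the console.
# Assumes Jamf passes the logged-in user as $3; account names below are constructed.

EXCLUDED_USERS="ITADMIN helpdesk"

# Return 0 (true) when $1 is one of the space-separated names in $2.
is_excluded_user() {
    user="$1"
    list="$2"
    for candidate in $list; do
        [ "$user" = "$candidate" ] && return 0
    done
    return 1
}

# Print the short name of the user at the console, or nothing when nobody is logged in.
# Prefers the Jamf-supplied name in $1; otherwise asks who owns /dev/console.
# loginwindow, root and _mbsetupuser mean login window / Setup Assistant, not a person.
console_user() {
    jamf_user="$1"
    if [ -n "$jamf_user" ]; then
        name="$jamf_user"
    else
        name=$( /usr/bin/stat -f%Su /dev/console 2>/dev/null || true )
    fi
    case "$name" in
        ""|loginwindow|root|_mbsetupuser) printf '' ;;
        *) printf '%s' "$name" ;;
    esac
}

# Print "skip" when an excluded account is at the console, otherwise "rotate".
rotation_decision() {
    user=$( console_user "$1" )
    if [ -n "$user" ] && is_excluded_user "$user" "$EXCLUDED_USERS"; then
        echo "skip"
    else
        echo "rotate"
    fi
}

# Usage at the top of the Jamf policy script (only runs when Jamf supplied $3).
if [ -n "${3:-}" ] && [ "$( rotation_decision "$3" )" = "skip" ]; then
    echo "Console user is $3; not rotating password"
    exit 0
fi
```

An empty result from console_user is deliberately treated as "rotate", so the policy still runs at the login window once the technician has logged out.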