Posted on 01-22-2024 08:00 AM
We have an application, Coginiti Pro, that requires a user to have elevated rights before installing on the Mac, or else the install doesn't work correctly.
We use Jamf Pro, and currently I've added some text to the Self-Service installation page telling users they need to elevate their rights before running the install. We use the Privileges app for temporary rights elevation.
I was wondering if I could script this. The current Coginiti Pro install we use is a script rather than a PKG. I'd like to add some code to the script that says "check if the current user is running as a standard user". If so, I'd display a message reminding the user to elevate their rights before proceeding.
Is something like that possible?
Posted on 01-22-2024 08:04 AM
Here's the Extension Attribute I use:
#!/bin/bash
# Script to detect if a computer has a local admin account on it with a UID above 500
# Initialize array
list=()
# Generate list of users with UID greater than 500
for username in $(dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }'); do
    # Checks to see which usernames are reported as being admins. The
    # check is running dsmemberutil's check membership and listing the
    # accounts that are being reported as admin users. Actual check is
    # for accounts that are NOT not an admin (i.e. not standard users.)
    if [[ $(dsmemberutil checkmembership -U "${username}" -G admin) != *not* ]]; then
        # Any reported accounts are added to the array list
        list+=("${username}")
    fi
done
# Prints the array's list contents as a single space-separated string
echo "<result>${list[*]}</result>"
Posted on 01-22-2024 08:33 AM
As Self Service runs as root, why can't it be installed via Self Service?
Posted on 01-22-2024 08:39 AM
Remove the <results> and just have it echo the variable. The <results> field is for extension attributes only.
Posted on 01-22-2024 08:41 AM
The Coginiti Pro install runs as a script rather than a package. Our original Jamf packager stated this was done because of ongoing rights issues with the installer.
If a standard user runs the install from Self Service, they end up with a question mark icon for the application in their dock, the dmg file doesn't get mounted, and the application doesn't get installed into the /Applications folder.
Everything works correctly if the user has elevated their rights prior to the install.
Posted on 01-22-2024 08:47 AM
Looks like it's just a DMG from the vendor. What happens if you use Composer? Just start Composer... modified... start... then bin all the content, make an Applications folder, drag the app from the DMG to the Applications folder and make a pkg from that? Or use Simple Package Creator?
Posted on 01-22-2024 08:40 AM
Sorry, I misread the original post. You'd want something like this:
#!/bin/bash
# Get the user logged in at the console
user=$(/usr/bin/who | /usr/bin/awk '/console/{ print $1 }')
# Check whether that user is a member of the admin group
adminneeded=$(/usr/bin/dsmemberutil checkmembership -U "$user" -G admin)
# Temporarily Grant Admin Rights to Standard User for App Install
if [[ "$adminneeded" == *not* ]]; then
    /usr/sbin/dseditgroup -o edit -a "$user" -t user admin
    : # <<Do Work here>>
    /usr/sbin/dseditgroup -o edit -d "$user" -t user admin
else
    : # <<Do Work here>>
fi
exit 0
Posted on 02-13-2024 02:07 PM
Thanks for your explanation, Daniel. Wound up using code like this, based on your initial info:
#!/bin/bash
# Get user
user=$(/usr/bin/who | /usr/bin/awk '/console/{ print $1 }')
# Check membership
adminneeded=$(/usr/bin/dsmemberutil checkmembership -U "$user" -G admin)
# If user not elevated, display notification.
# If user is elevated, perform the installation.
if [[ "$adminneeded" == *not* ]]; then
    # User NOT elevated; show them the message
    # User is a standard user and needs to be notified to elevate before running the install.
    jh='/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper'
    jh_args=(
        -windowType hud
        -title "TITLE"
        -heading "Elevated user rights required"
        -icon /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/com.apple.pro-display-xdr.icns
        -alignHeading left
        -button1 "OK"
        -defaultButton 1
        -description
    )
    message="Coginiti Pro requires elevated rights to install."
    # Display message to user and exit the script
    "$jh" "${jh_args[@]}" "$message"
    exit 1
else
    # Run the install
    :
fi
exit 0
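Added example, not code from any poster in this thread: the `== *not*` test used above sends every output without the word "not" down the admin branch, including empty output when nobody is at the console or the lookup fails. The sketch below classifies the `dsmemberutil` answer into three states and aborts on anything unrecognized. The function names are hypothetical, and it assumes the two membership strings are the only answers `dsmemberutil` prints for a resolved user.

```shell
#!/bin/sh
# Added example: constructed inputs, hypothetical function names.

# Print the first user whose terminal is exactly "console" (who output on stdin).
# Matching field 2 avoids hits on user names that merely contain "console".
console_user_from_who() {
    awk '$2 == "console" { print $1; exit }'
}

# Map dsmemberutil's answer to admin | standard | unknown.
classify_membership() {
    case "$1" in
        "user is a member of the group")     echo admin ;;
        "user is not a member of the group") echo standard ;;
        *)                                   echo unknown ;;  # empty or error text
    esac
}

# decide USER OUTPUT -> install | notify | abort
decide() {
    case "$1" in
        ""|root|_*) echo abort; return 0 ;;  # login window or system account
    esac
    case "$(classify_membership "$2")" in
        admin)    echo install ;;
        standard) echo notify ;;
        *)        echo abort ;;
    esac
}

# On a Mac, feed in the same commands the thread uses.
if [ -x /usr/bin/dsmemberutil ]; then
    u=$(/usr/bin/who | console_user_from_who)
    decide "$u" "$(/usr/bin/dsmemberutil checkmembership -U "$u" -G admin 2>/dev/null)"
fi
```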