Posted on 10-07-2022 12:23 PM
I am putting together a simple script that will allow a user, when added to the appropriate scope, to have access to a button on self-service that will promote the user to a local admin for a preset number of minutes, say 15 minutes. Then after the 15-minute interval expires, the script removes them from the admin group.
It works, but during that 15-minute interval, the self-service icon spins the in-progress wheel.
I would prefer it to execute and have the self-service button complete, then in 15 minutes demote the user.
It is likely the command I am using to sleep for 900 seconds.
#!/bin/bash
## query the system for the current console user, ignoring loginwindow
user=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )
## stop if nobody is logged in at the console
[ -n "$user" ] || exit 1
## add that user to the admin group
dseditgroup -o edit -a "$user" -t user admin
## after fifteen minutes
sleep 900
## remove that user from admin group
dseditgroup -o edit -d "$user" -t user admin
Posted on 10-07-2022 05:21 PM
Yes, the issue is that the script is still running.
You could create a hidden file when promoting the user to admin and use it in an EA. The EA would be criteria from a smart group. If the hidden file exists, the machine is placed into the smart group. The smart group is scoped to a policy which sleeps 900 seconds, demotes the current user, removes the hidden file, and runs inventory collection.
After the hidden file is created (signifying the user is promoted), make sure to either run inventory collection in the maintenance payload in the policy, or do a recon in your script. This will make sure the EA gets updated.
Other policies will be blocked from running while the sleep is occurring, just FYI.
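The marker-file workflow from the reply above, sketched as an added example that is not code from either poster: one file holding the Self Service promote step, the extension attribute check, and the smart-group demote step. The marker path, the mode words and the choice to store the promoted username in the marker are assumptions made for this sketch.

```shell
#!/bin/bash
# Added example. MARKER path and the mode words are hypothetical names.
MARKER="${MARKER:-/private/var/db/.temp_admin}"
HOLD_SECONDS="${HOLD_SECONDS:-900}"

console_user() {
  printf 'show State:/Users/ConsoleUser\n' | scutil |
    awk '/Name :/ && ! /loginwindow/ { print $3 }'
}

# Self Service policy: promote, record who was promoted, then return at once.
promote() {
  [ -n "$1" ] || return 1
  dseditgroup -o edit -a "$1" -t user admin || return 1
  printf '%s\n' "$1" > "$MARKER"
  jamf recon          # inventory update so the EA value changes
}

# Extension attribute body: the smart group matches on "promoted".
# In an EA script, paste this function and call it directly.
ea_result() {
  if [ -f "$MARKER" ]; then
    echo "<result>promoted</result>"
  else
    echo "<result>not promoted</result>"
  fi
}

# Policy scoped to the smart group: wait, demote, clean up, update inventory.
demote() {
  [ -f "$MARKER" ] || return 0
  promoted=$(head -n 1 "$MARKER")
  sleep "$HOLD_SECONDS"
  # Assumption: demote the recorded account, not whoever is at the console now.
  if [ -n "$promoted" ]; then
    dseditgroup -o edit -d "$promoted" -t user admin
  fi
  rm -f "$MARKER"
  jamf recon
}

# Jamf Pro passes custom script parameters starting at $4.
case "${4:-}" in
  promote) promote "$(console_user)" ;;
  demote)  demote ;;
esac
```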