Smart Group for MakeMeAdmin

Graves
New Contributor

This may be in the slides when they are posted. What is the Smart Group criteria for catching the computers that need to run removeTempAdmin.sh?

5 REPLIES

stevewood
Honored Contributor II

I don't believe @Andrina is using an SG to capture who needs it removed. She is doing it with a LaunchDaemon that is dropped when the user is granted temp admin. It's in the TempAdmin.sh script.

You could edit that TempAdmin.sh script to touch a file in /Library/Application Support/JAMF/Receipts and scope off of that if you want to keep track of them. You'd of course need to also remove that when you removed temp admin rights and re-run a recon.

Graves
New Contributor

I guess I'm confused on how removeTempAdmin.sh gets called from JSS. TempAdmin.sh creates the plist and grants the admin access. The LaunchDaemon then removes the admin access after the allotted time. I thought at that time the computer attempts to talk to the JSS to see if there are any policies to run, and because of a Smart Group, it runs the removeTempAdmin.sh to remove the plist. This may be me blending two different sessions or topics together though.

stevewood
Honored Contributor II

RemoveTempAdmin.sh gets called by the LaunchDaemon. It is a policy with a custom trigger. See this portion of the LaunchDaemon code in TempAdmin.sh:

<key>ProgramArguments</key>
<array>
    <string>/usr/sbin/jamf</string>
    <string>policy</string>
    <string>-trigger</string>
    <string>adminremove</string>
</array>

That is the meat of the LaunchD. It calls the jamf binary using the following syntax:

/usr/sbin/jamf policy -trigger adminremove

So you'd have to have your removal policy set to trigger off of "adminremove".

Make sense?
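Putting the two suggestions in this thread together in one runnable script: this is an added example, not code from the thread and not Andrina's TempAdmin.sh or removeTempAdmin.sh. It writes a LaunchDaemon containing the ProgramArguments block quoted above (the /usr/sbin/jamf policy -trigger adminremove call), and it drops or removes a receipt file under /Library/Application Support/JAMF/Receipts so a Smart Group can be scoped to machines that currently hold temp admin. The daemon label, the receipt file name, and the use of StartInterval for the delay are assumptions; the thread does not say which inventory criterion the receipt shows up under after a recon. The directories are overridable so the script can be exercised in a scratch directory without touching a real Mac.

```shell
#!/bin/sh
# Added example, not from the thread or from TempAdmin.sh.
# Builds the LaunchDaemon that fires the "adminremove" custom trigger and
# manages a receipt file for Smart Group scoping.

DAEMON_LABEL="com.example.tempadmin.remove"                      # assumed label
DAEMONS_DIR="${DAEMONS_DIR:-/Library/LaunchDaemons}"             # overridable for testing
RECEIPTS_DIR="${RECEIPTS_DIR:-/Library/Application Support/JAMF/Receipts}"
RECEIPT_NAME="TempAdmin.receipt"                                 # assumed file name

# Write a LaunchDaemon that, every $1 seconds, runs the same command the
# thread quotes: /usr/sbin/jamf policy -trigger adminremove.
# Prints the path of the plist it wrote.
write_remove_daemon() {
    delay="$1"
    plist="$DAEMONS_DIR/$DAEMON_LABEL.plist"
    mkdir -p "$DAEMONS_DIR"
    cat > "$plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$DAEMON_LABEL</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/sbin/jamf</string>
        <string>policy</string>
        <string>-trigger</string>
        <string>adminremove</string>
    </array>
    <key>StartInterval</key>
    <integer>$delay</integer>
</dict>
</plist>
EOF
    chmod 644 "$plist"   # launchd refuses daemons that are group/world writable
    printf '%s\n' "$plist"
}

# Read back the word that follows "-trigger" in a generated plist, so you can
# confirm it matches the custom trigger set on the removal policy in the JSS.
daemon_trigger() {
    awk '
        /<string>-trigger<\/string>/ { want = 1; next }
        want && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit }
    ' "$1"
}

# Drop the receipt when temp admin is granted (stevewood's scoping suggestion).
touch_receipt() {
    mkdir -p "$RECEIPTS_DIR"
    : > "$RECEIPTS_DIR/$RECEIPT_NAME"
}

# Remove the receipt when rights are revoked; the caller runs a recon afterwards
# so the Smart Group membership updates.
remove_receipt() {
    rm -f "$RECEIPTS_DIR/$RECEIPT_NAME"
}

# Exit status 0 when this machine still carries the temp-admin receipt.
has_temp_admin_receipt() {
    [ -f "$RECEIPTS_DIR/$RECEIPT_NAME" ]
}
```

In the grant script you would call write_remove_daemon with the allotted number of seconds, load the plist with launchctl, and call touch_receipt; the policy that fires on the adminremove trigger would call remove_receipt and then /usr/sbin/jamf recon. To try it without touching /Library, run it with DAEMONS_DIR and RECEIPTS_DIR pointed at a scratch directory.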

Graves
New Contributor

Yes! Thanks so much.

Andrina
Contributor

Exactly what Steve said :-) Thanks @stevewood