Posted on 10-22-2013 12:40 PM
This may be in the slides when they are posted. What is the Smart Group criteria for catching the computers that need to run removeTempAdmin.sh?
Posted on 10-22-2013 12:48 PM
I don't believe @Andrina is using an SG to capture who needs it removed. She is doing it with a LaunchDaemon that is dropped when the user is granted temp admin. It's in the TempAdmin.sh script.
You could edit that TempAdmin.sh script to touch a file in /Library/Application Support/JAMF/Receipts and scope off of that if you want to keep track of them. You'd of course need to also remove that when you removed temp admin rights and re-run a recon.
Posted on 10-22-2013 01:04 PM
I guess I'm confused on how removeTempAdmin.sh gets called from JSS. TempAdmin.sh creates the plist and grants the admin access. The LaunchDaemon then removes the admin access after the allotted time. I thought at that time the computer attempts to talk to the JSS to see if there are any policies to run, and because of a Smart Group, it runs the removeTempAdmin.sh to remove the plist. This may be me blending two different sessions or topics together though.
Posted on 10-22-2013 01:19 PM
RemoveTempAdmin.sh gets called by the LaunchDaemon. It is a policy with a custom trigger. See this portion of the LaunchDaemon code in TempAdmin.sh:
<key>ProgramArguments</key>
<array>
    <string>/usr/sbin/jamf</string>
    <string>policy</string>
    <string>-trigger</string>
    <string>adminremove</string>
</array>
That is the meat of the LaunchD. It calls the jamf binary using the following syntax:
/usr/sbin/jamf policy -trigger adminremove
So you'd have to have your removal policy set to trigger off of "adminremove".
Make sense?
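A check that follows from the answer above, as an added example that is not part of the original posts or of the TempAdmin.sh script: it reads LaunchDaemon plists, extracts the custom trigger handed to `jamf policy`, and reports any trigger that has no matching policy, since the removal policy only runs when its custom trigger matches. The function names, plist names, label and sample plists are constructed, and the set of policy triggers is assumed to be supplied by you from the JSS.

```python
import plistlib
from xml.parsers.expat import ExpatError

JAMF_BINARY = "/usr/sbin/jamf"  # path shown in the thread


def policy_trigger(plist_bytes):
    """Return the custom trigger a LaunchDaemon passes to `jamf policy`, else None."""
    try:
        job = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        return None  # unreadable plist: nothing to report
    args = job.get("ProgramArguments") if isinstance(job, dict) else None
    if not isinstance(args, list) or args[:2] != [JAMF_BINARY, "policy"]:
        return None  # not a jamf policy call
    if "-trigger" not in args:
        return None
    i = args.index("-trigger")
    # -trigger as the last argument means no trigger name was given
    return args[i + 1] if i + 1 < len(args) else None


def unmatched_triggers(daemons, policy_triggers):
    """Map plist name -> trigger for daemons whose trigger has no policy."""
    found = {}
    for name, data in daemons.items():
        trigger = policy_trigger(data)
        if trigger is not None and trigger not in policy_triggers:
            found[name] = trigger
    return found


def sample(args):
    """Build a constructed LaunchDaemon plist; the label is a placeholder."""
    return plistlib.dumps({"Label": "com.example.placeholder", "ProgramArguments": args})


# Constructed inputs: the first uses the arguments quoted in the thread.
SAMPLES = {
    "ok.plist": sample(["/usr/sbin/jamf", "policy", "-trigger", "adminremove"]),
    "typo.plist": sample(["/usr/sbin/jamf", "policy", "-trigger", "adminremoval"]),
    "other.plist": sample(["/usr/bin/true"]),
    "broken.plist": b"not a plist",
}

if __name__ == "__main__":
    # Triggers that have a policy in the JSS (assumed, supplied by the admin).
    for name, trigger in unmatched_triggers(SAMPLES, {"adminremove"}).items():
        print(f"{name}: no policy for trigger {trigger!r}")
```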
Posted on 10-22-2013 01:41 PM
Yes! Thanks so much.
Posted on 10-23-2013 11:58 AM
Exactly what Steve said :-) Thanks @stevewood