09-09-2021 12:55 PM - edited 09-09-2021 12:56 PM
Trying to run command to apply a policy with a custom trigger. The logged in user is NOT a local admin. The command prompts for admin password, but is not accepting the local admin credentials. However, when I sign into the local admin account and run the command, it doesn't have any problem with it.
I'm attempting to use a custom trigger to apply a "Make Me Admin" script to give a local non-admin user temporary admin rights. The policy must be run while logged into the end user account as the associated script elevates the current logged in user. The custom trigger is thought to be provided to our contracted service desk who does not have access to our Jamf Cloud instance or the local admin password for the device. The idea being if they needed to provide administrative credentials via remote support session, they could run this command to elevate the local user and assist them on the spot.
How can I make it so the local admin password is accepted on a terminal command being run with a non-sudo user logged into the device?
Posted on 09-09-2021 01:00 PM
You can't within that session without a step. But can run
su [USERNAME] or login [USERNAME]
Switch to whatever user, then
sudo jamf policy -event xyz
Posted on 09-10-2021 02:09 PM
Agree with @boberito! I regularly use the handy "su" command to switch user when a standard user is logged in and I need to "sudo" a command. Alternatively, I provide script policies in Self Service that users can run at will for high frequency items. That eliminates the need for a terminal command and/or switching users.
Posted on 09-13-2021 03:45 PM
For what you're attempting to do with the MakeMeAdmin script, you should just put that into Self Service I would think. That's one of the primary reasons Self Service exists - to allow non admins to run curated admin level installs/scripts/functions without actually needing to be an admin.
If you need to restrict the Self Service policy to only people in your contracted service desk, then if your Jamf server is connected to AD or another directory service, you may be able to set up optional Self Service login so they can log in to the app first, then have it appear for them.