Posted on 05-11-2016 08:10 AM
I know there is an old script for 30 minutes out here and I have it, but it's not working on binary 9.82. I was looking to see if there is another way to grant temp rights that will grant and remove the current domain user from their Mac at a certain time. I don't want it for 30 minutes, just for 5 minutes in order to install a network adapter for our Targus Dock that requires an admin password to add it.
any help would be great guys
Posted on 06-02-2016 04:06 AM
We have Andrina's script running, and during testing just changed the variable to 60 seconds, not 30 minutes.
Script is fine at adding and removing the admin settings, but I'm struggling to get it to unload the launch daemon plist.
Posted on 06-02-2016 07:13 AM
Sussed it. We're 9.92 and got it down to two scripts in two policies, (MakeMeAdmin) MMA_Add.sh and MMA_Remove.sh. MMA_remove is triggered with a custom event adminremove.
During testing I cut the admin access down to 32 seconds, but that's a single line variable to edit. How quick can your users install the network adapter? ;-) I also added a jamf display message reminding the user they're no longer admin.
#!/bin/bash
##############
# This script will make a user a local admin until the removal script runs.
# After ADMIN_DURATION seconds (1800 = 30 minutes by default) launchd calls a
# jamf policy with a manual trigger, which removes the user's admin rights and
# unloads and deletes the plist this script creates and activates.
# The removal script is MMA_remove.sh
##############
# Taken from https://github.com/andrina/JNUC2013
# Made 180 by Mark and TJ, 20160519
MOUNT_POINT="$1"
# COMPUTER_NAME="$2"
# USER_NAME="$3"
# Core parameters
# Duration in seconds, 1800 being 30mins
ADMIN_DURATION=1800
# See Andrina's github for her HTML
WEBPAGE="http://somewhereyoucanhosthtmlandwillsendmail"
# Construct user and path information
CONSOLE_USER=$(who | grep console | awk '{print $1}')
LAUNCHD_LABEL="com.YOURCOMPANY.adminremove"
LAUNCHD_PLIST="$MOUNT_POINT/Library/LaunchDaemons/$LAUNCHD_LABEL.plist"
RECEIPT_FILE="$MOUNT_POINT/Library/Application Support/JAMF/Receipts/$LAUNCHD_LABEL.plist.dmg"
LOGFILE="$MOUNT_POINT/var/log/make-me-admin.log"
STATE_FOLDER="$MOUNT_POINT/var/uits"
STATE_FILE="$STATE_FOLDER/userToRemove"
# Do not process these users, as they are sensitive accounts.
BLACKLIST_USERS=(root ADMINUSER CASPERADMINUSER)
# Nobody at the console (login window) means there is nobody to promote.
if [[ -z "$CONSOLE_USER" ]]; then
    echo "No console user found. Exiting."
    exit 3
fi
# Filter out attempts to change state for blacklisted users
for u in "${BLACKLIST_USERS[@]}"; do
    if [[ "$u" == "$CONSOLE_USER" ]]; then
        echo "User $CONSOLE_USER is not eligible for becoming admin. Exiting."
        exit 2
    fi
done
# checkmember exits 0 when the user is already in the admin group
if /usr/sbin/dseditgroup -o checkmember -m "$CONSOLE_USER" -t user admin; then
    echo "User $CONSOLE_USER is already an admin. Exiting"
    exit 1
else
    echo "User $CONSOLE_USER is eligible to become admin."
fi
# Open the webpage and allow the user to start filling in details
sudo -u "$CONSOLE_USER" open "$WEBPAGE"
# Construct Launchd plist in-place.
# NOTE: StartInterval makes launchd run the job every ADMIN_DURATION seconds
# for as long as the job stays loaded. Deleting the plist on its own does not
# stop an already-loaded job until the next reboot, so the removal script must
# unload the job by label as well as delete the file.
defaults write "$LAUNCHD_PLIST" Label -string "$LAUNCHD_LABEL"
defaults write "$LAUNCHD_PLIST" ProgramArguments -array /usr/local/bin/jamf policy -trigger adminremove
defaults write "$LAUNCHD_PLIST" StartInterval -integer "$ADMIN_DURATION"
chmod 644 "$LAUNCHD_PLIST"
chown root:wheel "$LAUNCHD_PLIST"
# Ensure that user state is stored (the folder is root-owned; -p keeps reruns quiet)
mkdir -p "$STATE_FOLDER"
TIME=$(date "+%Y-%m-%d %H:%M:%S")
echo "$TIME Adding $CONSOLE_USER to admin group" | /usr/bin/tee -a "$LOGFILE"
echo "$CONSOLE_USER" >> "$STATE_FILE"
# Create a receipt file to prove that software has been installed
touch "$RECEIPT_FILE"
chown root:admin "$RECEIPT_FILE"
# Load and enable the removal plist timer
launchctl load -w "$LAUNCHD_PLIST"
# Finally, attempt to grant local admin rights.
# Caveat: while the user is an admin they can sudo, so they can also tamper
# with this daemon, the state file and the log. Treat this as a convenience
# control with an audit trail, not as a security boundary.
/usr/sbin/dseditgroup -n . -o edit -a "$CONSOLE_USER" -t user admin
exit $?
And
#!/bin/bash
##############
# This is the removal script for the MMA_add.sh script.
# It will remove the user from the admin group, then
# unload and delete the LaunchDaemon that calls this script.
##############
# Taken from https://github.com/andrina/JNUC2013
# Made 180 by Mark and TJ, 20160519
#
MOUNT_POINT="$1"
# COMPUTER_NAME="$2"
# USER_NAME="$3"
LAUNCHD_LABEL="com.YOURCOMPANY.adminremove"
LAUNCHD_PLIST="$MOUNT_POINT/Library/LaunchDaemons/$LAUNCHD_LABEL.plist"
RECEIPT_FILE="$MOUNT_POINT/Library/Application Support/JAMF/Receipts/$LAUNCHD_LABEL.plist.dmg"
LOGFILE="$MOUNT_POINT/var/log/make-me-admin.log"
STATE_FOLDER="$MOUNT_POINT/var/uits"
STATE_FILE="$STATE_FOLDER/userToRemove"
CONSOLE_USER=$(who | grep console | awk '{print $1}')
# Set once, up front, so every log line (including the no-state path) has a timestamp
TIME=$(date "+%Y-%m-%d %H:%M:%S")
# Do not process these users, as they are sensitive accounts.
BLACKLIST_USERS=(root ADMINUSER CASPERADMINUSER)
#LDAP Group, IT department or departments with admin access already; devs, XSAN users
# (placeholder for site customisation; not consulted by the script as posted)
BLACKLIST_GROUPS=(ANYGROUPSTOBLACKLIST)
if [[ -f "$STATE_FILE" ]]; then
    # The state file holds one user per line (several if the add script ran more
    # than once before removal), so handle every non-empty line.
    while IFS= read -r USER_NAME || [[ -n "$USER_NAME" ]]; do
        [[ -z "$USER_NAME" ]] && continue
        # Filter out attempts to change state for blacklisted users
        for u in "${BLACKLIST_USERS[@]}"; do
            if [[ "$u" == "$USER_NAME" ]]; then
                echo "User $USER_NAME must remain as an admin. Exiting."
                exit 2
            fi
        done
        # Only try to remove users who are actually in the admin group
        if /usr/sbin/dseditgroup -o checkmember -m "$USER_NAME" -t user admin >/dev/null; then
            echo "$TIME Removing $USER_NAME from admin group" | tee -a "$LOGFILE"
            /usr/sbin/dseditgroup -n . -o edit -d "$USER_NAME" -t user admin
        else
            echo "$TIME $USER_NAME is not an admin, nothing to remove" | tee -a "$LOGFILE"
        fi
    done < "$STATE_FILE"
else
    echo "$TIME No state file found, cleaning up only" | tee -a "$LOGFILE"
fi
# Successful runs or missing state should trigger cleanup
# Thorough logging used when testing
echo "Cleaning..." | tee -a "$LOGFILE"
/bin/rm -f "$STATE_FILE"
echo "Deleted $STATE_FILE" | tee -a "$LOGFILE"
/bin/rm -f "$RECEIPT_FILE"
echo "Deleted $RECEIPT_FILE" | tee -a "$LOGFILE"
/bin/rm -f "$LAUNCHD_PLIST"
echo "Deleted $LAUNCHD_PLIST" | tee -a "$LOGFILE"
echo "$TIME Admin removal complete (console user: $CONSOLE_USER)" | tee -a "$LOGFILE"
/usr/local/jamf/bin/jamf displayMessage -message "You are no longer an administrator."
# Unload the daemon LAST. `launchctl disable` expects a service target such as
# system/<label>, not a file path, so the original call only printed
# "Usage: launchctl disable" and the loaded job kept firing every StartInterval.
# `launchctl remove` unloads by label, so it still works now that the plist is
# gone. Unloading the job that spawned this jamf run stops that job (SIGTERM),
# which is why nothing important comes after this line.
echo "Unloading Daemon $LAUNCHD_LABEL..." | tee -a "$LOGFILE"
/bin/launchctl remove "$LAUNCHD_LABEL"
exit 0
Posted on 10-08-2016 03:16 PM
@markkenny I've managed to create two policies, each with one of the two scripts you've provided. For testing purposes, I've changed the admin duration to five minutes.
The first policy (MMA_Add) works correctly, and runs the MMA_Add.sh script that adds the current user to the Admins group.
The second policy (MMA_Remove) is triggered by a Custom event called adminremove, and its Execution Frequency is Ongoing.
Five minutes after MMA_Add is run, the second policy triggers, and then runs repeatedly every five minutes after the first policy. The user is removed from the Admin group the first time it runs, but it won't stop running, and writes a Completed, successful log entry in JSS every five minutes too.
Here's an example log of the MMA_Remove policy (I've removed my company's name). It appears to have done everything required to disable the .plist (and thus, if I understand correctly, prevent the 2nd policy from running again).
Executing Policy MMA_Remove
Running script MMA_Remove.sh...
Script exit code: 0
Script result: Disabling Daemon...
Usage: launchctl disable
Cleaning...
Deleted //var/uits/userToRemove
Deleted //Library/Application Support/JAMF/Receipts/com.*company*.adminremove.plist.dmg
Deleted //Library/LaunchDaemons/com.*company*.adminremove.plist
tgottric removed from admin group
Running Recon...
Retrieving inventory preferences from https://*company server*...
Locating accounts...
Locating package receipts...
Searching path: /Applications
Locating software updates...
Locating plugins...
Locating printers...
Gathering application usage information...
Any guidance or suggestions on how to stop the 2nd policy after it runs once would be appreciated! :-)
Posted on 10-09-2016 01:11 AM
@timgottrich I'd possibly look at creating an EA that looks for the "adminremove" LaunchDaemon, & if it's there, add the Mac to a smart group that runs the policy you have above.
Once the policy runs & Recon runs, the EA's value should change & the Macs then come out of the policy's scope.
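One way to write that EA, as an added example that is not part of the thread's scripts: it reports not just whether the plist is on disk, but whether the job is still loaded in launchd, which is the state a deleted-but-never-unloaded daemon is in (and the reason the policy keeps firing every five minutes). The label and plist path are assumed to match the add/remove scripts above; the function names `admin_daemon_state` and `loaded_system_labels` are hypothetical, and `launchctl list` is assumed to print PID, last exit status and label in three columns with a header line.

```shell
#!/bin/bash
# Added example (not from the thread): Jamf Extension Attribute for the
# MakeMeAdmin removal daemon. Reports one of four states so a smart group can
# catch the "plist gone, job still loaded" failure mode:
#   Absent      no plist on disk, no job loaded (normal)
#   Present     plist on disk and job loaded (temp-admin window is open)
#   LoadedOnly  job loaded but plist deleted (removal ran, unload failed)
#   FileOnly    plist on disk but not loaded (will load at next boot)
LAUNCHD_LABEL="com.YOURCOMPANY.adminremove"          # assumed label
LAUNCHD_PLIST="/Library/LaunchDaemons/$LAUNCHD_LABEL.plist"

# Classify from a plist path and a newline-separated list of loaded labels,
# so the decision logic can be exercised without launchd.
admin_daemon_state() {
    plist="$1"; loaded_labels="$2"; label="$3"
    on_disk=0; loaded=0
    [ -f "$plist" ] && on_disk=1
    # -F: the label contains dots, match it literally; -x: whole line only
    printf '%s\n' "$loaded_labels" | grep -qxF -- "$label" && loaded=1
    case "$on_disk$loaded" in
        00) echo "Absent" ;;
        11) echo "Present" ;;
        01) echo "LoadedOnly" ;;
        10) echo "FileOnly" ;;
    esac
}

# Labels of jobs loaded in the domain launchctl sees (system domain when the
# EA runs as root). Column 3 of `launchctl list` is the label; NR > 1 skips
# the header.
loaded_system_labels() {
    /bin/launchctl list 2>/dev/null | awk 'NR > 1 { print $3 }'
}

# Live check only where launchd exists (i.e. on the Mac, not on a test host).
if [ -x /bin/launchctl ]; then
    state=$(admin_daemon_state "$LAUNCHD_PLIST" "$(loaded_system_labels)" "$LAUNCHD_LABEL")
    echo "<result>$state</result>"
fi
```

Scope the remediation smart group on `LoadedOnly` (and `Present` if you want a safety net after the window has expired); the fix for `LoadedOnly` is to unload by label (`launchctl remove <label>`, or `launchctl bootout system/<label>` on 10.10 and later) rather than deleting a file that is already gone.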
Posted on 10-10-2016 02:26 AM
Are you sure the remove script is clearing the daemon? I also had trouble getting it to stop and clear itself, hence a lot of comments in my logs ;-)
Posted on 10-10-2016 09:19 AM
@timgottrich you might also consider adding to the LaunchDaemon plist this key:
<key>LaunchOnlyOnce</key>
That should prevent the LaunchDaemon from running multiple times, until a reboot. If you are deleting the LaunchDaemon, then it will not be present at the next reboot, so you wouldn't have to worry about that.
Posted on 03-28-2017 11:18 AM
Was anybody able to modify the script to stop re-prompting?