Temporary Admin rights using Self Service

jcshofner
New Contributor III

I have traversed this site, looking for scripts or other means to provide users temporary admin rights. Most discussions provide two scripts, however, they do no show how to configure them from within Jamf JSS. One such example is from the github site JPDyson https://www.jamf.com/jamf-nation/discussions/6990/temporary-admin-using-self-service.
My question is, how are these scripts set up in Jamf JSS, so that they will work?

Or, if there is a better approach, that would be great to know...

41 REPLIES 41

markjohnson
New Contributor II

Hi,

I used the following to grant temporary admin rights via Self Service and it seemed to work in my testing:

https://github.com/jamfprofessionalservices/MakeMeAdminPy

jcshofner
New Contributor III

I have looked into that one. I have followed the directions, however, I am not familiar with EA-MakeMeAdmin_ComplianceCheck.py. If you can add the steps you did to get yours to work that would be great.

markjohnson
New Contributor II

From my understanding the EA just checks to make sure that the user doesn't create additional admin accounts with their elevated privileges. In my testing I just followed the Implementation section on the link I provided above, it basically walks you through how to set everything up in the JSS.

mlitton
New Contributor II

Mark - I too an following this process. Could you explain how you used the encrypted strings in the RemoveTempAdmin?

markjohnson
New Contributor II

Hello,
I left both the grantTempAdmin and removeTempAdmin scripts untouched in my testing and from what I can tell they worked. My test account was able to execute admin functions for the default 30 minutes, after that the account was set back to standard. I would suggest contacting the writer of these scripts for further questions as my expertise in python is limited.

ckappenman
New Contributor II

I guess I am missing something or the files have been moved to a new location. I went to the site https://github.com/jamf/MakeMeAdmin and I only see one .sh file there. It appears t be the script to grant Admin rights but I do not see the script to remove those admin rights. Any help would be greatly appreciated.

Rosko
Contributor II
Contributor II

@ckappenman I'll have to look at getting it on the new Jamf GitHub page. We did some consolidation of the Jamf GitHub pages and that one must have gotten lost in the shuffle, but I have it on my personal page as well.
https://github.com/kc9wwh/MakeMeAdminPy

ckappenman
New Contributor II

Rosko, Thanks for the reply. I found MakeMeAnAdmin (another JAMF product) later yesterday and it is working great. For those interested, here is the link: https://github.com/jamf/MakeMeAnAdmin

maurits
Contributor

I use the SAP open source app 'Privileges' for a similar purpose, but does not require jamf, and involves less scripting. I deploy a pkg with the lauchagent that demotes the local user to non-admin at each login. (see docs for ready-to-use plist) https://github.com/SAP/macOS-enterprise-privileges.

T_Armstrong
Contributor

FWIW, we looked at "Privileges" as well, but went with the "MakeMeAnAdmin" approach instead, as "Privileges" does not automatically downgrade the account without a fair amount of additional scripting. So far "MakeMeAdmin" is working nicely in our environment. Not as pretty, not as splashy, but effective.

danlaw777
Contributor III

this is the script i used, i did get it from github, but unfortunately i forgot the name of the author

!/bin/bash

###################################

This script will provide temporary admin

rights to a standard user right from self

service. First it will grab the username of

the logged in user, elevate them to admin

and then create a launch daemon that will

count down from 30 minutes and then create

and run a secondary script that will demote

the user back to a standard account. The

launch daemon will continue to count down

no matter how often the user logs out or

restarts their computer.

###################################
#################################

find the logged in user and let them know

#################################

currentUser=$(who | awk '/console/{print $1}')
echo $currentUser

osascript -e 'display dialog "You now have administrative rights for 30 minutes. DO NOT ABUSE THIS PRIVILEGE..." buttons {"Make me an admin, please"} default button 1'

#############################################

write a daemon that will let you remove the privilege

with another script and chmod/chown to make

sure it'll run, then load the daemon

#############################################

Create the plist

sudo defaults write /Library/LaunchDaemons/removeAdmin.plist Label -string "removeAdmin"

Add program argument to have it run the update script

sudo defaults write /Library/LaunchDaemons/removeAdmin.plist ProgramArguments -array -string /bin/sh -string "/Library/Application Support/JAMF/removeAdminRights.sh"

Set the run inverval to run every 7 days

sudo defaults write /Library/LaunchDaemons/removeAdmin.plist StartInterval -integer 1800

Set run at load

sudo defaults write /Library/LaunchDaemons/removeAdmin.plist RunAtLoad -boolean yes

Set ownership

sudo chown root:wheel /Library/LaunchDaemons/removeAdmin.plist
sudo chmod 644 /Library/LaunchDaemons/removeAdmin.plist

Load the daemon

launchctl load /Library/LaunchDaemons/removeAdmin.plist
sleep 10

#############

make file for removal

#############

if [ ! -d /private/var/userToRemove ]; then mkdir /private/var/userToRemove echo $currentUser >> /private/var/userToRemove/user else echo $currentUser >> /private/var/userToRemove/user
fi

######################

give the user admin privileges

######################

/usr/sbin/dseditgroup -o edit -a $currentUser -t user admin

############################

write a script for the launch daemon

to run to demote the user back and

then pull logs of what the user did.

############################

cat << 'EOF' > /Library/Application Support/JAMF/removeAdminRights.sh
if [[ -f /private/var/userToRemove/user ]]; then userToRemove=$(cat /private/var/userToRemove/user) echo "Removing $userToRemove's admin privileges" /usr/sbin/dseditgroup -o edit -d $userToRemove -t user admin rm -f /private/var/userToRemove/user launchctl unload /Library/LaunchDaemons/removeAdmin.plist rm /Library/LaunchDaemons/removeAdmin.plist log collect --last 30m --output /private/var/userToRemove/$userToRemove.logarchive
fi
EOF

exit 0

ckappenman
New Contributor II

We have went with the "makemeanadmin" approach as well. It is easy to modify the script to have allowances of different time spans based upon the user need. I have our system set with an option for 30 minutes and 60 minutes and I assign the option to the user at the time they request need based upon the time frame I determine they will need to accomplish the task.

atomczynski
Valued Contributor

Another route is to create another account with admin right.

This way the computer user is not promoted to admin, and authenticates as such only when needed.

Here is how we are handling it now.

  1. End user contacts a support agent via Google hangouts.
  2. Support agent instructs user to install Google Chrome remote extension.
  3. Support user instructs user to run a policy in Self Service to create a local account with admin right (which is set not to allow FileVault login)
  4. Support agent instructs user to allow remote control, provides the end user with local admin credentials of the user created in Self Service
  5. Once support agent has remote control, they run a policy to remove the local admin user.

Create user policy scoped to staff devices, via Self Service. Allow to run 1x.
Remove user policy scoped to smart group operator has the local temporary admin.

Email notification when devices are added and removed from smart group.

To prevent further install / sharing the password from one end user to other, the policy is modified so a new password is provided at a scheduled interval.

With all of that, end users allow remote support to our techs and quickly loose ability of being an admin on the machine.

We considered the other tools such as the app that elevates their access for x number of minutes, our fear is that it would be misused.

While on our network support agents use ARD.

I know there are other solutions out there.
This we created and tested within an hour.

Each environment/culture is different.
If you would like me to elaborate more with screenshots, etc I can.

CommandShiftK
New Contributor III

The Make Me An Admin script works really well for my environment.

JoshRouthier
Contributor

We are going with the "MakeMeAnAdmin" script, though I was asked to also build out a mechanism in which the user would be required to enter the reason they are giving themselves temporary administrator rights.

I am using 3 different steps to accomplish this; 1) MakeMeAnAdmin policy with a custom trigger, 2) Self Service policy with a custom script which prompts the user for a reason (documents it in a file) and then triggers the MakeMeAnAdmin policy, and 3) an Extension Attribute which scrapes the "reason" file, and populates that information in the devices Extension Attribute section. Since there is not a way (that I am aware of) to notify the Jamf admin when a policy is run, this also allows you to create a Smart Group (w/ email notifications on group change) notifying you when a user has run this policy.

I have tested this process, and it does work as I intended. As I would definitely classify myself as a scripting noob, please excuse any glaring mistakes with the code below. Hopefully this may help someone out in a similar situation.

Script to prompt for reason

#!/bin/sh
# Display dialog asking the user for the reason why they need administrator rights
adminReason=$(/usr/bin/osascript<<END
tell application "System Events"
activate
set the answer to text returned of (display dialog "You are about to be granted with temporary administrator rights. Please describe what you intend to do with your temporary admin rights." with title "Temporary Admin Rights" default answer "")
end tell
END)

# While loop to have the user provide an answer of at least so many characters long
while True ; do
[[ ${#adminReason} -ge 20 ]] && break
echo "Sorry that string isnt long enough."
adminReason=$(/usr/bin/osascript<<END
tell application "System Events"
activate
set the answer to text returned of (display dialog "You did not provide a sufficient answer. As you are about to be granted with temporary administrator rights. Please describe what you intend to do with your temporary admin rights." with title "Temporary Admin Rights" default answer "")
end tell
END)
done

# Get Current user
loggedInUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "
");'`

# Specify output file path
filepath="/Library/Application Support/companyName/Extension Attributes/"

# Get Date & Time
dt=`date '+%m-%d-%y_%H:%M:%S'`

# Check to see if the Users output filepath exists
if [[ -d ${filepath} ]]; then
    echo "Extension Attribute folder exists. Moving on."

else 
    echo "Extension Attribute folder does not exist. Creating it now"
    mkdir "$filepath"

fi

# Create Reason file
file="${filepath}AdminReason.txt"
echo "${dt}_${loggedInUser}_${adminReason}" >> "$file"

# Run the temporary admin policy
/usr/local/jamf/bin/jamf policy -event tempAdmin

# Notify the user they have been granted temporary admin rights
osascript -e 'display dialog "You now have administrative rights for 15 minutes. DO NOT ABUSE THIS PRIVILEGE..." buttons {"I Understand"} default button 1'

exit 0

Extension Attribute scraping the "reason" file

#!/bin/sh
outputFile="/Library/Application Support/companyName/Extension Attributes/AdminReason.txt"
fileContent=$( cat "$outputFile" )

if [[ -e "$outputFile" ]]; then
    echo "<result>$fileContent</result>"

else
    echo "<result>NotGrantedAdminRights</result>"

fi

I like this approach, but the 

 

While True

 

creates an endless loop of prompts if the user lets that display dialogue timeout.
I believe it's a minute or so before it times out.
The cancel button also does not work with the current setup.

Anyone with code savvy have a better approach for that input for admin request reasons?

pete_c
Contributor III

I have previously used the "Make me an Admin" approach, just wanted to say that part of the instruction to the end user needs to be to run the Self Service task before starting an installer or trying to authenticate a system preference etc. Admin rights will be interpreted as they existed previously if there's already a password dialog on screen.

I'd also recommend throwing a recon into the follow-up / "demote" action, to track whatever might have changed.

walt
Contributor III

does Jamf's MakeMeAnAdmin remove the admin rights of an existing admin user? Or what is the best approach for that? Most of our accounts are DEP created (501 admin) or manually created (501 admin) from setup assistant

merps
Contributor III

@walt Here is what we use

#!/bin/sh

logfile="/var/log/FixLocalAdmin.log"


log () {
        echo $1
        echo $(date "+%Y-%m-%d %H:%M:%S: ") $1 >> $logfile
}


adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)

for user in $adminUsers
do
    if [ "$user" != "root" ]  && [ "$user" != "local_admin" ] && [ "$user" != "management_user" ]
    then 
        dseditgroup -o edit -d $user -t user admin
        if [ $? = 0 ]; then log "Removed user $user from admin group"; fi
    else
        log "Admin user $user left alone"
    fi
done

walt
Contributor III

@merps thanks, i noticed it also removes our managed JSS account, is there a way to prevent that account from losing admin privileges in the script? for example the account is jssadmin.

Would i just append the

if

statement to:

if [ "$user" != "root" ] && [ "$user" != "local_admin" ] && [ "$user" != "management_user" ] && [ "$user" !="jssadmin" ]

merps
Contributor III

@walt Yes, definitely. I probably should have been more clear that local_admin is substitute for our additional local admin, and management_user is substitute for our managed JSS account. So you'd want to change management_user to jssadmin and local_admin to whatever (if anything) you add in the "create additional local account" pane.

walt
Contributor III

@merps no problem at all, i'm apparently not very good at reading scripts, this is extremely helpful though. Thank you!

BOBW
Contributor II

One thing to be aware of is the Users with admin rights are able to create other users and give those admin rights... I have a quick script which writes all existing admin accounts to a text file then when the Admin rights are removed or timed out another script is run to do a comparison to the original Admin users and move any new accounts back to standard accounts, then write these new accounts to an EA.

iseeetray
New Contributor II

this helps me close this same loophole

walt
Contributor III

@BOBW i'd be interested to test this out as well. it seems to depend on how Macs are enrolled, Jamf can remove additional accounts from within the console, albeit one by one.

Another question i have and i may just make a separate thread for this, but how could i restore admin privileges to users (not timed or restricted)?

I tried messing with this script: https://github.com/jamf/MakeMeAnAdmin/blob/master/MakeMeAnAdmin.sh by removing the timing lines but that seemed to immediately default the user back to standard. I do like the prompt it provides

BOBW
Contributor II

@walt OK, it's not pretty but it works..... Here is the first part where it notifies user using pashua, looks at an EA in Jamf for a time set by support. this is for an expiry if you want to be able to say you can only run this for the next 24 hours, creates a launch Daemon to run after a set amount of time plus 30 mins. Also needs someone to create the EA in Jamf to allow someone to put a date time in, but needs to be in a certain format to be read correctly.
We ended up creating an app for the Support staff to select a date which will use the API to write to the EA, or for Windows support to use Powershell app to do the same thing.
One of the things I have noted with this is the fact if someone removes network then the LaunchD will wait for another 30 minutes but as soon as the JSS is contactable it will run
We were thinking about just deleting the account people create but then someone might have research work in there.....

#!/bin/bash

### Created by David Coupe 2019
## feel free to improve and share, make sure you let me know through jamfNation with ID @bobw

#set variables here:
TimeAllowed=
log_location=

#log 
log_location="/var/log/makeadmin.log"
touch "/var/log/makeadmin.log"

ScriptLogging(){

    DATE=`date +%Y-%m-%d %H:%M:%S`
    LOG="$log_location"

    echo "$DATE" " $1" >> $LOG

}
ScriptLogging

## find your serial number
serial=$(ioreg -c "IOPlatformExpertDevice" | awk '/IOPlatformSerialNumber/ {print $4}' | tr -d ")
echo $serial  >> $LOG

## find your JAMF URL
jssurl=$(defaults read /Library/Preferences/com.jamfsoftware.jamf.plist jss_url)
echo $jssurl  >> $LOG

## get your computer ID from JAMF based on serial - replace ******** with your base64 encrypted passcode - due to some characters not being valid recommend this is not a variable
JSSComputerid=$(curl -H "Accept: text/xml" -sfk --header 'authorization: Basic *********' "${jssurl}JSSResource/computers/serialnumber/$serial/subset/general" | xmllint --xpath '//id/text()' - | awk -F "-" '{print $1}' )
echo "Computer ID = $JSSComputerid" >> $LOG
id="$JSSComputerid"

# Extension attribute which has the time set for expiry - this could be a AD attribute using LDAP
EAID=131
echo "EAID = $EAID" >> $LOG

#time allowed in seconds
TimeAllowed=1800
echo "time allowed = $TimeAllowed" >> $LOG

# get the device Extension attributes
xml=$(curl -H "Accept: text/xml" -sfk --header 'authorization: Basic *****' "${jssurl}JSSResource/computers/id/$id/subset/extension_attributes" )

# find the value of the EAAID which is set above
value=$(echo "$xml" | xpath "//*[id=131]/value/text()" 2>/dev/null )
echo "EA time = $value" >> $LOG

#convert value to epoch time
if [ $value ! = "" ]
then 
value2=$(date -j -f "%Y/%m/%d %H:%M:%S" "$value" "+%s")
echo "converted time = $value2" >> $LOG

#GET NOW Time
NOW=$(date +%s)
echo "now = $NOW" >> $LOG
fi

#compare times
if [[ $NOW < $value2 ]] || [[ $value2 = "" ]]
then
    echo "now is before EA - admin OK" >> $LOG

#get user
U="$(who | grep console | awk '{ print $1 }')"
echo "user is $U" >> $LOG

# set path for LauncDaemon
PPATH="/Library/LaunchDaemons"
echo "LaunchD path is $PPATH"  >> $LOG

# set launchD plist name
PLIST="edu.uon.adminremove.plist"
echo launchD plist name is  $PLIST >> $LOG

LOGDIR="/var/makeadminLD"
TIME=$(date "+Date:%m-%d-%Y TIME:%H:%M:%S")

#create the LD for the removal of admin rights
mkadminremoved() {
    local label="$PLIST"
    local string0="/usr/local/bin/jamf"
    local string1="policy"
    local string2="-event"
    local string3="adminremovev3"
    local sout="$LOGDIR/${PLIST%.plist}.out"
    local serr="$LOGDIR/${PLIST%.plist}.err"
plistbuddy() { /usr/libexec/PlistBuddy "$@"; }    
plistbuddy -c "add :Label string $label" 
                -c "add :ProgramArguments array" 
                -c "add :ProgramArguments:0 string $string0" 
                -c "add :ProgramArguments:1 string $string1" 
                -c "add :ProgramArguments:2 string $string2" 
                -c "add :ProgramArguments:3 string $string3" 
                -c "add :StandardOutPath string $sout" 
                -c "add :StandardErrorPath string $serr" 
                -c "add :StartInterval integer $TimeAllowed" 
                "$PPATH"/"$PLIST"
}

# Message to user they have admin rights for 30 min. 
#!/bin/bash

if [ ! -e /usr/local/Management/Images/shutterstock_1119128867.jpg ]
then
sudo /usr/local/bin/jamf policy -event image1
sleep 30
fi

if [ ! -e "/usr/local/Management/Images/logo4.png" ]
then
sudo /usr/local/bin/jamf policy -event logo4
sleep 30
fi

if [ ! -e "/usr/local/Management/Scripts/Pashua.app" ]
then
sudo /usr/local/bin/jamf policy -event pashuaforce
sleep 30
fi

# MYDIR="$( cd "$( /usr/local/bin/ "${BASH_SOURCE[0]}" )" && pwd )"
MYDIR="/usr/local/bin/"

# Include pashua.sh to be able to use the 2 functions defined in that file
source "$MYDIR/pashua.sh"

# Define what the dialog should be like
# Take a look at Pashua's Readme file for more info on the syntax

loggedInUserID=$( id -P $(stat -f%Su /dev/console) | awk -F '[:]' '{print $8}' | awk '{print $1}' )
# loggedInUser2=$(dscl . -read /Users/"$loggedInUserID" RealName | awk '{print $1}')

TIME=$(date "+Date:%m-%d-%Y TIME:%H:%M:%S")
timeplus30=$(date -j -v+1H)
conf="
# Set window title
*.title = University of *****

# Introductory text
txt.type = text
txt.fontsize = regular
txt.default = Hello ${loggedInUserID}.
txt.height = 200
txt.width = 300
txt.x = 100
txt.y = 180
# txt.tooltip = Restart Message

# Introductory text
txt3.type = text
txt3.fontsize = regular
txt3.default =You now have Administrator access to your computer.[return][return]Your escalated privileges finish at "$timeplus30".
txt3.height = 200
txt3.width = 425
txt3.x = 0
txt3.y = 75
# txt.tooltip = Restart Message

img1.type = image
img1.x = 10
img1.y = 170
img1.maxwidth = 20
img1.maxheight = 20

img1.path = "/usr/local/Management/Images/logo4.png"

# Introductory text2
txt2.type = text
txt2.default = All Administrator usage will be logged.
txt2.height = 100
txt2.width = 350
txt2.x = 0
txt2.y = 40




db.type = defaultbutton

"

if [ -d '/Volumes/Pashua/Pashua.app' ]
then
    # Looks like the Pashua disk image is mounted. Run from there.
    customLocation='/Volumes/Pashua'
else
    # Search for Pashua in the standard locations
    customLocation='/usr/local/Management/Scripts/'
fi

# Get the icon from the application bundle
locate_pashua "$customLocation"
bundlecontents=$(dirname $(dirname "$pashuapath"))
if [ -e "$bundlecontents/Resources/AppIcon@2.png" ]
then
    conf="$conf
          img.type = image
          img.x = 10
          img.y = 250
          img.maxwidth = 400
          img.tooltip = “image”
          img.path = /usr/local/Management/Images/shutterstock_1119128867.jpg"
fi

pashua_run "$conf" "$customLocation"

echo "Pashua created the following variables:"
# echo "  tb  = $tb"
# echo "  tf  = $tf"
# echo "  ob  = $ob"
# echo "  pop = $pop"
# echo "  rb  = $rb"
echo "  cb  = $cb"
# echo "  chk = $chk"
echo "  b   = $b"
echo "  db  = $db"
echo ""



# FUNCTION Run Create launchD service to call JSS policy to remove admin rights.
mkadminremoved
echo "created LD" >> $LOG


#set the permission on the file just made.
chown root:wheel "$PPATH"/"$PLIST"
chmod 644 "$PPATH"/"$PLIST"
echo "set perms on LD"  >> $LOG

# load the removal plist timer.
launchctl enable system/"$PLIST" "$PPATH"/"$PLIST"
launchctl bootstrap system "$PPATH"/"$PLIST"
echo "loaded the LD"  >> $LOG

# build log files in var/makeadminLD.
[[ ! -d "$LOGDIR" ]] && mkdir "$LOGDIR"
printf "%s
" "$TIME by $U" >> "$LOGDIR"/makeadmin.txt
printf "%s
" "$U" >> "$LOGDIR"/userToRemove.txt
echo "Added the user $U to $LOGDIR/makeadmin.txt for removal when time expires"  >> $LOG

# give current logged user admin rights
/usr/sbin/dseditgroup -o edit -a "$U" -t user admin
echo "$U moved to admin group"

#checkcurrent admin users and create txt file
if [ -e /usr/local/Management/Scripts/.beforeadminsb.txt ]
then
rm -rf /usr/local/Management/Scripts/.beforeadminsb.txt
fi
if [ -e /usr/local/Management/Scripts/.afteradminsb.txt ]
then
rm -rf /usr/local/Management/Scripts/.afteradminsb.txt
fi
echo "checked for afteradmins.txt and beforeadmins.txt and deleted if they exist"  >> $LOG


# list of users currently with admin rights $beforeadmin and removing accounts as required which need to stay admin - ensure you remove the accounts you wish to keep admin by adding below with grep -v **name**
if [ ! -e /usr/local/Management/Scripts ]
then
mkdir /usr/local/Management/Scripts
fi
dscacheutil -q group -a name admin | grep users > /usr/local/Management/Scripts/.beforeadmins.txt
beforeadmin=$(cat /usr/local/Management/Scripts/.beforeadmins.txt)
for i in $beforeadmin
do
echo $i | grep -v "users:" | grep -v "managementaccount" | grep -v "localadmin" | grep -v root > /usr/local/Management/Scripts/.beforeadminsb.txt
done
echo "list of users currently with admin rights $beforeadmin"  >> $LOG


else
    echo "now is after EA - no admin" >> $LOG
fi

echo "***************************************************" >> $LOG

exit 0

the next is the removal of the Admin rights, this is called with the LaunchAgent ffrom above using a custom trigger scoped to all users

#!/bin/bash

### Created by David Coupe 2019
## feel free to improve and share, make sure you let me know through jamfNation with ID @bobw

#log 
log_location="/var/log/makeadmin.log"

ScriptLogging(){

    DATE=`date +%Y-%m-%d %H:%M:%S`
    LOG="$log_location"

    echo "$DATE" " $1" >> $LOG
}
ScriptLogging
echo "***************************************************" >> $LOG
LOGDIR="/var/makeadminLD"
PPATH="/Library/LaunchDaemons"
PLIST="edu.uon.adminremove.plist"
if [[ -f /var/makeadminLD/userToRemove.txt ]]; then
U="$(cat /var/makeadminLD/userToRemove.txt)"

dscacheutil -q group -a name admin | grep users > /usr/local/Management/Scripts/.afteradmins.txt

afteradmins=$(cat /usr/local/Management/Scripts/.afteradmins.txt)
echo "after admin expiry Administrators: $afteradmins"  >> $LOG

for i in $afteradmins
do
echo $i | grep -v "users:" | grep -v "caspermanage" | grep -v root > /usr/local/Management/Scripts/.afteradminsb.txt
done

beforeadminsorted=$(cat /usr/local/Management/Scripts/.afteradminsb.txt)

for i in $beforeadminsorted
do
echo $i >> /var/makeadminLD/userToRemove.txt
done

U="$(cat /var/makeadminLD/userToRemove.txt)"

for USER in $U; do
        printf "%s
" "removing $USER from admin group"
        /usr/sbin/dseditgroup -o edit -d "$USER" -t user admin
        printf "%s
" "$USER has been removed from admin group"
        echo "$USER removed from admin group" >> $LOG
    done

else
printf "%s
" "going to unload"
    launchctl disable system/"$PLIST"
    launchctl bootout system/"$PLIST"
    printf "%s
" "Completed"
    rm -f /Library/LaunchDaemons/"$PLIST"
fi
echo "unloaded LD"  >> $LOG
rm -rf /var/makeadminLD/userToRemove.txt
# rm -rf "$LOGDIR"/userToRemove.txt
rm -rf /private/var/makeadminLD/userToRemove
echo "removed files" >> $LOG
echo "***************************************************" >> $LOG
exit 0

agrant
New Contributor III

We have this setup a slightly different way.

1) A policy > script to elevate current user to admin, available in self-service - This is scoped to a static group, 'admin users'. We manually add machines into this group when admin is needed. i.e for software installs etc.
2) A policy > script that removes all users from the admin group, except for our management account. This is scoped to all machines. Triggered at startup.

Only machines that are in the static group have the elevate to local admin script available in self-service. Admin resets back to standard user on reboot for all machines at startup.

Works well for us - We often have a ticket open when someone needs temporary admin (Software installs etc) so we simply add their machine to the static group and remove it once they're finished.

If anyone needs the scripts let me know & I'll dig them out.

AbeZ_Tt
New Contributor II

Do you have those 2 scripts by any chance?

MikeF
Contributor II

@agrant

That sounds like a good way to do this. I like that i can let my help desk add the user to the static group. Can you post your scripts on this
Thanks

Heavy_D
Contributor III

@agrant Man this sounds legit. If you could compose a step by step guide here that was be awesome, I am interested in testing this method out myself as well.

agrant
New Contributor III

@MikeF @JarvisUno

So the first script to elevate the current user:

#!/bin/sh

U=`who |grep console| awk '{print $1}'`

# give current logged user admin rights
/usr/sbin/dseditgroup -o edit -a $U -t user admin

And the second script was from https://www.jamf.com/jamf-nation/discussions/21695/remove-local-admin-rights The actual script we used was:

#!/bin/sh

# This script removes all users except root and YOURADMINACCOUNTHERE from the admin group

adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)

for user in $adminUsers
do
    if [ "$user" != "root" ]  && [ "$user" != "YOURADMINACCOUNTHERE" ]
    then 
        dseditgroup -o edit -d $user -t user admin
        if [ $? = 0 ]; then echo "Removed user $user from admin group"; fi
    else
        echo "Admin user $user left alone"
    fi
done

Replacing YOURADMINACCOUNTHERE with the name of your admin / management account. Hope this helps.

So just those two Policies > Scripts really & its working fine for us. I can post some more details if needed just lemme know.

jttavares
New Contributor III

@agrant Thank you for this. If I need to add more accounts that need to stay admins would the following work? I am not all that good at scripting. Appreciate it.

adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)

for user in $adminUsers
do if [ "$user" != "root" ] && [ "$user" != "YOURADMINACCOUNTHERE" ] && [ "$user" != "YOURADMINACCOUNTHERE" ] && [ "$user" != "YOURADMINACCOUNTHERE" ] then dseditgroup -o edit -d $user -t user admin if [ $? = 0 ]; then echo "Removed user $user from admin group"; fi else echo "Admin user $user left alone" fi
done

agrant
New Contributor III

Yeh it looks like it will work. Hands up though - I'm not a scripting wizard.

I'd test it locally on your Mac to make sure it behaves like you expect before you upload to JAMF and push to any clients etc. Just to make sure.

hannahnoble
New Contributor

@agrant Thanks for the scripts. We were able to run both successfully, however all prior restrictions set in the profile were all removed. For instance, I have several items in system preferences turned off for our students and those did not go back to being restricted. This is happening on the new M1 chip Macbook Airs, which I know have some more complicated security protocols. Any ideas??

bwoods
Valued Contributor

@hannahnoble I would suggest looking into CyberArk EPM if you want granular control over what permissions a standard users has. For instance, you can remove their admin permissions and grant them access to System Preferences.

user-vqkGggRrtd
New Contributor

Hello Everyone,

I am running into issue where I can run this script for users to have Temp Admin access for 15mins but it doesn't remove the access after 15mins and also I was reading somewhere in Jamf where it said if you restart the computer or log out, that will also help to remove the user from Temp Admin access. If you don't do anything, after that 15mins set or 30mins set, it doesn't remove it until you restart it or log off.

Does anyone know if this is because of script or do I have to do something different to get the user removed from Admin access after 15mins or 30mins?

This is script I used which is from Jamf agent: https://github.com/jamf/MakeMeAnAdmin

Thank You

damarioblueceng
New Contributor

is there a way to make myself a temporary admin for much longer than 30 minutes by changing the macOS date to, say, 2030.

In this case, the jamf is not connecting. 

Can someone advise?

 

Thanks 

use the script above and change the amount of time to what you want

not sure i want to mess with scripts that way. I was thinking of changing the date before/whilst the script is running and then change the date back. 

Any advice?