Temporary Admin Rights Via Self Service

THQIT
New Contributor II

Is there any way to grant a standard user temporary admin rights via Self Service? I am thinking of some kind of script they can run that grants them admin rights for, say, 10 minutes or so, then takes it away.

In a perfect world the script can only be run once a week or something like that.


timlarsen
Contributor

I (very briefly) started messing with something that could do this a while back based on a script linked off of this thread https://www.jamf.com/jamf-nation/discussions/6990/temporary-admin-using-self-service, but ultimately abandoned the idea because it would not reliably "revert" a user and remove them from the admin group after 1 hour (which was my interval of choice). One of these days I plan to revisit this as I think it's a neat idea in some orgs. Good luck!

donmontalvo
Esteemed Contributor III

A colleague turned me on to @Andrina's solution to temporarily elevate your rights for N minutes, definitely worth a look.

We were actually working on a slightly different solution. A method to temporarily elevate admin rights within Self Service. So any tech in an appropriate LDAP group can see all Self Service policies. Assuming of course that (1) computer meets requirements - OS version, any dependencies, etc., and (2) is not already in desired state - Photoshop 16 not visible if you have Photoshop 17 installed.

So we borrowed some of @Andrina's ideas, and reached out to thank her. Hoping to sanitize/post what we came up with at some point, when we come up for air.

--
https://donmontalvo.com

khey
Contributor

Hi @THQIT,

See my post here Password required to give Temp Admin

I used the script by darklordbrock 30min admin and use a verification method.

Basically, I have 2 scripts:

One is for the user to run from Self Service; it will give them a 5-digit random number, and then they have to call the Service Desk to get the password by using that 5-digit random number before the policy can run to give them Admin access.

Once the right password is typed in, they will have admin access for 15 minutes before a Launch Daemon kicks in to run a script to remove their account from administrator.

This way you only give out temp admin to users who really need it.
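The challenge/response step of that workflow, written out as an added example (this is not khey's or darklordbrock's script). It assumes a shared secret provisioned to both the Mac and the Service Desk (the value here is a constructed demo secret), a 15-minute validity window for the phone call (an assumption, matching the grant length above), and sha256 via openssl, sha256sum or shasum. The desk computes the same 8-character password from the 5-digit code the user reads out; the Mac only grants if the response matches and the code has not expired.

```shell
#!/bin/sh
# Added example of khey's verification step: the user gets a random 5-digit
# challenge, the Service Desk derives the response from it with a shared secret,
# and the Mac checks the response before granting. Not the original scripts.

# Constructed demo secret (assumption). In a real deployment keep it in a
# root-only file outside the script and rotate it; do not ship a default.
DESK_SECRET="${DESK_SECRET:-demo-secret-do-not-ship}"
# How long a challenge stays valid, in seconds (assumption: 15 minutes).
CHALLENGE_TTL=900

# new_challenge: random 5-digit number in 10000..99999 from /dev/urandom
new_challenge() {
    n=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
    echo $(( (n % 90000) + 10000 ))
}

# keyed_hash STRING: sha256 keyed with DESK_SECRET, hex output.
# Prefers a real HMAC via openssl; falls back to hashing "secret:string".
keyed_hash() {
    if command -v openssl >/dev/null 2>&1; then
        printf '%s' "$1" | openssl dgst -sha256 -hmac "$DESK_SECRET" | awk '{print $NF}'
    elif command -v sha256sum >/dev/null 2>&1; then
        printf '%s:%s' "$DESK_SECRET" "$1" | sha256sum | awk '{print $1}'
    else
        printf '%s:%s' "$DESK_SECRET" "$1" | shasum -a 256 | awk '{print $1}'
    fi
}

# desk_password CODE: the 8-character response the desk reads back to the user.
# The desk runs the same function (with the same secret) on their side.
desk_password() {
    keyed_hash "$1" | cut -c1-8
}

# verify_response CODE ISSUED_AT NOW RESPONSE
#   returns 0 if RESPONSE matches and the code is within CHALLENGE_TTL,
#   2 if the code has expired (user must request a fresh one), 1 otherwise.
verify_response() {
    code=$1; issued=$2; now=$3; response=$4
    if [ $(( now - issued )) -gt "$CHALLENGE_TTL" ]; then
        return 2
    fi
    [ "$response" = "$(desk_password "$code")" ]
}

# On the Mac, a Self Service policy would call new_challenge, show the number
# in a dialog, store it with "date +%s", then later prompt for the response and
# run verify_response before the dseditgroup step that grants admin.
```

Comparing the response with `=` inside `[ ]` is fine for an 8-character code read over the phone; the point of deriving it from a keyed hash is that the desk never has to look anything up on the Mac, and a code that sits unused past the window is refused rather than honoured later.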

jwojda
Valued Contributor II

I'm looking into this too, but the accounts will grant the admin but never remove them. I tried both @Andrina's and darklordbrock's ... I think it might be an issue in the launchd plist because it looks all garbled in TextEdit...

vbnrv
New Contributor

Old thread, but I felt it is pertinent to post a response. Just as jwojda has stated above, granting admin rights is one thing, but promptly removing access is important. The best practice approach is to have a workflow, wherein users will have to raise a request for rights >> admin will grant time-limited access (say 30 minutes) >> access will be automatically terminated at the end of the usage period. Windows Privilege Management software could come in handy to achieve this. Take a look at Securden (https://www.securden.com/), which helps achieve this.

mark_mahabir
Valued Contributor

How about this?

alexjdale
Valued Contributor III

The SAP app is pretty slick, but it appears to give all control to the user.

We created a Self Service policy that grants admin to the user, installs a launchdaemon that will remove them from the admin group after a specific duration, and has an automatic JSS-driven cleanup policy that runs in case the launchdaemon fails for any reason. It's not going to be 100% perfect in every use case, but we rolled this out prior to removing admin rights from every user who didn't have a permanent exception in place. The end goal was mitigation since too many users had admin rights.

ammonsc
Contributor II

@alexjdale Can you share the policy/script?

mack525
Contributor II

@alexjdale I'd like to see this policy/script as well if you don't mind sharing.

rderewianko
Valued Contributor II

The MAC at SAP team released a new tool they utilize for temp admin accounts that may be useful in your environments:
https://github.com/SAP/macOS-enterprise-privileges

kempt
New Contributor

@alexjdale Bump.

bmee
Contributor

Below is what we used to grant users 24 hours of temp admin. Not my script; forgot where I found it.

You can change the time below to 600 seconds (10 minutes) or however long it needs to be.

#Set temp admin timer
sudo defaults write /Library/LaunchDaemons/removeAdmin.plist StartInterval -integer 86400

#!/bin/bash

###############################################
# This script will provide temporary admin    #
# rights to a standard user right from self   #
# service. First it will grab the username of #
# the logged in user, elevate them to admin   #
# and then create a launch daemon that will   #
# count down from 24 Hours and then create    #
# and run a secondary script that will demote #
# the user back to a standard account. The    #
# launch daemon will continue to count down   #
# no matter how often the user logs out or    #
# restarts their computer.                    #
###############################################

#############################################
# find the logged in user and let them know #
#############################################

currentUser=$(who | awk '/console/{print $1}')
echo "$currentUser"

osascript -e 'display dialog "You now have administrative rights for 24 Hours. DO NOT ABUSE THIS PRIVILEGE..." buttons {"Agree"} default button 1'

#########################################################
# write a daemon that will let you remove the privilege #
# with another script and chmod/chown to make           #
# sure it'll run, then load the daemon                  #
#########################################################

#Create the plist
sudo defaults write /Library/LaunchDaemons/removeAdmin.plist Label -string "removeAdmin"

#Add program argument to have it run the update script
sudo defaults write /Library/LaunchDaemons/removeAdmin.plist ProgramArguments -array -string /bin/sh -string "/Library/Application Support/JAMF/removeAdminRights.sh"

#Set temp admin timer (seconds until the removal script runs)
sudo defaults write /Library/LaunchDaemons/removeAdmin.plist StartInterval -integer 86400

#Set run at load
sudo defaults write /Library/LaunchDaemons/removeAdmin.plist RunAtLoad -boolean yes

#Set ownership
sudo chown root:wheel /Library/LaunchDaemons/removeAdmin.plist
sudo chmod 644 /Library/LaunchDaemons/removeAdmin.plist

#Load the daemon
launchctl load /Library/LaunchDaemons/removeAdmin.plist
sleep 10

#########################
# make file for removal #
#########################

#Record the username so the removal script knows whom to demote
mkdir -p /private/var/userToRemove
echo "$currentUser" >> /private/var/userToRemove/user

##################################
# give the user admin privileges #
##################################

/usr/sbin/dseditgroup -o edit -a "$currentUser" -t user admin

########################################
# write a script for the launch daemon #
# to run to demote the user back and   #
# then pull logs of what the user did. #
########################################

#The target path contains a space, so it must be quoted or the
#heredoc is written to /Library/Application instead
cat << 'EOF' > "/Library/Application Support/JAMF/removeAdminRights.sh"
#!/bin/sh
if [ -f /private/var/userToRemove/user ]; then
    userToRemove=$(cat /private/var/userToRemove/user)
    echo "Removing $userToRemove's admin privileges"
    /usr/sbin/dseditgroup -o edit -d "$userToRemove" -t user admin
    rm -f /private/var/userToRemove/user
    launchctl unload /Library/LaunchDaemons/removeAdmin.plist
    rm /Library/LaunchDaemons/removeAdmin.plist
    log collect --last 1440m --output "/private/var/userToRemove/$userToRemove.logarchive"
fi
EOF

exit 0
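An added example, not bmee's script or the Jamf GitHub one, that makes explicit the parts of the approach above that tend to fail, and that also covers alexjdale's "cleanup policy in case the launchdaemon fails" and THQIT's once-a-week limit. The LaunchDaemon is written as XML rather than with `defaults write` (which creates a binary plist, hence the "garbled in TextEdit" look), the StartInterval is computed from minutes and capped, the removal script is written with every path quoted, and a timestamp is recorded on disk so a periodic management-driven check can demote a user whose daemon never fired. The label, paths, one-day cap and seven-day cooldown are assumptions; `install_grant` is macOS-only and is not exercised by the pure-shell functions around it.

```shell
#!/bin/sh
# Added example: a readable LaunchDaemon, a quoted removal script, and a
# timestamp-based stale-grant check for a fallback cleanup policy. Not the
# original script. LABEL, paths, MAX_MINUTES and COOLDOWN_DAYS are assumptions.

LABEL="com.example.removeAdmin"                    # assumed daemon label
PLIST="/Library/LaunchDaemons/$LABEL.plist"
REMOVE_SCRIPT="/Library/Application Support/JAMF/removeAdminRights.sh"
GRANT_FILE="/private/var/userToRemove/user"
GRANT_STAMP="/private/var/userToRemove/granted_at"
MAX_MINUTES=1440                                   # assumed policy cap: one day
COOLDOWN_DAYS=7                                    # assumed: one grant per week

# minutes_to_interval MINUTES: StartInterval in seconds, clamped to 1..MAX_MINUTES
minutes_to_interval() {
    m=$1
    [ "$m" -gt "$MAX_MINUTES" ] && m=$MAX_MINUTES
    [ "$m" -lt 1 ] && m=1
    echo $(( m * 60 ))
}

# render_plist SECONDS: XML LaunchDaemon that runs REMOVE_SCRIPT after SECONDS.
# RunAtLoad is false on purpose: the removal script and grant record are put
# in place before the daemon is loaded, so nothing should fire at load time.
render_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$LABEL</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>$REMOVE_SCRIPT</string>
    </array>
    <key>StartInterval</key>
    <integer>$1</integer>
    <key>RunAtLoad</key>
    <false/>
</dict>
</plist>
EOF
}

# write_removal_script PATH: the script the daemon runs as root. Paths are
# expanded now; \$userToRemove is left for runtime. The daemon is removed last,
# because launchd stops this job (and anything after that line) on unload.
write_removal_script() {
    cat <<EOF > "$1"
#!/bin/sh
if [ -f "$GRANT_FILE" ]; then
    userToRemove=\$(cat "$GRANT_FILE")
    /usr/sbin/dseditgroup -o edit -d "\$userToRemove" -t user admin
    rm -f "$GRANT_FILE" "$GRANT_STAMP"
    logger -t removeAdmin "removed admin rights from \$userToRemove"
fi
rm -f "$PLIST"
launchctl remove "$LABEL"
EOF
}

# grant_is_stale GRANTED_AT NOW MINUTES: 0 if the grant should already be over.
# For a periodic management-driven cleanup: the timestamp on disk survives
# reboots, whereas a StartInterval is only a countdown inside the running launchd.
grant_is_stale() {
    [ $(( $2 - $1 )) -ge $(( $3 * 60 )) ]
}

# cooldown_ok LAST_GRANT NOW: 0 if at least COOLDOWN_DAYS have passed (or no
# previous grant, passed as 0), so a new grant may be issued.
cooldown_ok() {
    [ "$1" -eq 0 ] || [ $(( $2 - $1 )) -ge $(( COOLDOWN_DAYS * 86400 )) ]
}

# install_grant USER MINUTES: macOS-only, run as root. Order matters: removal
# script, grant record and daemon first, then load, then the group edit.
install_grant() {
    user=$1; secs=$(minutes_to_interval "$2")
    mkdir -p "$(dirname "$GRANT_FILE")"
    write_removal_script "$REMOVE_SCRIPT"
    printf '%s\n' "$user" > "$GRANT_FILE"
    date +%s > "$GRANT_STAMP"
    render_plist "$secs" > "$PLIST"
    chown root:wheel "$PLIST" && chmod 644 "$PLIST"
    launchctl load "$PLIST"
    /usr/sbin/dseditgroup -o edit -a "$user" -t user admin
}
```

The fallback policy only needs `grant_is_stale "$(cat "$GRANT_STAMP")" "$(date +%s)" MINUTES` to decide whether to run the removal script itself; `cooldown_ok` reads the same timestamp file before a new grant is issued. Because `render_plist` writes plain XML, `plutil -lint` and a text editor both show exactly what launchd will load.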

dcousino
New Contributor

I do believe you got that from the Jamf GitHub.

bcbackes
Contributor III

@bmee I'm running into issues where after the Admin rights are granted they are not removed after the set time. I'm not sure what is going wrong. Any ideas? Have you seen this at all?

UPDATE: I found I had to adjust the script by adding "sudo" to the following lines:

sudo /usr/sbin/dseditgroup -o edit -d $userToRemove -t user admin
sudo rm -f /private/var/userToRemove/user
sudo launchctl unload /Library/LaunchDaemons/removeAdmin.plist
sudo rm /Library/LaunchDaemons/removeAdmin.plist
sudo log collect --last 1440m --output /private/var/userToRemove/$userToRemove.logarchive

However, I couldn't find a log file that lists what changes were done.