Temporary "almost admin"

jrb
New Contributor III

We've been looking into a way to allow users to have temporary permissions to add home printers, connect to wifi, etc. and I came across this useful post here:

https://www.jamf.com/jamf-nation/discussions/27206/allow-non-admin-users-to-add-printers-at-home

What would be the simplest way to modify the script to "expire" after say 24 hours?

Thanks!

4 REPLIES

Chris_Hafner
Valued Contributor II

Is there a reason why you want users to stop being able to add printers or connect to home WiFi? Our students are never admins, yet we allow them to add printers and connect to WiFi networks at their convenience. The thread you've mentioned gives you one method (The one that we use)... which is easily reversible if you really wanted to.

jrb
New Contributor III

Unfortunately the decision is out of my hands. Yes, the process is easily reversible, but if anyone has a suggestion how to make it time limited so it reverts on its own, that's what I'm looking to achieve. Again, not the best route... but also not my decision.

Chris_Hafner
Valued Contributor II

Fair enough (That's how it goes!). I can think of a few ways to accomplish this, depending on your specific circumstance. Here's a script that I found from @darklordbrock from this post:
https://www.jamf.com/jamf-nation/discussions/22077/temporary-admin-rights-via-self-service

The script can be found here:
https://github.com/darklordbrock/scripts/blob/master/UW-Milwaukee/30minAdminJss.sh

Basically, @darklordbrock uses a LaunchD process to remove admin rights after a specified period of time.

Here are some other threads with solutions:
https://www.jamf.com/jamf-nation/discussions/26480/temporary-admin-rights-via-self-service-policy
https://www.jamf.com/jamf-nation/discussions/12810/enable-admin-priviges-in-self-service

older:
https://www.jamf.com/jamf-nation/discussions/6990/temporary-admin-using-self-service

Chris_Hafner
Valued Contributor II

Just in case I don't make sense with the previous post, I put that up to show how to automatically run a process based on a timeframe. You're not looking to give full admin rights so you'll only be changing membership to the lpadmin group and access to various system preference panes. This will take some testing of course.
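
An added example, not part of the thread and not the script linked above: a sketch of the approach discussed here, granting `_lpadmin` membership and letting a LaunchDaemon revoke it after 24 hours by checking a stored absolute deadline. It covers group membership only, not preference-pane access. The label, file paths, 5-minute check interval and function names are assumptions.

```shell
#!/bin/sh
# Added example; install this file root-owned and not user-writable.
LABEL="com.example.lpadmin-expire"                  # hypothetical label
STATE="${STATE:-/var/db/lpadmin-expire}"            # holds "<user> <expiry-epoch>"
PLIST="${PLIST:-/Library/LaunchDaemons/$LABEL.plist}"
SELF="${SELF:-/usr/local/sbin/lpadmin-expire.sh}"   # assumed install path
TTL="${TTL:-86400}"                                 # 24 hours, in seconds

# Succeeds once the expiry has passed. A missing or non-numeric expiry also
# counts as expired, so a damaged state file fails closed (access is revoked).
is_expired() {  # is_expired <expiry-epoch> <now-epoch>
    case "$1" in ''|*[!0-9]*) return 0 ;; esac
    [ "$2" -ge "$1" ]
}

# LaunchDaemon that re-runs "check" every 5 minutes and at boot, so the
# deadline is an absolute time that survives sleep and restarts.
write_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>$LABEL</string>
  <key>ProgramArguments</key><array><string>/bin/sh</string><string>$SELF</string><string>check</string></array>
  <key>StartInterval</key><integer>300</integer>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
}

grant() {  # grant <short-username>; run as root, e.g. from a policy
    dseditgroup -o edit -a "$1" -t user _lpadmin
    umask 077                                   # state file readable by root only
    echo "$1 $(( $(date +%s) + $TTL ))" > "$STATE"
    write_plist > "$PLIST"
    chown root:wheel "$PLIST"; chmod 644 "$PLIST"
    launchctl bootstrap system "$PLIST"
}

check() {  # run by the LaunchDaemon
    user=""; expiry=""
    [ -r "$STATE" ] && read -r user expiry < "$STATE"
    is_expired "$expiry" "$(date +%s)" || return 0
    [ -n "$user" ] && dseditgroup -o edit -d "$user" -t user _lpadmin
    rm -f "$STATE" "$PLIST"
    launchctl bootout "system/$LABEL"           # last step: stops this job
}

case "${1:-}" in grant) grant "$2" ;; check) check ;; esac
```

Storing the deadline in a root-only file, rather than relying on the daemon's interval alone, keeps the user from extending it and keeps a reboot from resetting the clock.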