Users being demoted when updating to 12.1

macaojeta
New Contributor

Jamf support has been nothing but useless the last week regarding the issue that all users who update from 12.0.x to 12.1 are being demoted from Local Admin to Standard User.

Anyone any clue why this is and how to prevent it?

Nothing has changed on our pre-enrollment side. Once we wipe a demoted device and re-enroll it, the user is local admin again, but now on 12.1.

6 REPLIES

AVmcclint
Honored Contributor

I've seen this happen even with upgrading to Big Sur. I don't think it has anything to do with Jamf though. I think under certain (unknown) conditions, something in the upgrade goes wrong and the admin group is actually deleted from the computer. I tried running a script in Self Service that is supposed to promote a user account to admin, but the error that came back basically indicated there was no admin group. I verified this by using dscl and exploring the directory structure and sure enough, the admin group was missing. With the admin group gone, that meant every admin user account was demoted and there was no way to sudo any commands without the root account being active. We also ended up erasing and reinstalling the OS and re-enrolling in Jamf.

I've read some others complain of the exact same thing in Apple's discussion boards and they are just regular home users without any MDM. I imagine there may be ways of re-adding the admin group via Recovery Mode, but we didn't have the time or patience to dig that deep into it.

You say that this is happening to all the Macs you've upgraded, or do you just mean all the users on a single Mac? If it's happening to all the users on a single Mac, that fits the theory of the admin group being deleted and it could be "just one of those things" that happens on rare occasion. If it is happening to EVERY computer that you upgrade, then there could be something unique to your setup that is triggering this to happen.

steve_summers
Contributor III

I started seeing this in my org when Big Sur 11.5 dropped... and I thought I was alone in this. Luckily we were able to create a policy in Self Service to promote folks BACK to being Admins.

Interesting details you found, @AVmcclint. I didn't stop long enough to dig that far down. We see it occasionally, after an OS update is released. Interestingly enough, I am on the Beta of Monterey, 12.2 and it happened when one of the beta releases got installed. And I didn't file feedback about it. (Doh!)

AVmcclint
Honored Contributor

How did you manage to promote people back to admins? 

I opened a ticket with Jamf Support when it happened...and they gave me a one-liner and then I turned it into a script I put in Self Service:

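#!/bin/bash

# The owner of /dev/console is the user currently logged in at the GUI
userName=$(/usr/bin/stat -f%Su /dev/console)
# Add that user to the local admin group (must run as root, e.g. from a Jamf policy)
/usr/sbin/dseditgroup -o edit -a "$userName" admin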

That does the trick MOST of the time...the other times, it's "wipe-and-reload"...

That’s pretty much the command we tried, but found the admin group was gone. Maybe your issue had a different cause. Maybe your admin group was intact after all… only the membership was affected. 

Yeah, it must have been. That stinks. 😕


=============
Steve Summers
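
The thread describes two different states behind the same symptom: the admin group record is gone, or the group is intact and only its membership was lost. The script below is an added example, not code from any poster or from Jamf, that tells the two apart before attempting the dseditgroup fix. The function names `admin_state` and `restore_admin` and the `DSCL`/`DSEDITGROUP` variables are hypothetical, and it assumes that `dscl` exits non-zero for a missing record and that `dseditgroup -o checkmember` reports membership through its exit status.

```shell
#!/bin/bash
# Added example: classify why a console user lost admin rights after an OS update.
# DSCL and DSEDITGROUP are hypothetical variables; they default to the macOS tools
# and exist so the logic can be exercised with stand-ins where those tools are absent.
DSCL="${DSCL:-/usr/bin/dscl}"
DSEDITGROUP="${DSEDITGROUP:-/usr/sbin/dseditgroup}"

# Prints one of: group_missing | not_member | member
admin_state() {
    # A missing group record makes dscl exit non-zero.
    if ! "$DSCL" . -read /Groups/admin PrimaryGroupID >/dev/null 2>&1; then
        echo "group_missing"
    elif "$DSEDITGROUP" -o checkmember -m "$1" admin >/dev/null 2>&1; then
        echo "member"
    else
        echo "not_member"
    fi
}

# Re-add the user only when the group exists and membership alone was lost.
restore_admin() {
    # At the login window /dev/console is owned by root: nobody to promote.
    if [ -z "$1" ] || [ "$1" = "root" ]; then
        echo "no console user logged in" >&2
        return 2
    fi
    case "$(admin_state "$1")" in
        member)
            echo "$1 is already an admin" ;;
        not_member)
            "$DSEDITGROUP" -o edit -a "$1" admin ;;
        group_missing)
            echo "admin group record is missing; dseditgroup cannot repair this" >&2
            return 1 ;;
    esac
}

# Act only on a Mac and only as root (policy scripts run as root).
if [ -x "$DSEDITGROUP" ] && [ "$(id -u)" -eq 0 ]; then
    restore_admin "$(/usr/bin/stat -f%Su /dev/console)"
fi
```

An exit status of 1 separates the "admin group is gone" case from a plain membership loss, so a policy log shows which Macs the one-liner cannot help.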