Posted on 05-17-2023 12:33 PM
We have implemented a setup of Jamf Pro with Jamf Connect in our environment. We have a mix of standard and admin users, and then we have a process to do admin items as needed.
One area is our network items: standard users can't troubleshoot, forget networks, etc.
This is obviously a massive issue, and being unable to connect while on travel or troubleshoot to get things moved along to the network is creating massive productivity gaps.
From what I see, Apple really locks down some of this, but it makes no sense why it's so locked down.
Any workaround? We really need ALL users to be able to control their network settings, especially when they travel for company events.
Thanks,
Posted on 05-18-2023 04:10 AM
I noticed this too, still looking myself.
Posted on 05-18-2023 10:16 AM
Why not create a temporary admin policy in Self Service? I have used this for the last several years.
https://github.com/jamf/MakeMeAnAdmin
There are a lot of ways to implement this. You can have it on all the time and only allow it to be run once a day, or you can scope it to a group of computers and add the computers to the group to allow the users to use the policy. There are more ways to do this. These are just two methods.
Posted on 05-18-2023 10:26 AM
I actually spent a lot of time looking at this and running into issues on different operating systems... it was one we were ultimately going to possibly go with. In the end we went with Admin by Request, which works until they aren't connected to the internet and it starts to be a mess. So we have clear ways to give temporary admin access, BUT that is NOT what management and security want. They want an exception for networking, as it shouldn't be blocked in the first place.
Thanks!
Posted on 05-18-2023 11:30 AM
The script I linked above installs a LaunchDaemon that demotes the user back to standard, so it doesn't matter if the computer is connected to the internet or not.
Posted on 05-18-2023 11:34 AM
Yep. Again, I went through that entire process. The point is, for the users who become standard, they don't want them to have quick and simple admin access (otherwise they would just give it), even with the logging feature. I was at the point of being ready to deploy this above. But then Admin by Request took it over.
They want to see if there is a way to make an exception for a standard user without giving admin access.
Thanks!
Posted on 05-22-2023 01:41 PM
Deploy a policy with a script attached to it that modifies the authorizationdb and gives standard users access to the networking pane/settings, printers, etc. See here for one of many references on the topic.
It's hacky, but it's been done for ages by many Mac admins including myself.
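A sketch of the kind of policy script the post above describes, added here as an example and not part of the original post or any Jamf-supplied script. The two right names, the `DRY_RUN` switch and the backup directory are assumptions; which rights gate network settings varies by macOS release, so check each with `security authorizationdb read <right>` before deploying.

```shell
#!/bin/sh
# Added example: open network-related authorization rights to standard users
# without granting admin. Run as root from a Jamf policy.
# ASSUMPTION: these right names; confirm them on your macOS version first.
NETWORK_RIGHTS="system.preferences.network system.services.systemconfiguration.network"

# DRY_RUN=1 (default) only prints the commands; set DRY_RUN=0 to apply them.
DRY_RUN="${DRY_RUN:-1}"
# Hypothetical location for the saved original rules.
BACKUP_DIR="${BACKUP_DIR:-/var/tmp/authdb-backup}"

# Print the backup and write commands for one right.
plan_right() {
    printf 'security authorizationdb read %s > %s/%s.plist\n' "$1" "$BACKUP_DIR" "$1"
    printf 'security authorizationdb write %s allow\n' "$1"
}

# Save the current rule, then replace it with the built-in "allow" rule.
# Restore later with: security authorizationdb write <right> < <saved plist>
apply_right() {
    mkdir -p "$BACKUP_DIR" || return 1
    security authorizationdb read "$1" > "$BACKUP_DIR/$1.plist" 2>/dev/null || return 1
    security authorizationdb write "$1" allow 2>/dev/null
}

# Walk every right; stop at the first failure so a partial change is visible.
grant_network_rights() {
    for r in $NETWORK_RIGHTS; do
        if [ "$DRY_RUN" = "1" ]; then
            plan_right "$r"
        else
            apply_right "$r" || { echo "failed on right: $r" >&2; return 1; }
        fi
    done
}

grant_network_rights
```

Because the original rule for each right is saved first, the change can be rolled back per right, and the list of rights stays limited to networking instead of unlocking all of the system settings.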
Posted on 05-21-2023 11:04 PM
Hi, there is a way, but it is very expensive.
I tried CyberArk Endpoint Privilege Manager and Delinea Privilege Manager. Those products give this option.
Admin by Request is still not perfect for macOS.
I am looking for a cheaper solution too.
Posted on 04-30-2024 05:27 AM
Looks like someone was able to work with Jamf support and get a script that works for Ventura and above: https://community.jamf.com/t5/jamf-pro/allow-standard-user-to-remove-wi-fi-networks-with-prompt/m-p/...