I have traversed this site, looking for scripts or other means to provide users temporary admin rights. Most discussions provide two scripts, however, they do no show how to configure them from within Jamf JSS. One such example is from the github site JPDyson https://www.jamf.com/jamf-nation/discussions/6990/temporary-admin-using-self-service.
My question is, how are these scripts set up in Jamf JSS, so that they will work?
Or, if there is a better approach, that would be great to know...
Hi,
I used the following to grant temporary admin rights via Self Service and it seemed to work in my testing:
https://github.com/jamfprofessionalservices/MakeMeAdminPy
I have looked into that one. I have followed the directions, however, I am not familiar with EA-MakeMeAdmin_ComplianceCheck.py. If you can add the steps you did to get yours to work that would be great.
From my understanding the EA just checks to make sure that the user doesn't create additional admin accounts with their elevated privileges. In my testing I just followed the Implementation section on the link I provided above, it basically walks you through how to set everything up in the JSS.
Mark - I too an following this process. Could you explain how you used the encrypted strings in the RemoveTempAdmin?
Hello,
I left both the grantTempAdmin and removeTempAdmin scripts untouched in my testing and from what I can tell they worked. My test account was able to execute admin functions for the default 30 minutes, after that the account was set back to standard. I would suggest contacting the writer of these scripts for further questions as my expertise in python is limited.
I guess I am missing something or the files have been moved to a new location. I went to the site https://github.com/jamf/MakeMeAdmin and I only see one .sh file there. It appears t be the script to grant Admin rights but I do not see the script to remove those admin rights. Any help would be greatly appreciated.
@ckappenman I'll have to look at getting it on the new Jamf GitHub page. We did some consolidation of the Jamf GitHub pages and that one must have gotten lost in the shuffle, but I have it on my personal page as well.
https://github.com/kc9wwh/MakeMeAdminPy
Rosko, Thanks for the reply. I found MakeMeAnAdmin (another JAMF product) later yesterday and it is working great. For those interested, here is the link: https://github.com/jamf/MakeMeAnAdmin
I use the SAP open source app 'Privileges' for a similar purpose, but does not require jamf, and involves less scripting. I deploy a pkg with the lauchagent that demotes the local user to non-admin at each login. (see docs for ready-to-use plist) https://github.com/SAP/macOS-enterprise-privileges.
FWIW, we looked at "Privileges" as well, but went with the "MakeMeAnAdmin" approach instead, as "Privileges" does not automatically downgrade the account without a fair amount of additional scripting. So far "MakeMeAdmin" is working nicely in our environment. Not as pretty, not as splashy, but effective.
this is the script i used, i did get it from github, but unfortunately i forgot the name of the author
currentUser=$(who | awk '/console/{print $1}')
echo $currentUser
osascript -e 'display dialog "You now have administrative rights for 30 minutes. DO NOT ABUSE THIS PRIVILEGE..." buttons {"Make me an admin, please"} default button 1'
sudo defaults write /Library/LaunchDaemons/removeAdmin.plist Label -string "removeAdmin"
sudo defaults write /Library/LaunchDaemons/removeAdmin.plist ProgramArguments -array -string /bin/sh -string "/Library/Application Support/JAMF/removeAdminRights.sh"
sudo defaults write /Library/LaunchDaemons/removeAdmin.plist StartInterval -integer 1800
sudo defaults write /Library/LaunchDaemons/removeAdmin.plist RunAtLoad -boolean yes
sudo chown root:wheel /Library/LaunchDaemons/removeAdmin.plist
sudo chmod 644 /Library/LaunchDaemons/removeAdmin.plist
launchctl load /Library/LaunchDaemons/removeAdmin.plist
sleep 10
if [ ! -d /private/var/userToRemove ]; then
mkdir /private/var/userToRemove
echo $currentUser >> /private/var/userToRemove/user
else
echo $currentUser >> /private/var/userToRemove/user
fi
/usr/sbin/dseditgroup -o edit -a $currentUser -t user admin
cat << 'EOF' > /Library/Application Support/JAMF/removeAdminRights.sh
if [[ -f /private/var/userToRemove/user ]]; then
userToRemove=$(cat /private/var/userToRemove/user)
echo "Removing $userToRemove's admin privileges"
/usr/sbin/dseditgroup -o edit -d $userToRemove -t user admin
rm -f /private/var/userToRemove/user
launchctl unload /Library/LaunchDaemons/removeAdmin.plist
rm /Library/LaunchDaemons/removeAdmin.plist
log collect --last 30m --output /private/var/userToRemove/$userToRemove.logarchive
fi
EOF
exit 0
We have went with the "makemeanadmin" approach as well. It is easy to modify the script to have allowances of different time spans based upon the user need. I have our system set with an option for 30 minutes and 60 minutes and I assign the option to the user at the time they request need based upon the time frame I determine they will need to accomplish the task.
Another route is to create another account with admin right.
This way the computer user is not promoted to admin, and authenticates as such only when needed.
Here is how we are handling it now.
Create user policy scoped to staff devices, via Self Service. Allow to run 1x.
Remove user policy scoped to smart group operator has the local temporary admin.
Email notification when devices are added and removed from smart group.
To prevent further install / sharing the password from one end user to other, the policy is modified so a new password is provided at a scheduled interval.
With all of that, end users allow remote support to our techs and quickly loose ability of being an admin on the machine.
We considered the other tools such as the app that elevates their access for x number of minutes, our fear is that it would be misused.
While on our network support agents use ARD.
I know there are other solutions out there.
This we created and tested within an hour.
Each environment/culture is different.
If you would like me to elaborate more with screenshots, etc I can.
The Make Me An Admin script works really well for my environment.
We are going with the "MakeMeAnAdmin" script, though I was asked to also build out a mechanism in which the user would be required to enter the reason they are giving themselves temporary administrator rights.
I am using 3 different steps to accomplish this; 1) MakeMeAnAdmin policy with a custom trigger, 2) Self Service policy with a custom script which prompts the user for a reason (documents it in a file) and then triggers the MakeMeAnAdmin policy, and 3) an Extension Attribute which scrapes the "reason" file, and populates that information in the devices Extension Attribute section. Since there is not a way (that I am aware of) to notify the Jamf admin when a policy is run, this also allows you to create a Smart Group (w/ email notifications on group change) notifying you when a user has run this policy.
I have tested this process, and it does work as I intended. As I would definitely classify myself as a scripting noob, please excuse any glaring mistakes with the code below. Hopefully this may help someone out in a similar situation.
Script to prompt for reason
#!/bin/sh
# Display dialog asking the user for the reason why they need administrator rights
adminReason=$(/usr/bin/osascript<<END
tell application "System Events"
activate
set the answer to text returned of (display dialog "You are about to be granted with temporary administrator rights. Please describe what you intend to do with your temporary admin rights." with title "Temporary Admin Rights" default answer "")
end tell
END)
# While loop to have the user provide an answer of at least so many characters long
while True ; do
[[ ${#adminReason} -ge 20 ]] && break
echo "Sorry that string isnt long enough."
adminReason=$(/usr/bin/osascript<<END
tell application "System Events"
activate
set the answer to text returned of (display dialog "You did not provide a sufficient answer. As you are about to be granted with temporary administrator rights. Please describe what you intend to do with your temporary admin rights." with title "Temporary Admin Rights" default answer "")
end tell
END)
done
# Get Current user
loggedInUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "
");'`
# Specify output file path
filepath="/Library/Application Support/companyName/Extension Attributes/"
# Get Date & Time
dt=`date '+%m-%d-%y_%H:%M:%S'`
# Check to see if the Users output filepath exists
if [[ -d ${filepath} ]]; then
echo "Extension Attribute folder exists. Moving on."
else
echo "Extension Attribute folder does not exist. Creating it now"
mkdir "$filepath"
fi
# Create Reason file
file="${filepath}AdminReason.txt"
echo "${dt}_${loggedInUser}_${adminReason}" >> "$file"
# Run the temporary admin policy
/usr/local/jamf/bin/jamf policy -event tempAdmin
# Notify the user they have been granted temporary admin rights
osascript -e 'display dialog "You now have administrative rights for 15 minutes. DO NOT ABUSE THIS PRIVILEGE..." buttons {"I Understand"} default button 1'
exit 0Extension Attribute scraping the "reason" file
#!/bin/sh
outputFile="/Library/Application Support/companyName/Extension Attributes/AdminReason.txt"
fileContent=$( cat "$outputFile" )
if [[ -e "$outputFile" ]]; then
echo "<result>$fileContent</result>"
else
echo "<result>NotGrantedAdminRights</result>"
fiI have previously used the "Make me an Admin" approach, just wanted to say that part of the instruction to the end user needs to be to run the Self Service task before starting an installer or trying to authenticate a system preference etc. Admin rights will be interpreted as they existed previously if there's already a password dialog on screen.
I'd also recommend throwing a recon into the follow-up / "demote" action, to track whatever might have changed.
does Jamf's MakeMeAnAdmin remove the admin rights of an existing admin user? Or what is the best approach for that? Most of our accounts are DEP created (501 admin) or manually created (501 admin) from setup assistant
@walt Here is what we use
#!/bin/sh
logfile="/var/log/FixLocalAdmin.log"
log () {
echo $1
echo $(date "+%Y-%m-%d %H:%M:%S: ") $1 >> $logfile
}
adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)
for user in $adminUsers
do
if [ "$user" != "root" ] && [ "$user" != "local_admin" ] && [ "$user" != "management_user" ]
then
dseditgroup -o edit -d $user -t user admin
if [ $? = 0 ]; then log "Removed user $user from admin group"; fi
else
log "Admin user $user left alone"
fi
done@merps thanks, i noticed it also removes our managed JSS account, is there a way to prevent that account from losing admin privileges in the script? for example the account is jssadmin.
Would i just append the
ifstatement to:
if [ "$user" != "root" ] && [ "$user" != "local_admin" ] && [ "$user" != "management_user" ] && [ "$user" !="jssadmin" ]@walt Yes, definitely. I probably should have been more clear that local_admin is substitute for our additional local admin, and management_user is substitute for our managed JSS account. So you'd want to change management_user to jssadmin and local_admin to whatever (if anything) you add in the "create additional local account" pane.
@merps no problem at all, i'm apparently not very good at reading scripts, this is extremely helpful though. Thank you!
One thing to be aware of is the Users with admin rights are able to create other users and give those admin rights...
I have a quick script which writes all existing admin accounts to a text file then when the Admin rights are removed or timed out another script is run to do a comparison to the original Admin users and move any new accounts back to standard accounts, then write these new accounts to an EA.
@BOBW i'd be interested to test this out as well. it seems to depend on how Macs are enrolled, Jamf can remove additional accounts from within the console, albeit one by one.
Another question i have and i may just make a separate thread for this, but how could i restore admin privileges to users (not timed or restricted)?
I tried messing with this script: https://github.com/jamf/MakeMeAnAdmin/blob/master/MakeMeAnAdmin.sh by removing the timing lines but that seemed to immediately default the user back to standard. I do like the prompt it provides
@walt
OK, it's not pretty but it works.....
Here is the first part where it notifies user using pashua, looks at an EA in Jamf for a time set by support. this is for an expiry if you want to be able to say you can only run this for the next 24 hours, creates a launch Daemon to run after a set amount of time plus 30 mins. Also needs someone to create the EA in Jamf to allow someone to put a date time in, but needs to be in a certain format to be read correctly.
We ended up creating an app for the Support staff to select a date which will use the API to write to the EA, or for Windows support to use Powershell app to do the same thing.
One of the things I have noted with this is the fact if someone removes network then the LaunchD will wait for another 30 minutes but as soon as the JSS is contactable it will run
We were thinking about just deleting the account people create but then someone might have research work in there.....
#!/bin/bash
### Created by David Coupe 2019
## feel free to improve and share, make sure you let me know through jamfNation with ID @bobw
#set variables here:
TimeAllowed=
log_location=
#log
log_location="/var/log/makeadmin.log"
touch "/var/log/makeadmin.log"
ScriptLogging(){
DATE=`date +%Y-%m-%d %H:%M:%S`
LOG="$log_location"
echo "$DATE" " $1" >> $LOG
}
ScriptLogging
## find your serial number
serial=$(ioreg -c "IOPlatformExpertDevice" | awk '/IOPlatformSerialNumber/ {print $4}' | tr -d ")
echo $serial >> $LOG
## find your JAMF URL
jssurl=$(defaults read /Library/Preferences/com.jamfsoftware.jamf.plist jss_url)
echo $jssurl >> $LOG
## get your computer ID from JAMF based on serial - replace ******** with your base64 encrypted passcode - due to some characters not being valid recommend this is not a variable
JSSComputerid=$(curl -H "Accept: text/xml" -sfk --header 'authorization: Basic *********' "${jssurl}JSSResource/computers/serialnumber/$serial/subset/general" | xmllint --xpath '//id/text()' - | awk -F "-" '{print $1}' )
echo "Computer ID = $JSSComputerid" >> $LOG
id="$JSSComputerid"
# Extension attribute which has the time set for expiry - this could be a AD attribute using LDAP
EAID=131
echo "EAID = $EAID" >> $LOG
#time allowed in seconds
TimeAllowed=1800
echo "time allowed = $TimeAllowed" >> $LOG
# get the device Extension attributes
xml=$(curl -H "Accept: text/xml" -sfk --header 'authorization: Basic *****' "${jssurl}JSSResource/computers/id/$id/subset/extension_attributes" )
# find the value of the EAAID which is set above
value=$(echo "$xml" | xpath "//*[id=131]/value/text()" 2>/dev/null )
echo "EA time = $value" >> $LOG
#convert value to epoch time
if [ $value ! = "" ]
then
value2=$(date -j -f "%Y/%m/%d %H:%M:%S" "$value" "+%s")
echo "converted time = $value2" >> $LOG
#GET NOW Time
NOW=$(date +%s)
echo "now = $NOW" >> $LOG
fi
#compare times
if [[ $NOW < $value2 ]] || [[ $value2 = "" ]]
then
echo "now is before EA - admin OK" >> $LOG
#get user
U="$(who | grep console | awk '{ print $1 }')"
echo "user is $U" >> $LOG
# set path for LauncDaemon
PPATH="/Library/LaunchDaemons"
echo "LaunchD path is $PPATH" >> $LOG
# set launchD plist name
PLIST="edu.uon.adminremove.plist"
echo launchD plist name is $PLIST >> $LOG
LOGDIR="/var/makeadminLD"
TIME=$(date "+Date:%m-%d-%Y TIME:%H:%M:%S")
#create the LD for the removal of admin rights
mkadminremoved() {
local label="$PLIST"
local string0="/usr/local/bin/jamf"
local string1="policy"
local string2="-event"
local string3="adminremovev3"
local sout="$LOGDIR/${PLIST%.plist}.out"
local serr="$LOGDIR/${PLIST%.plist}.err"
plistbuddy() { /usr/libexec/PlistBuddy "$@"; }
plistbuddy -c "add :Label string $label"
-c "add :ProgramArguments array"
-c "add :ProgramArguments:0 string $string0"
-c "add :ProgramArguments:1 string $string1"
-c "add :ProgramArguments:2 string $string2"
-c "add :ProgramArguments:3 string $string3"
-c "add :StandardOutPath string $sout"
-c "add :StandardErrorPath string $serr"
-c "add :StartInterval integer $TimeAllowed"
"$PPATH"/"$PLIST"
}
# Message to user they have admin rights for 30 min.
#!/bin/bash
if [ ! -e /usr/local/Management/Images/shutterstock_1119128867.jpg ]
then
sudo /usr/local/bin/jamf policy -event image1
sleep 30
fi
if [ ! -e "/usr/local/Management/Images/logo4.png" ]
then
sudo /usr/local/bin/jamf policy -event logo4
sleep 30
fi
if [ ! -e "/usr/local/Management/Scripts/Pashua.app" ]
then
sudo /usr/local/bin/jamf policy -event pashuaforce
sleep 30
fi
# MYDIR="$( cd "$( /usr/local/bin/ "${BASH_SOURCE[0]}" )" && pwd )"
MYDIR="/usr/local/bin/"
# Include pashua.sh to be able to use the 2 functions defined in that file
source "$MYDIR/pashua.sh"
# Define what the dialog should be like
# Take a look at Pashua's Readme file for more info on the syntax
loggedInUserID=$( id -P $(stat -f%Su /dev/console) | awk -F '[:]' '{print $8}' | awk '{print $1}' )
# loggedInUser2=$(dscl . -read /Users/"$loggedInUserID" RealName | awk '{print $1}')
TIME=$(date "+Date:%m-%d-%Y TIME:%H:%M:%S")
timeplus30=$(date -j -v+1H)
conf="
# Set window title
*.title = University of *****
# Introductory text
txt.type = text
txt.fontsize = regular
txt.default = Hello ${loggedInUserID}.
txt.height = 200
txt.width = 300
txt.x = 100
txt.y = 180
# txt.tooltip = Restart Message
# Introductory text
txt3.type = text
txt3.fontsize = regular
txt3.default =You now have Administrator access to your computer.[return][return]Your escalated privileges finish at "$timeplus30".
txt3.height = 200
txt3.width = 425
txt3.x = 0
txt3.y = 75
# txt.tooltip = Restart Message
img1.type = image
img1.x = 10
img1.y = 170
img1.maxwidth = 20
img1.maxheight = 20
img1.path = "/usr/local/Management/Images/logo4.png"
# Introductory text2
txt2.type = text
txt2.default = All Administrator usage will be logged.
txt2.height = 100
txt2.width = 350
txt2.x = 0
txt2.y = 40
db.type = defaultbutton
"
if [ -d '/Volumes/Pashua/Pashua.app' ]
then
# Looks like the Pashua disk image is mounted. Run from there.
customLocation='/Volumes/Pashua'
else
# Search for Pashua in the standard locations
customLocation='/usr/local/Management/Scripts/'
fi
# Get the icon from the application bundle
locate_pashua "$customLocation"
bundlecontents=$(dirname $(dirname "$pashuapath"))
if [ -e "$bundlecontents/Resources/AppIcon@2.png" ]
then
conf="$conf
img.type = image
img.x = 10
img.y = 250
img.maxwidth = 400
img.tooltip = “image”
img.path = /usr/local/Management/Images/shutterstock_1119128867.jpg"
fi
pashua_run "$conf" "$customLocation"
echo "Pashua created the following variables:"
# echo " tb = $tb"
# echo " tf = $tf"
# echo " ob = $ob"
# echo " pop = $pop"
# echo " rb = $rb"
echo " cb = $cb"
# echo " chk = $chk"
echo " b = $b"
echo " db = $db"
echo ""
# FUNCTION Run Create launchD service to call JSS policy to remove admin rights.
mkadminremoved
echo "created LD" >> $LOG
#set the permission on the file just made.
chown root:wheel "$PPATH"/"$PLIST"
chmod 644 "$PPATH"/"$PLIST"
echo "set perms on LD" >> $LOG
# load the removal plist timer.
launchctl enable system/"$PLIST" "$PPATH"/"$PLIST"
launchctl bootstrap system "$PPATH"/"$PLIST"
echo "loaded the LD" >> $LOG
# build log files in var/makeadminLD.
/ ! -d "$LOGDIR" ]] && mkdir "$LOGDIR"
printf "%s
" "$TIME by $U" >> "$LOGDIR"/makeadmin.txt
printf "%s
" "$U" >> "$LOGDIR"/userToRemove.txt
echo "Added the user $U to $LOGDIR/makeadmin.txt for removal when time expires" >> $LOG
# give current logged user admin rights
/usr/sbin/dseditgroup -o edit -a "$U" -t user admin
echo "$U moved to admin group"
#checkcurrent admin users and create txt file
if
-e /usr/local/Management/Scripts/.beforeadminsb.txt ]
then
rm -rf /usr/local/Management/Scripts/.beforeadminsb.txt
fi
if
-e /usr/local/Management/Scripts/.afteradminsb.txt ]
then
rm -rf /usr/local/Management/Scripts/.afteradminsb.txt
fi
echo "checked for afteradmins.txt and beforeadmins.txt and deleted if they exist" >> $LOG
# list of users currently with admin rights $beforeadmin and removing accounts as required which need to stay admin - ensure you remove the accounts you wish to keep admin by adding below with grep -v **name**
if
! -e /usr/local/Management/Scripts ]
then
mkdir /usr/local/Management/Scripts
fi
dscacheutil -q group -a name admin | grep users > /usr/local/Management/Scripts/.beforeadmins.txt
beforeadmin=$(cat /usr/local/Management/Scripts/.beforeadmins.txt)
for i in $beforeadmin
do
echo $i | grep -v "users:" | grep -v "managementaccount" | grep -v "localadmin" | grep -v root > /usr/local/Management/Scripts/.beforeadminsb.txt
done
echo "list of users currently with admin rights $beforeadmin" >> $LOG
else
echo "now is after EA - no admin" >> $LOG
fi
echo "***************************************************" >> $LOG
exit 0the next is the removal of the Admin rights, this is called with the LaunchAgent ffrom above using a custom trigger scoped to all users
#!/bin/bash
### Created by David Coupe 2019
## feel free to improve and share, make sure you let me know through jamfNation with ID @bobw
#log
log_location="/var/log/makeadmin.log"
ScriptLogging(){
DATE=`date +%Y-%m-%d %H:%M:%S`
LOG="$log_location"
echo "$DATE" " $1" >> $LOG
}
ScriptLogging
echo "***************************************************" >> $LOG
LOGDIR="/var/makeadminLD"
PPATH="/Library/LaunchDaemons"
PLIST="edu.uon.adminremove.plist"
if
i -f /var/makeadminLD/userToRemove.txt ]]; then
U="$(cat /var/makeadminLD/userToRemove.txt)"
dscacheutil -q group -a name admin | grep users > /usr/local/Management/Scripts/.afteradmins.txt
afteradmins=$(cat /usr/local/Management/Scripts/.afteradmins.txt)
echo "after admin expiry Administrators: $afteradmins" >> $LOG
for i in $afteradmins
do
echo $i | grep -v "users:" | grep -v "caspermanage" | grep -v root > /usr/local/Management/Scripts/.afteradminsb.txt
done
beforeadminsorted=$(cat /usr/local/Management/Scripts/.afteradminsb.txt)
for i in $beforeadminsorted
do
echo $i >> /var/makeadminLD/userToRemove.txt
done
U="$(cat /var/makeadminLD/userToRemove.txt)"
for USER in $U; do
printf "%s
" "removing $USER from admin group"
/usr/sbin/dseditgroup -o edit -d "$USER" -t user admin
printf "%s
" "$USER has been removed from admin group"
echo "$USER removed from admin group" >> $LOG
done
else
printf "%s
" "going to unload"
launchctl disable system/"$PLIST"
launchctl bootout system/"$PLIST"
printf "%s
" "Completed"
rm -f /Library/LaunchDaemons/"$PLIST"
fi
echo "unloaded LD" >> $LOG
rm -rf /var/makeadminLD/userToRemove.txt
# rm -rf "$LOGDIR"/userToRemove.txt
rm -rf /private/var/makeadminLD/userToRemove
echo "removed files" >> $LOG
echo "***************************************************" >> $LOG
exit 0We have this setup a slightly different way.
1) A policy > script to elevate current user to admin, available in self-service - This is scoped to a static group, 'admin users'. We manually add machines into this group when admin is needed. i.e for software installs etc.
2) A policy > script that removes all users from the admin group, except for our management account. This is scoped to all machines. Triggered at startup.
Only machines that are in the static group have the elevate to local admin script available in self-service. Admin resets back to standard user on reboot for all machines at startup.
Works well for us - We often have a ticket open when someone needs temporary admin (Software installs etc) so we simply add their machine to the static group and remove it once they're finished.
If anyone needs the scripts let me know & I'll dig them out.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.