Skip to main content

things like homebrew or nginx, etc, require sudo access to install/update.

is there a safe way to maintain their standard user rights and just give them access to sudo certain applications?

Any application that i can package in composer or a curl script i have, but applications (namely) homebrew (with xcode CLI) require sudo access to install and update. Homebrew script (found here) doesnt work in SelfService but works as a script on the local machine, assuming its timing out waiting for a prompt even though it doesnt prompt in the OS (maybe i need to add PPPC for osascript and terminal?)

i dont want the user to have admin rights elsewhere like creating an account or deleting the jamf binary, but they would still need to do their job.

try this

@teodle is this something you have implemented too?

do do you guys go about managing this or scaling this for larger devs?

No but maybe we should. Haven't looked into scaling this but I'm sure it's possible.

@jcheLC Have you seen the SAP app Privileges Link Here

@teodle how do you guys provide temp admin access or are all your users basically admin (or at least if they have admin it wont be removed)

@kerickson Yup, but it seems like a temp stopgap - is the usage track-able?
whats stop the users from just running it all day and being admin basically all day? :(

Have you looked at the jamf connect Pam module ?

https://docs.jamf.com/jamf-connect/1.6.0/administrator-guide/Pluggable_Authentication_Module_(PAM).html

@jcheLe
We have a promote to admin policy that can be applied to a single local user or all local users but then someone has to remember to demote them back to standard users.

Jamf has this tool on their github: MakeMeAnAdmin

@jchele ...could you provide a copy of that policy? thanks!

@teodle would you mind sharing that policy? Thanks!

Hi everyone, my secadmin team wants to remove admin rights for all of my users. I initially thought that the Jamf Connect Login P.A.M module was able to do this, but I was mistaken. the P.A.M module only allows you to run sudo commands and use a cloud identity provider to enter your password. Since I couldn't use P.A.M, I created a simple script that would make it possible to run sudo commands without an admin account based on all of the information you all provided. Thanks to everyone for pointing me in the right direction.

  1. Make sure to run this script with a Jamf policy
  2. I've included security features to prevent users from editing System Preferences, attempting to remove the Jamf Binary, and editing the sudoers file.
#!/bin/bash

# Identify the username of the logged-in user

currentUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "
");'`

# Create file named "standard" and place in /private/tmp/

touch /private/tmp/standard 

# Populate "standard" file with desired permissions

echo "$currentUser ALL= (ALL) ALL
$currentUser    ALL= !/usr/bin/passwd root, !/usr/bin/defaults, !/usr/sbin/visudo, !/usr/bin/vi /etc/sudoers, !/usr/bin/vi /private/etc/sudoers, !/usr/bin/sudo -e /etc/sudoers, !/usr/bin/sudo -e /private/etc/sudoers, !/usr/local/bin/jamf" >> /private/tmp/standard

# Move "standard" file to /etc/sudoers.d

mv /private/tmp/standard /etc/sudoers.d

# Change permissions for "standard" file

chmod 644 /etc/sudoers.d/standard

exit 0;     ## Sucess
exit 1;     ## Failure
Terms & ConditionsCookie settings