- Jamf Nation Community
- Products
- Jamf Pro
- Cyber Essentials script to create a temporary sepa...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Cyber Essentials script to create a temporary separate admin account
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2 weeks ago
Looking for some help with a script issue please.
I've written a script based on Charle Edge's https://github.com/jamf/MakeMeAnAdmin to use in a Cyber Essentials Mac build. Whilst the original script temporarily elevated the users privileges I want to create a temporary separate admin account.
Everything works well apart from the final stage (lines 50-65, labelled "# Write a script for the launch daemon to run to delete the temporary admin account if it exists, delete the launch daemon then provide feedback to user.") to cleanup the admin account. This part of the script does work when run manually so I'm thinking it's an issue with permissions and/or ownership.
Any advice would be appreciated. Thanks
#!/bin/bash
###############################################
# "I need admin".
# John Moore, April 2024.
# Based on "MakeMeAnAdmin.sh" by Charles Edge, see https://github.com/jamf/MakeMeAnAdmin.
# This Jamf Self Service script will provide the user with access to a separate admin account for 30 minutes. After 30 minutes the admin account is deleted.
###############################################
# Get the current details
currentUser=$(who | awk '/console/{print $1}')
currentDate=$(date +"%Y-%m-%d")
currentTime=$(date +"%H:%M:%S")
# Define the temp admin account variables
adminUser="tempadmin"
adminPassword=$(openssl rand -base64 9)
# Log details of use of the temp admin account in Jamf policy history
echo "$currentUser has been provided with the following temporary admin credentials on $currentDate at $currentTime - $adminUser:$adminPassword"
# Write a daemon that will let you remove the temp admin account with another script and chmod/chown to make sure it'll run, then load the daemon.
# Create the plist
sudo defaults write /Library/LaunchDaemons/removeTempAdmin.plist Label -string "removeTempAdmin"
# Add program argument to have it run the update script
sudo defaults write /Library/LaunchDaemons/removeTempAdmin.plist ProgramArguments -array -string /bin/sh -string "/Library/Application Support/JAMF/removeTempAdmin.sh"
# Set the run inverval to run every 7 days
sudo defaults write /Library/LaunchDaemons/removeTempAdmin.plist StartInterval -integer 1800
# Set run at load
sudo defaults write /Library/LaunchDaemons/removeTempAdmin.plist RunAtLoad -boolean yes
# Set ownership
sudo chown root:wheel /Library/LaunchDaemons/removeTempAdmin.plist
sudo chmod 644 /Library/LaunchDaemons/removeTempAdmin.plist
# Load the daemon
launchctl bootstrap system /Library/LaunchDaemons/removeTempAdmin.plist
sleep 10
# Write a script for the launch daemon to run to delete the temporary admin account if it exists, delete the launch daemon then provide feedback to user.
cat << 'EOF' > /Library/Application\ Support/JAMF/removeTempAdmin.sh
if id tempadmin &>/dev/null; then
# Delete the temp admin user
sudo sysadminctl -deleteUser tempadmin
# Stop the launch daemon
sudo launchctl bootout system /Library/LaunchDaemons/removeTempAdmin.plist
# Delete the launch daemon
sudo rm /Library/LaunchDaemons/removeTempAdmin.plist
# Provide feedback to user
sudo osascript -e "display dialog \"You administrative rights have ended.\" with title \"Temporary Admin Account\" buttons {\"OK\"} default button \"OK\""
fi
EOF
sudo chown root:wheel /Library/Application\ Support/JAMF/removeTempAdmin.sh
sudo chmod a+x /Library/Application\ Support/JAMF/removeTempAdmin.sh
# Create the temporary admin account.
if id "$adminUser" &>/dev/null; then
# Delete the temporary admin account if account already exists then re-create
sudo sysadminctl -deleteUser "$adminUser"
sudo sysadminctl -addUser "$adminUser" -password "$adminPassword" -admin
else
# Create the temporary admin account
sudo sysadminctl -addUser "$adminUser" -password "$adminPassword" -admin
fi
# Display message to display the temp admin account credentials and a button to copy the password to clipboard.
osascript <<EOF
set dialogText to "You now have administrative rights for 30 minutes using the following credentials:" & return & return & "Username is: $adminUser" & return & "Password is: $adminPassword" & return & return & "DO NOT ABUSE THIS PRIVILEGE..."
set copiedText to "$adminPassword"
set theDialog to display dialog dialogText with title "Temporary Admin Account" buttons {"Copy Password to Clipboard and Close Window"} default button "Copy Password to Clipboard and Close Window" with icon POSIX file "/usr/local/JamfConnectAssets/CardiffUniversity.png"
if button returned of theDialog is "Copy Password to Clipboard and Close Window" then
set the clipboard to copiedText
end if
EOF
exit 0
Labels:
- Labels:
-
Scripting
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2 weeks ago
#CharlesEdgeRIP
--
https://donmontalvo.com
https://donmontalvo.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
a week ago
Hi,
the line
if id tempadmin &>/dev/null; is going to return false and will never enter the then part of the removal script.
you can check this by simplydoing a short test on your system with:
if [ id NameofExistingUser &>/dev/null ]; then
echo "true"
else
echo "false"
fiwhich just reminds one of the fact that one should always check there if statement outputs when possible
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
a week ago
If the admin account you are creating inherits a Secure Token, you cannot use Jamf to delete it. To delete a Secure Token holding account, you need an account with a Secure Token. Jamf runs everything as root, which does not have a Secure token and in turn cannot modify a Secure Token holding account.
Though, I would question the security of creating a local admin account from CLI as the username and password can be intercepted simply enough by a malicious actor.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
a week ago
Thanks both.
@AJPinto - The command "sysadminctl -secureTokenStatus tempadmin" returns "Secure token is DISABLED for user tempadmin".
@Ismere - I updated the IF statement in the removal script but it didn't seem to have any effect. Instead, for troubleshooting, I removed the IF statement.
The removal script is now:
# Create a removal script using tee in a HERE document
tee /Library/Scripts/removeTempAdmin.sh << EOS
# Delete the temp admin user
#sudo sysadminctl -deleteUser tempadmin
#sudo dscl . -delete /Users/tempadmin
sudo jamf deleteAccount -username tempadmin -deleteHomeDirectory
# Provide feedback to user
sudo osascript -e "display dialog \"You administrative rights have ended.\" with title \"Temporary Admin Account\" buttons {\"OK\"} default button \"OK\""
# Bootout the launch daemon
sudo launchctl bootout system /Library/LaunchDaemons/removeTempAdmin.plist
# Delete the daemon
sudo rm /Library/LaunchDaemons/removeTempAdmin.plist
EOSThe three account deletion commands fail in the script yet all work manually via CLI. Bootout now works but the daemon isn't deleted. If delete the daemon first that will work but then bootout fails.
