Elevate Standard User to Admin using Config Profile

Alvaro1337
New Contributor II

Hello,

We have been working on upgrading Sonoma, but we have encountered an issue. We are unable to assign volume ownership to the local users. As a workaround, we are considering making them local admins through silent actions. We are wondering if it is possible to elevate standard users to admin accounts using configuration profiles?

Thanks!

Alvaro Ortiz
1 ACCEPTED SOLUTION

AJPinto
Honored Contributor II

Volume Ownership comes with Secure Tokens. The simplest way to handle that is to give the user a FileVault token, which comes with a Secure Token and in turn Volume Ownership. Apple has all this documented miserably. 

The Apple way of doing things (aside from making everyone admins): allow the user to enable FileVault with a Configuration Profile to force it at login or log out. When they enter their credentials to enable FileVault, all the tokens will be granted without any interaction from IT.

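A way to confirm the outcome described in the accepted solution, that the user ended up with a Secure Token and Volume Ownership, without making them an admin. This is an added example, not code from any poster in this thread; the function names are hypothetical and the sample text is constructed on the assumption that it matches the output format of `sysadminctl -secureTokenStatus` and `diskutil apfs listUsers /`.

```shell
#!/bin/bash
# Added example: report Secure Token and Volume Owner state for one user.

# Succeeds if the sysadminctl status text in $1 reports the token as ENABLED.
has_secure_token() {
	printf '%s\n' "$1" | grep -q 'Secure token is ENABLED'
}

# Succeeds if the entry for UUID $1 in the listUsers text $2 is a volume owner.
is_volume_owner() {
	printf '%s\n' "$2" | awk -v uuid="$1" '
		/^[+]-- /                              { current = $2 }
		/Volume Owner: Yes/ && current == uuid { found = 1 }
		END                                    { exit (found ? 0 : 1) }'
}

# $1 = user name, $2 = GeneratedUID, $3 = sysadminctl text, $4 = listUsers text
report() {
	token=no; owner=no
	if has_secure_token "$3"; then token=yes; fi
	if is_volume_owner "$2" "$4"; then owner=yes; fi
	echo "$1: secure_token=$token volume_owner=$owner"
}

# Constructed sample output (assumed format), used when not running on macOS.
SAMPLE_UUID='11111111-2222-3333-4444-555555555555'
SAMPLE_TOKEN='2024-01-01 09:00:00.000 sysadminctl[500:1000] Secure token is ENABLED for user alice'
SAMPLE_USERS="Cryptographic users for disk3s1 (2 found)
|
+-- $SAMPLE_UUID
|   Type: Local Open Directory User
|   Volume Owner: Yes
|
+-- EBC6C064-0000-11AA-AA11-00306543ECAC
    Type: Personal Recovery User
    Volume Owner: No"

if command -v sysadminctl >/dev/null 2>&1; then
	# On a Mac, as root: query the console user (sysadminctl writes to stderr).
	user="$(stat -f%Su /dev/console)"
	uuid="$(dscl . -read "/Users/$user" GeneratedUID | awk '{print $2}')"
	report "$user" "$uuid" "$(sysadminctl -secureTokenStatus "$user" 2>&1)" \
		"$(diskutil apfs listUsers /)"
else
	report alice "$SAMPLE_UUID" "$SAMPLE_TOKEN" "$SAMPLE_USERS"
fi
```

A user who shows `secure_token=yes volume_owner=yes` after enabling FileVault does not need to be promoted to admin to get volume ownership.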

3 REPLIES 3

MatthewGC
New Contributor III

You could, but I would recommend just creating the scripts to do what you need to do. All scripts run as root unless you say otherwise. You or the user can then trigger the script to update the machine. They don’t need admin to do it this way. 

karthikeyan_mac
Valued Contributor

@Alvaro1337 You can use a script to promote the user to admin.

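#!/bin/bash

# Get the user logged in at the console (empty at the login window)
loggedInUser="$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )"

# Stop if nobody is logged in, so an empty name is never appended to the group
if [ -z "$loggedInUser" ]; then
	echo "No console user logged in"
	exit 1
fi

# dseditgroup prints "yes ..." when the user is already a member of admin
if [ "$(dseditgroup -o checkmember -m "$loggedInUser" admin | awk '{print $1}')" = "yes" ]; then
	echo "${loggedInUser} is admin"
else
	echo "Not an admin, so adding to admin group"
	dscl . -append /groups/admin GroupMembership "$loggedInUser"
fi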

 

Thanks
