remove local admin, but leave the option update existing apps

mikaba
New Contributor

Hey,

I have a script that removes local admins from Mac, without the need to restart the Mac and it works great. I would like to solve the issue of updating existing apps without the need for admin privileges.

For example: if Slack pushes an important update, users need me immediately in order to access Slack.

Any ideas on how I can solve this issue? Adding here the script I use:

#!/bin/sh

# Current members of the local admin group, with the "GroupMembership: " label
# (17 characters) stripped off.
adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)

for user in $adminUsers
do
    # Accounts that must keep admin rights (the management account included).
    if [ "$user" != "root" ] && [ "$user" != "Administrator" ] && [ "$user" != "administrator" ] && [ "$user" != "jss_mgmt" ]
    then
        if dseditgroup -o edit -d "$user" -t user admin
        then
            echo "Removed user $user from admin group"
            # Kill the user's running apps so nothing keeps the old admin
            # group membership cached; this is what avoids the restart.
            pkill -U "$user" -9 -f "/Applications/*"
            pkill -U "$user" -9 -f "/System/Library/*"
            pkill -U "$user" -9 -f "/Library/*"
        else
            echo "Failed to remove $user from admin group" >&2
        fi
    else
        echo "Admin user $user left alone"
    fi
done

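An added example, not the poster's script: the same allowlist-based demotion split into a planning step that can be checked in a dry run before anything calls dseditgroup, and that refuses to run when no allowlisted account would still hold admin. The dscl output line, the user names and the allowlist are constructed.

```shell
#!/bin/sh
# Added example, not the poster's script: plan which admin-group members to
# demote from raw `dscl . -read Groups/admin GroupMembership` output and an
# allowlist, and refuse to act if no allowlisted admin would remain.

# Strip the "GroupMembership:" label by name rather than by column (cut -c 18-),
# so a change in the label's width cannot silently mangle the first user name.
parse_members() {
    printf '%s\n' "$1" | sed 's/^GroupMembership:[[:space:]]*//'
}

# is_allowed USER ALLOWLIST: exit 0 if USER appears in the space-separated list.
is_allowed() {
    for keep in $2; do
        [ "$1" = "$keep" ] && return 0
    done
    return 1
}

# plan_demotions MEMBERSHIP_LINE ALLOWLIST: print users to demote, one per line.
# Exit 1 with no output if no allowlisted account holds admin, since demoting
# everyone else would leave no usable admin on the Mac.
plan_demotions() {
    keepers=0; demote=""
    for user in $(parse_members "$1"); do
        if is_allowed "$user" "$2"; then keepers=$((keepers + 1))
        else demote="$demote $user"
        fi
    done
    [ "$keepers" -gt 0 ] || return 1
    for user in $demote; do printf '%s\n' "$user"; done
}

# demote_users MEMBERSHIP_LINE ALLOWLIST: apply the plan. DRY_RUN=1 (default)
# only logs; DRY_RUN=0 calls dseditgroup, which exists only on macOS.
demote_users() {
    plan=$(plan_demotions "$1" "$2") || { echo "refusing: no allowlisted admin"; return 1; }
    for user in $plan; do
        if [ "${DRY_RUN:-1}" = "1" ]; then echo "would demote $user"
        else dseditgroup -o edit -d "$user" -t user admin && echo "demoted $user"
        fi
    done
}

# Constructed sample record in the shape dscl prints; not taken from a real Mac.
SAMPLE="GroupMembership: root Administrator jss_mgmt alice bob"
ALLOW="root Administrator administrator jss_mgmt"
demote_users "$SAMPLE" "$ALLOW"
```

Run it with DRY_RUN=0 on a Mac to perform the demotions; the process-killing step from the original script can be added to the non-dry-run branch if you still need the change to apply without a restart.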

sdagley
Esteemed Contributor II

@mikaba You've got a few options:

  • Use a 3rd party tool for privilege management that will automatically elevate privileges for installing/updating approved apps. That will involve spending money, and you'll have to research the options available in this space on your own as I don't have any specific recommendations.
  • Don't arbitrarily remove admin rights, but instead use a tool like SAP's Privileges tool which allows users to run as a Standard user and give themselves Admin rights as needed (you can combine it with PrivilegesDemoter to automatically demote the user account if they tend to leave themselves as admins). Both of those tools are Open Source and free for use.
  • Make sure that every application your users will need is available for installation via Self Service, and that you have a process in place (e.g. AutoPkg or Jamf App Catalog) to ensure updates are available for installation as soon as possible.

It's a lot of work and a bit like playing whack-a-mole, but you can automate the updates using AutoPkg and Munki if you don't have access to Jamf App Installers. Then admin rights are not needed for updates, at least.