script to determine if the current user is a standard user

TheCrusher4Real
New Contributor III

We have an application, Coginiti Pro, that requires a user to have elevated rights before installing on the Mac, or else the install doesn't work correctly.

We use Jamf Pro, and currently I've added some text to the Self-Service installation page telling users they need to elevate their rights before running the install. We use the Privileges app for temporary rights elevation.

I was wondering if I could script this. The current Coginiti Pro install we use is a script rather than a PKG. I'd like to add some code to the script that says "check if the current user is running as a standard user". If so, I'd display a message reminding the user to elevate their rights before proceeding.

Is something like that possible?

 


daniel_behan
Contributor III

Here's the Extension Attribute I use:

 

#!/bin/bash

# Script to detect if a computer has a local admin account on it with a UID above 500

# Initialize array
list=()

# generate user list of users with UID greater than 500
for username in $(dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }'); do

    # Checks to see which usernames are reported as being admins. The
    # check is running dsmemberutil's check membership and listing the
    # accounts that are being reported as admin users. Actual check is
    # for accounts that are NOT not an admin (i.e. not standard users.)
    if [[ $(dsmemberutil checkmembership -U "${username}" -G admin) != *not* ]]; then
        # Any reported accounts are added to the array list
        list+=("${username}")
    fi
done

# Prints the array's list contents as a single space-separated string
echo "<result>${list[*]}</result>"

jamf-42
Valued Contributor II

As Self Service runs as root, why can't it be installed via Self Service?

Matt
Valued Contributor

Remove the <results> and just have it echo the variable. The <results> field is for extension attributes only.

The Coginiti Pro install runs as a script rather than a package. Our original Jamf packager stated this was done because of ongoing rights issues with the installer. 

If a standard user runs the install from Self Service, they end up with a question mark icon for the application in their dock, and the dmg file doesn't get mounted and the application doesn't get installed into the /Applications folder.

Everything works correctly if the user has elevated their rights prior to the install.

 

jamf-42
Valued Contributor II

Looks like it's just a DMG from the vendor. What happens if you use Composer? Just start Composer... modified... start... then bin all the content, make an Applications folder, drag the app from the DMG to the Applications folder and make a pkg from that? Or use Simple Package Creator?

 

daniel_behan
Contributor III

Sorry, I misread the original post.  You'd want something like this:

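#!/bin/bash
# bash rather than sh: the [[ ... ]] pattern match below is a bash feature
# User currently logged in at the console
user=$(/usr/bin/who | /usr/bin/awk '/console/{ print $1 }')
# dsmemberutil answers "user is not a member of the group" for a standard user
adminneeded=$(/usr/bin/dsmemberutil checkmembership -U "$user" -G admin)

#Temporarily Grant Admin Rights to Standard User for App Install
if [[ "$adminneeded" == *not* ]]; then
    /usr/sbin/dseditgroup -o edit -a "$user" -t user admin
    # <<Do Work here>>
    /usr/sbin/dseditgroup -o edit -d "$user" -t user admin
else
    # <<Do Work here>>
    :   # no-op so the branch parses until the work is filled in
fi
exit 0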

Thanks for your explanation, Daniel. Wound up using code like this, based on your initial info:

#!/bin/bash
# bash rather than sh: the script uses [[ ... ]] and arrays
# Get user
user=$(/usr/bin/who | /usr/bin/awk '/console/{ print $1 }')
# check membership
adminneeded=$(/usr/bin/dsmemberutil checkmembership -U "$user" -G admin)

# If user not elevated, display notification.
# If user is elevated, perform the installation.
if [[ "$adminneeded" == *not* ]]; then
    # User NOT elevated; show them the message
    # user is a standard user and needs to be notified to elevate before running the install.
    jh='/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper'
    jh_args=(
        -windowType hud
        -title "TITLE"
        -heading "Elevated user rights required"
        -icon /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/com.apple.pro-display-xdr.icns
        -alignHeading left
        -button1 "OK"
        -defaultButton 1
        -description
    )
    message="Coginiti Pro requires elevated rights to install."
    # display message to user and exit the script
    "$jh" "${jh_args[@]}" "$message"
    exit 1
else
    # run the install
    :   # no-op so the branch parses until the install steps are added
fi
exit 0
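
A stricter take on the membership check and the temporary admin grant discussed in this thread, added here as an example and not code from any of the posters: it trusts only dsmemberutil's two exact answers and revokes the grant from an EXIT trap so a failed install cannot leave the user in the admin group. The function names, the overridable DSMEMBERUTIL and DSEDITGROUP variables and the install_app placeholder are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the thread): fail-closed admin check and elevation
# that always reverts. Tool paths are overridable; that is an assumption of
# this example so the logic can be exercised with stand-ins off a Mac.
DSMEMBERUTIL=${DSMEMBERUTIL:-/usr/bin/dsmemberutil}
DSEDITGROUP=${DSEDITGROUP:-/usr/sbin/dseditgroup}

# Map dsmemberutil's answer to admin / standard / unknown. Only the two exact
# answers are trusted; empty or error output is "unknown", never "admin".
classify_membership() {
    case "$1" in
        "user is a member of the group")     echo admin ;;
        "user is not a member of the group") echo standard ;;
        *)                                   echo unknown ;;
    esac
}

# Print the role of user $1.
user_role() {
    classify_membership "$("$DSMEMBERUTIL" checkmembership -U "$1" -G admin 2>/dev/null)"
}

# with_temp_admin USER CMD [ARGS...]: run CMD, adding USER to admin only if
# needed. Returns CMD's status, or 2 if the role is unknown or the grant fails.
with_temp_admin() {
    wta_user=$1; shift
    case "$(user_role "$wta_user")" in
        admin)    "$@"; return $? ;;   # already admin: leave the group alone
        standard) ;;                   # continue to the temporary grant
        *)        return 2 ;;          # unknown: refuse to touch the group
    esac
    # Revoke from an EXIT trap so an aborted install cannot leave admin behind.
    trap '"$DSEDITGROUP" -o edit -d "$wta_user" -t user admin' EXIT
    trap 'exit 1' INT TERM
    if ! "$DSEDITGROUP" -o edit -a "$wta_user" -t user admin; then
        trap - EXIT INT TERM; return 2
    fi
    wta_status=0
    "$@" || wta_status=$?
    "$DSEDITGROUP" -o edit -d "$wta_user" -t user admin
    trap - EXIT INT TERM
    return "$wta_status"
}
# Usage (install_app is a hypothetical function holding the install steps):
#   with_temp_admin "$user" install_app
```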