16 VOTE
Categories Security
Created by Scott Erickson
Created on Jan 8, 2024

macOS support for Privilege Manager

Privilege Manager support would be fantastic for macOS, as there are large gaps with Intune and credential management on macOS. Even just basic support for elevation on demand would be a great first step.

Product Privilege Manager
  • Guest
    Nov 15, 2024

    I don't know if this helps much. However, while they look into that, I use this in JAMF to help elevate temporary admin rights. I used to manage all of our Mac fleet in Intune, so I know this script would need to change a bit for that, but hopefully this will help.

    In JAMF there is a section for integer specifications, but it should work if you just change $4 to something like 1800 for 30 minutes. Give it a test (highlighted in yellow).

    Note: this originally came from rocketman.tech before his site changed.


    #!/bin/bash

    ###############################################
    # This script will provide temporary admin    #
    # rights to a standard user right from self   #
    # service. First it will grab the username of #
    # the logged in user, elevate them to admin   #
    # and then create a launch daemon that will   #
    # count down from 30 minutes and then create  #
    # and run a secondary script that will demote #
    # the user back to a standard account. The    #
    # launch daemon will continue to count down   #
    # no matter how often the user logs out or    #
    # restarts their computer.                    #
    ###############################################

    # Jamf passes the elevation window (in seconds) as script parameter $4.
    # Outside Jamf, fall back to 1800 seconds (30 minutes).
    elevationSeconds="${4:-1800}"

    #############################################
    # find the logged in user and let them know #
    #############################################
    currentUser=$(who | awk '/console/{print $1}')
    echo "$currentUser"

    # osascript -e 'display dialog "You now have administrative rights for 30 minutes. DO NOT ABUSE THIS PRIVILEGE..." buttons {"Make me an admin, please"} default button 1'

    #########################################################
    # write a daemon that will let you remove the privilege #
    # with another script and chmod/chown to make           #
    # sure it'll run, then load the daemon                  #
    #########################################################
    plist=/Library/LaunchDaemons/removeAdmin.plist

    # Create the plist
    sudo defaults write "$plist" Label -string "removeAdmin"

    # Add program argument to have it run the demotion script
    sudo defaults write "$plist" ProgramArguments -array -string /bin/sh -string "/Library/Application Support/JAMF/removeAdminRights.sh"
    sudo defaults write "$plist" StartInterval -integer "$elevationSeconds"

    # Set run at load
    sudo defaults write "$plist" RunAtLoad -boolean yes

    # Set ownership (launchd refuses daemons that are not root-owned and mode 644)
    sudo chown root:wheel "$plist"
    sudo chmod 644 "$plist"

    # Load the daemon
    sudo launchctl load "$plist"
    sleep 10

    #########################
    # make file for removal #
    #########################
    # Overwrite rather than append: a second run must not leave two names in
    # the file, which would hand dseditgroup a two-word username at demotion time.
    mkdir -p /private/var/userToRemove
    echo "$currentUser" > /private/var/userToRemove/user

    ##################################
    # give the user admin privileges #
    ##################################
    /usr/sbin/dseditgroup -o edit -a "$currentUser" -t user admin

    ########################################
    # write a script for the launch daemon #
    # to run to demote the user back and   #
    # then pull logs of what the user did. #
    ########################################
    cat << 'EOF' > "/Library/Application Support/JAMF/removeAdminRights.sh"
    #!/bin/sh
    if [ -f /private/var/userToRemove/user ]; then
        userToRemove=$(cat /private/var/userToRemove/user)
        echo "Removing $userToRemove's admin privileges"
        /usr/sbin/dseditgroup -o edit -d "$userToRemove" -t user admin
        rm -f /private/var/userToRemove/user
        # Collect the audit log and delete the plist BEFORE unloading the job:
        # unloading terminates this script, so nothing after it would run.
        log collect --last 30m --output "/private/var/userToRemove/$userToRemove.logarchive"
        rm -f /Library/LaunchDaemons/removeAdmin.plist
        # Unload by label, since the plist file is already gone.
        launchctl remove removeAdmin
    fi
    EOF
    chmod 755 "/Library/Application Support/JAMF/removeAdminRights.sh"

    exit 0
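Added example, not the poster's script and not Jamf or Delinea code: bash helpers for hardening the same timed-elevation flow. They validate the username and the interval before either reaches dseditgroup or launchd, render the LaunchDaemon plist as proper XML instead of a series of `defaults write` calls, and provide an audit check that compares the admin group (parsed from the one-line format printed by `dscl . -read /Groups/admin GroupMembership`) against a known baseline after the timer expires, which is how a defender confirms the demotion actually happened. The helper names, the 14400-second policy cap and the dscl output used in the demo are constructed assumptions.

```shell
#!/bin/bash
# Added example (hypothetical helpers; not from the original post or from Jamf).

# safe_token: accept only a conventional macOS short name or launchd label
# (letters, digits, '.', '_', '-'). Anything else, e.g. a value from `who`
# containing spaces or ';', is rejected instead of being interpolated.
safe_token() {
  case "$1" in
    '' | *[!A-Za-z0-9._-]* ) return 1 ;;
    * ) return 0 ;;
  esac
}

# validate_interval: positive integer seconds between 1 minute and 4 hours
# (assumed policy cap) so a mistyped parameter cannot grant near-permanent admin.
validate_interval() {
  case "$1" in
    '' | *[!0-9]* ) return 1 ;;
  esac
  [ "$1" -ge 60 ] && [ "$1" -le 14400 ]
}

# render_plist LABEL SCRIPT INTERVAL: print a LaunchDaemon definition.
# RunAtLoad plus StartInterval mirrors the posted flow; the demotion script
# is expected to remove the job after its first real run.
render_plist() {
  label=$1; script=$2; interval=$3
  safe_token "$label" || return 1
  validate_interval "$interval" || return 1
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>$label</string>
  <key>ProgramArguments</key>
  <array><string>/bin/sh</string><string>$script</string></array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>$interval</integer>
</dict>
</plist>
EOF
}

# admin_members: turn one "GroupMembership: a b c" line into one name per line.
admin_members() {
  printf '%s\n' "$1" | sed -n 's/^GroupMembership: *//p' | tr ' ' '\n' | sed '/^$/d'
}

# unexpected_admins BASELINE CURRENT: names present in CURRENT but not in
# BASELINE, space separated. Run it after the timer: a non-empty result means
# the demotion did not happen and the host needs a look.
unexpected_admins() {
  baseline=$1; current=$2
  result=""
  for name in $(admin_members "$current"); do
    found=0
    for known in $(admin_members "$baseline"); do
      [ "$name" = "$known" ] && found=1
    done
    [ "$found" -eq 0 ] && result="$result $name"
  done
  printf '%s' "${result# }"
}

# Demo on constructed dscl output (not captured from a real machine).
demo() {
  baseline='GroupMembership: root itadmin'
  after_timer='GroupMembership: root itadmin jsmith'
  safe_token "jsmith" && echo "jsmith: valid short name"
  safe_token 'jsmith; id' || echo "rejected a name containing shell metacharacters"
  render_plist removeAdmin "/Library/Application Support/JAMF/removeAdminRights.sh" 1800 | grep StartInterval
  echo "still elevated after timer: $(unexpected_admins "$baseline" "$after_timer")"
}
demo
```

The audit function is the part worth scheduling on its own: run `dscl . -read /Groups/admin GroupMembership` periodically, feed the line to `unexpected_admins` with the fleet baseline, and alert on any non-empty output, which catches both a demotion script that never ran and an admin membership added outside this workflow.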

  • Admin
    Juha Haapsaari
    Jan 18, 2024

    Agreed that elevated permission management in macOS is difficult and Privilege Manager could help with that. We will monitor the need for this feature, and if more votes come in, we can start planning to add it to the product roadmap.
