Catalina compatible Jamf Self Service policy to grant users temporary admin rights

If your organization mandates that users run as standard users, one way of allowing them to install software and perform operations where admin privileges are necessary, is to let them grant themselves temporary privileges.

There are a few solutions out there already. With the introduction of macOS Catalina, Apple announced they were deprecating Python and moving from Bash to Zsh – meaning one should probably replace solutions that use Python and update those that have not been tested to work with Zsh.

Here is a simple Catalina compatible solution for Jamf Self Service, that does not pass admin credentials in the script (obfuscated or otherwise).

The Zsh scripts are based on code given to me at MacSysAdmin in Gothenburg last year by Zsh wizard Armin Briegel (much appreciated). I have added a timer to make it suitable if you need admin rights for more than 15 minutes, and written an Extension Attribute for Jamf, so that it only runs on clients that have activated it.

Setting up the Jamf Self Service policy

The setup consists of one Extension Attribute and two scripts – and their corresponding policies, detailed below.

  1. In Jamf, under Settings-Computer Management-Extension Attributes, add the TemporaryAdminRightsActivated Extension Attribute. Set these options: Data Type: String, Inventory Display: Extension Attributes and Input Type: Script. Copy the linked code above from GitHub into the text field.
  2. Create a Smart Computer Group called “Temporary Admin Rights Activated” where the Criteria is TemporaryAdminRightsActivated is Yes.
  3. Create a Self Service Policy called “Grant TempAdmin,” running the promoteUser.sh script (again, copy the linked code from GitHub). Execution Frequency should be Ongoing, and Make the policy Available in Self Service under the Self Service tab. Set the Self Service Display Name and button names as appropriate, these will be visible to the user. You should also add a Self Service notification that informs the user that rights have been granted, and for how long.
  4. Create a Policy called “Remove TempAdmin.” Use the linked demoteUser.sh script. Under Scope, add the Smart Computer Group you created in step 2. Set it to run on Recurring Check-in (which should be every 15 minutes, if not, change it). Execution Frequency should be Ongoing.

If your organization uses FileVault, uncomment the check for that in the demoteUser.sh script. Adjust the privilegeMinutes variable in the demoteUser.sh script to indicate how many minutes you want the user to have temporary admin rights for. 15 minutes should be sufficient for simple installations, 45 minutes or more might be needed for larger installations or tinkering. For developers and sysadmins, consider letting them run as admins all the time, or use the Privileges.app, which would let them toggle.