[Evin Hexnode 23 March 2022 Evin Moderator]

Hi @itzel,

Thanks for reaching out to us.

Yes, you can give admin privileges to a standard user by executing a custom script from the Hexnode portal. Here’s a script that will grant the standard user admin privileges for 30 minutes. Please make sure that the user’s device has an active internet connection.

Script to give admin privilege to standard user for 30 minutes

#!/bin/bash osascript -e 'display dialog "You have now been granted administrator rights for 30 minutes. Please do not misuse this privilege." buttons {"Make me an admin"} default button 1' #Create the plist sudo defaults write /Library/LaunchDaemons/removeAdmin.plist Label -string "removeAdmin" #Add program argument to have it run the update script sudo defaults write /Library/LaunchDaemons/removeAdmin.plist ProgramArguments -array -string /bin/sh -string "/Library/Application Support/HexnodeMDM/removeAdminRights.sh" #Set the run inverval to run every 7 days sudo defaults write /Library/LaunchDaemons/removeAdmin.plist StartInterval -integer 1800 #Set run at load sudo defaults write /Library/LaunchDaemons/removeAdmin.plist RunAtLoad -boolean yes #Set ownership sudo chown root:wheel /Library/LaunchDaemons/removeAdmin.plist sudo chmod 644 /Library/LaunchDaemons/removeAdmin.plist #Load the daemon launchctl load /Library/LaunchDaemons/removeAdmin.plist sleep 10 if [ ! -d /private/var/userToRemove ]; then mkdir /private/var/userToRemove echo $currentUser >> /private/var/userToRemove/user else echo $currentUser >> /private/var/userToRemove/user fi /usr/sbin/dseditgroup -o edit -a $currentUser -t user admin cat << 'EOF' > /Library/Application\ Support/HexnodeMDM/removeAdminRights.sh if [[ -f /private/var/userToRemove/user ]]; then userToRemove=$(cat /private/var/userToRemove/user) echo "Removing admin privileges of $userToRemove" /usr/sbin/dseditgroup -o edit -d $userToRemove -t user admin rm -f /private/var/userToRemove/user launchctl unload /Library/LaunchDaemons/removeAdmin.plist rm /Library/LaunchDaemons/removeAdmin.plist log collect --last 30m --output /private/var/userToRemove/$userToRemove.logarchive fi EOF exit 0

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46

#!/bin/bash osascript -e 'display dialog "You have now been granted administrator rights for 30 minutes. Please do not misuse this privilege." buttons {"Make me an admin"} default button 1'   #Create the plist sudo defaults write /Library/LaunchDaemons/removeAdmin.plist Label -string "removeAdmin"   #Add program argument to have it run the update script sudo defaults write /Library/LaunchDaemons/removeAdmin.plist ProgramArguments -array -string /bin/sh -string "/Library/Application Support/HexnodeMDM/removeAdminRights.sh"   #Set the run inverval to run every 7 days sudo defaults write /Library/LaunchDaemons/removeAdmin.plist StartInterval -integer 1800   #Set run at load sudo defaults write /Library/LaunchDaemons/removeAdmin.plist RunAtLoad -boolean yes   #Set ownership sudo chown root:wheel /Library/LaunchDaemons/removeAdmin.plist sudo chmod 644 /Library/LaunchDaemons/removeAdmin.plist   #Load the daemon   launchctl load /Library/LaunchDaemons/removeAdmin.plist   sleep 10   if [ ! -d /private/var/userToRemove ]; then mkdir /private/var/userToRemove echo $currentUser >> /private/var/userToRemove/user else echo $currentUser >> /private/var/userToRemove/user fi   /usr/sbin/dseditgroup -o edit -a $currentUser -t user admin   cat << 'EOF' > /Library/Application\ Support/HexnodeMDM/removeAdminRights.sh if [[ -f /private/var/userToRemove/user ]]; then userToRemove=$(cat /private/var/userToRemove/user) echo "Removing admin privileges of $userToRemove" /usr/sbin/dseditgroup -o edit -d $userToRemove -t user admin rm -f /private/var/userToRemove/user launchctl unload /Library/LaunchDaemons/removeAdmin.plist rm /Library/LaunchDaemons/removeAdmin.plist log collect --last 30m --output /private/var/userToRemove/$userToRemove.logarchive fi EOF   exit 0

Replace ‘$currentUser’ and ‘$userToRemove’ with the employee’s user name.

After executing the script, a prompt “You have now been granted administrator rights for 30 minutes. Please do not misuse this privilege.” will display on the end user’s device. Click on Make me an admin to get the job done.

The user can now install AutoCAD by himself.

Disclaimer:

Please note that the script is obtained from third-party open-source sites. Hence, it is recommended to validate the script execution on a system manually. And, Hexnode will not be responsible for any damage/loss to the system due to the script’s behavior.

Hope this helps. Do reach out if you have any further queries.

Cheers
Evin Lee
Hexnode UEM

[Matthew Participant 5 April 2022 Matthew Participant]

This works as advertised and while a good solution people should also look at a possible vulnerability with this.

If the elevated user removes or alters the “removeAdminRights.sh” script in that 30 minutes they could become permanent admins.   You should monitor for that to be sure the user is….  un-elevated?  Depressed?  Reduced?

This is also an issue with another well known macos mdm which I won’t name, but you can probably guess.  They obviously use the same method.

 

 

[Ryker Participant 5 April 2022 Ryker Participant]

Though the script permits admin privileges only for 30 minutes, the associated user can work with any functionality or settings an administrator is capable of. Running a script that enforces adaptability to the existing users also delegates them the power to create yet another administrator account they may use hereafter, let alone remove the script file from the specified location.

While extending the privileges of a standard user, these things are inevitable. (Sounds ironic! Not granting them extended privileges while granting them extended privileges) We have had similar experiences since the user is free is to do anything even when we prompt them not to misuse the privileges. However, a user attaining sole authority over a managed device is not always practical as long as the MDM profile is installed. Such possibilities are still closed for a DEP enrolled Mac because the device gets re-enrolled as it turns on even after an unapproved device wipe.