give admin privilege to standard user

expand collapsive

Hey, we need to install Auto Cad on one of our employees’ devices. have instructed the employee to install the app himself. However, admin privileges are required for him to install the app. Can anything be done here to grant the privilege to standard users and remove it after some time?

All Replies

  • Hexnode

    Evin Lee

    Moderator

    Hi @itzel,

    Thanks for reaching out to us.

    Yes, you can give admin privileges to a standard user by executing a custom script from the Hexnode portal. Here’s a script that will grant the standard user admin privileges for 30 minutes. Please make sure that the user’s device has an active internet connection.

    Replace ‘$currentUser’ and ‘$userToRemove’ with the employee’s user name.

    After executing the script, a prompt “You have now been granted administrator rights for 30 minutes. Please do not misuse this privilege.” will display on the end user’s device. Click on Make me an admin to get the job done.

    The user can now install AutoCAD by himself.

    Disclaimer:

    Please note that the script is obtained from third-party open-source sites. Hence, it is recommended to validate the script execution on a system manually. And, Hexnode will not be responsible for any damage/loss to the system due to the script’s behavior.

    Hope this helps. Do reach out if you have any further queries.

    Cheers
    Evin Lee
    Hexnode UEM

    Solution
  • Participant

    Matthew

    Participant

    This works as advertised and while a good solution people should also look at a possible vulnerability with this.

    If the elevated user removes or alters the “removeAdminRights.sh” script in that 30 minutes they could become permanent admins.   You should monitor for that to be sure the user is….  un-elevated?  Depressed?  Reduced?

    This is also an issue with another well known macos mdm which I won’t name, but you can probably guess.  They obviously use the same method.

     

     

  • Participant

    Ryker

    Participant

    Though the script permits admin privileges only for 30 minutes, the associated user can work with any functionality or settings an administrator is capable of. Running a script that enforces adaptability to the existing users also delegates them the power to create yet another administrator account they may use hereafter, let alone remove the script file from the specified location.

    While extending the privileges of a standard user, these things are inevitable. (Sounds ironic! Not granting them extended privileges while granting them extended privileges) We have had similar experiences since the user is free is to do anything even when we prompt them not to misuse the privileges. However, a user attaining sole authority over a managed device is not always practical as long as the MDM profile is installed. Such possibilities are still closed for a DEP enrolled Mac because the device gets re-enrolled as it turns on even after an unapproved device wipe.