PrivilegesDemoter v3.0

PrivilegesDemoter version 3 is here, and it’s a big update. While the main functions remain, several new options are available to make deployment and configuration much more flexible. The original posts for previous versions are available here:

PrivilegesDemoter is a script that allows users to self-manage local administrator rights, while reminding them not to operate as an administrator for extended periods of time. Additionally, each elevation and demotion event is recorded and saved to a log file.

PrivilegesDemoter 3 has been written to be customizable for a number of different deployment scenarios. PrivilegesDemoter may be used on its own in standalone mode, or in conjunction with SAP Privileges. It may be configured to notify users with IBM Notifier, Swift Dialog, or Jamf Helper.

The PrivilegesDemoter script runs every 5 minutes to check if the currently logged in user is an administrator. If this user is an admin, it adds a timestamp to a file and calculates how long the user has had admin rights. Once that calculation passes a certain threshold, the user is reminded to operate as a standard user whenever possible.

PrivilegesDemoter now uses just one script and one LaunchDaemon (as opposed to 2 of each in versions 1 and 2).
The script is controlled with a configuration profile ().
There is a JSON Schema available for configuring with Jamf Pro.
You can now exclude multiple administrator accounts from demotion.
The _mbsetupuser and root users are now excluded from demotion by default.
Swift Dialog is now available as a notification agent in addition to IBM Notifier and Jamf Helper.
You may now use a custom name for the IBM Notifier binary (if you have re-branded it for your organization).
The demotion reminder threshold can now be set with a configuration profile separately from the SAP Privileges dock tile timeout.
The main text in the reminder can be customized.
You may now configure the user to be demoted silently without a notification at all.
The demotion script now runs locally by default.
If you would like it to run from Jamf Pro as it did in versions 1 and 2, you may configure it that way.
You may now customize the Jamf trigger if demoting from a Jamf Pro policy.
The script now allows for standalone elevation and demotion actions (without deploying SAP Privileges). Note: This requires an MDM with the ability to run scripts from a Self Service portal (like Jamf Pro).
The script now includes several new options when running locally.

Using the script alone you can elevate, demote, demote silently, print the current user’s status, and calculate how much admin time has passed since the last time PrivilegesDemoter ran.

More information about how to set up, use, and configure all of the above is available in the GitHub Wiki for the PrivilegesDemoter project.

Use the Jamf API to Update a Smart Group with App Versions from AutoPkg

This post will outline a method to get app versions from AutoPkg and apply those version numbers to a single smart group in Jamf Pro.

I was inspired by the Jamf Tech Thoughts post, “Custom Self Service Patch Notifications” by ThomM. In it, Thom discusses using a custom alert that directs users to the “Notifications” section of Self Service where they can apply pending updates. Thom goes into some detail in that post about why this might be needed/preferred vs using the built-in notifications.

My only issue with implementing Thom’s workflow is that when using AutoPkg (and Jamf Upload), updating the smart group that identifies out-of-date apps can become cumbersome rather quickly. So I created a workflow to automate updating that smart group.

To make this work there is a bit of setup involved. This script assumes that you are using AutoPkg with Graham Pugh’s Jamf Upload processors.