Configuring macOS Privilege Elevation in Self Service+

Jamf Connect Documentation

You can configure privilege elevation settings in the Jamf Connect Configuration app to enable temporary user permissions in Self Service+. These settings include limits on the duration and number of elevations, the verification type, and which roles can access elevated permissions. For a full list of settings, see Privilege Elevation Settings.
Requirements
  • Access to the Jamf Connect Configuration app
  • An existing Jamf Connect configuration profile

  • User roles configured in a supported identity provider if you plan to configure elevation settings by role. For information about which identity providers (IdPs) are supported, see Jamf Connect Identity Provider Integrations.

  1. In the Jamf Connect Configuration app, click the Connect tab and navigate to the Temporary User Permissions section.
  2. Select Temporary user promotion.
  3. (Optional) To restrict privilege elevation to the Self Service+ interface only, select URL Scheme and Command Line Elevation.
  4. (Optional) To display a visual countdown timer in the user's menu during temporary elevation, enable the User Promotion Timer setting.
  5. To configure the duration (in minutes) of a user session and the number of elevations allowed per month, enter numbers in the User Promotion Duration and User Promotion Limit fields, respectively.
    Note:

    Users who adjust their system time or date to circumvent the limits set by the User Promotion Limit (UserPromotionLimit) setting receive a time tampering flag in logs and will be unable to use the temporary elevation feature. To remove this flag, run the following command: sudo defaults delete com.jamf.connect.state TimeTamperingDetected.

    If you configure role-based verification, the duration applied to the role will override the duration set in User Promotion Duration.

  6. (Optional) To configure privilege elevation settings by group, or to require authentication prior to privilege elevation, complete the following steps:
    1. Select Verify User Promotion or Verify User Promotion FIDO2, depending on your authorization method.
    2. Click the + button.
    3. In the Role field, enter the group name exactly as it appears in your IdP, then enter a time limit in the Duration field.
    4. In Admin Attribute, enter the attribute, as defined in your IdP settings, that determines the role.
    Note:

    If you add roles in the Jamf Connect Configuration app but do not configure roles in your IdP or set the Admin Attribute, privilege elevation will fail. To require verification without configuring different elevation settings by role, do not specify a value for UserPromotionRole.

    To make privilege elevation unavailable to a group of users, set the Admin Attribute, enter the User Promotion Role, and set the Duration field to 0.

  7. In User Promotion Choices, enter a list of reasons for privilege elevation as comma-delimited values.
  8. Click Save at the top of the Jamf Connect Configuration app.

Privilege elevation settings are saved in the configuration profile and can be deployed to users' devices.

View an example configuration with privilege elevation settings enabled below:

<dict>
    <key>TemporaryUserPermissions</key>
    <!-- Enables the feature for user promotion in Self Service+ -->
    <dict>
        <key>TemporaryUserPromotion</key>
        <true/>
        <!-- Displays a countdown timer to the user in Self Service+ -->
        <key>UserPromotionTimer</key>
        <true/>
        <!-- Duration in minutes for the user to be promoted -->
        <key>UserPromotionDuration</key>
        <integer>5</integer>
        <!-- Requires the user to authenticate to the identity provider before account privilege elevation is granted -->
        <key>VerifyUserPromotion</key>
        <true/>
        <!-- Requires the user to be a member of a specific group. Each role requires a separate duration -->
        <key>UserPromotionRole</key>
        <array>
            <dict>
                <!-- Duration is time in minutes, given as a whole-number integer -->
                <key>Duration</key>
                <integer>8</integer>
                <!-- Name is case sensitive and must match the role value exactly as emitted in the ID token's roles claim -->
                <key>Name</key>
                <string>IT Help Desk Staff</string>
                <!-- The attribute of the identity token containing the group value -->
                <key>OIDCAdminAttribute</key>
                <string>roles</string>
                <!-- Your IdP -->
                <key>Provider</key>
                <string>EntraID</string>
            </dict>
            <dict>
                <key>Duration</key>
                <integer>30</integer>
                <key>Name</key>
                <string>Xcode Developer Staff</string>
                <key>OIDCAdminAttribute</key>
                <string>roles</string>
                <key>Provider</key>
                <string>EntraID</string>
            </dict>
        </array>
        <!-- Enforces a maximum number of times that a user can request rights in one calendar month -->
        <key>UserPromotionLimit</key>
        <integer>10</integer>
        <!-- Requires the user to provide a reason for promotion, which will be recorded in system logs -->
        <key>UserPromotionReason</key>
        <true/>
        <!-- A list of default reasons for promotion. An "other" field is provided automatically with a 200-character maximum input limit -->
        <key>UserPromotionChoices</key>
        <array>
            <string>Hardware driver install</string>
            <string>Xcode software development</string>
            <string>General use</string>
        </array>
    </dict>
</dict>
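The following Python is an added example, not Jamf's code: it loads a trimmed, constructed copy of a profile like the one above with plistlib, checks each role entry for the omissions the notes above say make elevation fail, and resolves the effective duration from a user's ID token claims (a role duration overrides UserPromotionDuration, Duration 0 blocks the group, and the name match is case-sensitive). How a user who belongs to none of the configured roles is treated is an assumption, since the page does not state it.

```python
import plistlib

# Constructed sample profile fragment (the page's example, trimmed); not a real deployed profile.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>TemporaryUserPermissions</key><dict>
  <key>TemporaryUserPromotion</key><true/>
  <key>UserPromotionDuration</key><integer>5</integer>
  <key>UserPromotionLimit</key><integer>10</integer>
  <key>VerifyUserPromotion</key><true/>
  <key>UserPromotionRole</key><array>
    <dict><key>Name</key><string>IT Help Desk Staff</string><key>Duration</key><integer>8</integer>
          <key>OIDCAdminAttribute</key><string>roles</string><key>Provider</key><string>EntraID</string></dict>
    <dict><key>Name</key><string>Contractors</string><key>Duration</key><integer>0</integer>
          <key>OIDCAdminAttribute</key><string>roles</string><key>Provider</key><string>EntraID</string></dict>
  </array>
</dict></dict></plist>"""

ROLE_KEYS = ("Name", "Duration", "OIDCAdminAttribute", "Provider")

def load_permissions(data: bytes) -> dict:
    """Parse a profile payload and return its TemporaryUserPermissions dict."""
    return plistlib.loads(data)["TemporaryUserPermissions"]

def validate(tup: dict) -> list:
    """Return human-readable problems; an empty list means the section is consistent."""
    problems = []
    if tup.get("TemporaryUserPromotion") is not True:
        problems.append("TemporaryUserPromotion is not enabled")
    for role in tup.get("UserPromotionRole", []):
        missing = [k for k in ROLE_KEYS if k not in role]
        if missing:  # a role without its IdP attribute makes elevation fail outright
            problems.append(f"role {role.get('Name', '?')!r} missing {', '.join(missing)}")
        elif not isinstance(role["Duration"], int) or role["Duration"] < 0:
            problems.append(f"role {role['Name']!r}: Duration must be a whole number of minutes")
    return problems

def elevation_duration(tup: dict, id_token_claims: dict):
    """Minutes of elevation this user gets, or None when elevation is unavailable."""
    roles = tup.get("UserPromotionRole", [])
    if not roles:                      # no role config: the global duration applies
        return tup["UserPromotionDuration"]
    for role in roles:
        claim = id_token_claims.get(role["OIDCAdminAttribute"])
        if claim is None:              # attribute absent from the ID token: elevation fails
            return None
        if role["Name"] in ([claim] if isinstance(claim, str) else claim):  # case-sensitive, exact
            return role["Duration"] or None   # Duration 0 means the group is blocked
    return None  # assumption: a user in none of the configured roles is not eligible
```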