Privilege Elevation Settings

Jamf Connect Documentation

  • Domain: com.jamf.connect
  • Dictionary: TemporaryUserPermissions
  • Description

    Used to configure the Privilege Elevation feature in Self Service+.

Setting

Description

Temporary User Promotion

TemporaryUserPromotion

(Required) Enables the option for users to request elevated privileges in Self Service+.

<key>TemporaryUserPromotion</key>
<true/>

User Promotion Timer

UserPromotionTimer

Displays a timer in the user's menu bar next to the Self Service+ menu bar icon during privilege elevation.

<key>UserPromotionTimer</key>
<true/>

User Promotion Duration

UserPromotionDuration

Determines the duration of the privilege elevation, in minutes. The default is 5 minutes. For more information, see Auditing Privilege Elevation with Logs.

Note:

A duration of 0 disables this feature for a defined group of users. The User Promotion Role (UserPromotionRole) setting overrides the value of this setting.

<key>UserPromotionDuration</key>
<integer>10</integer>

Verify User Promotion

VerifyUserPromotion

Requires users to authenticate with their identity provider before a promotion can occur.

<key>VerifyUserPromotion</key>
<true/>

Note:

The Verify User Promotion (VerifyUserPromotion) setting cannot be used with a configuration profile that has Google as the identity provider.

Verify User Promotion via FIDO2

VerifyUserPromotionFIDO2

Requires users to authenticate with their identity provider through a browser. This setting supports WebAuthn authenticators, including passkeys and FIDO2 keys, and takes priority over the Verify User Promotion setting. The setting is currently supported with the following identity providers:
  • Microsoft Entra ID

  • Okta Identity Engine

  • Okta OpenID Connect (OIDC)

  • PingFederate

Note:

Requiring WebAuthn authentication for privilege elevation may require changes to your identity provider's authentication policies.

After enabling the setting, the Jamf Connect OIDC application located in your identity provider configuration must use the following Redirect URI to prevent any errors: jamfconnect://loggedin

<key>VerifyUserPromotionFIDO2</key>
<true/>

User Promotion Limit

UserPromotionLimit

Specifies a limit for how many times a user can request elevated privileges every calendar month.

<key>UserPromotionLimit</key>
<integer>5</integer>

User Promotion Reason

UserPromotionReason

Requires users to provide a reason for the temporary elevation request. All elevation reasons are logged locally in the Self Service+ logs.

Note:

The text entry field for users is limited to 200 characters.

<key>UserPromotionReason</key>
<true/>

User Promotion Choices

UserPromotionChoices

Specifies reasons for a temporary elevation request that a user can pick from.

<key>UserPromotionChoices</key>
<array>
<string>Download software</string>
<string>Update software</string>
</array>

User Promotion Role

UserPromotionRole

Restricts who can use the feature and modify additional settings by user or role name for configurations with the following identity providers:

  • Microsoft Entra ID

  • Okta Identity Engine

  • PingFederate

Note:

To configure privilege elevation settings by role, you must select Verify User Promotion. The values entered in the User Promotion Role (UserPromotionRole) field must exactly match the values in the ID token's roles claim. You must also enter the Admin Attribute (OIDCAdminAttribute).

Jamf Connect configurations with Okta Identity Engine set as the identity provider require the Scopes (Scopes) setting in your configuration profile for group-based privilege elevation.

A duration of 0 will make the feature unavailable to a defined group of users.

<key>UserPromotionRole</key>
<array>
<dict>
<key>Duration</key>
<integer>20</integer>
<key>Name</key>
<string>Teachers</string>
</dict>
</array>
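The precedence described above (UserPromotionDuration as the default, a matching UserPromotionRole entry overriding it, a Duration of 0 making elevation unavailable, and role names matched exactly against the ID token attribute named by OIDCAdminAttribute) can be made concrete as a small resolver. This is an added illustration, not Jamf's code; the page does not say how several matching role entries are resolved, so this model assumes the most restrictive one wins, that a role entry without a Duration inherits the default, and that a user matching no entry of a configured UserPromotionRole array gets no elevation:

```python
"""Resolve the effective privilege elevation duration for a user.

Added example (not Jamf Connect code) of the precedence described in the
settings table: UserPromotionDuration is the default, a matching entry in
UserPromotionRole overrides it, and a Duration of 0 makes elevation
unavailable to that group. Assumptions not stated on the page: with several
matching roles the most restrictive wins, a role without a Duration inherits
the default, and no match against a configured role list means no elevation.
"""
from typing import Optional

DEFAULT_DURATION = 5  # minutes; the documented default for UserPromotionDuration

# Constructed sample of the TemporaryUserPermissions dictionary (values are examples)
SAMPLE_SETTINGS = {
    "TemporaryUserPromotion": True,
    "UserPromotionDuration": 10,
    "UserPromotionRole": [
        {"Name": "Teachers", "Duration": 20},
        {"Name": "Contractors", "Duration": 0},
    ],
}


def claim_values(id_token_claims: dict, attribute: str) -> set:
    """Return the values of the configured admin attribute as a set of strings.

    Identity providers send roles/groups claims either as a list or as a
    single string, so both shapes are normalised here.
    """
    value = id_token_claims.get(attribute)
    if value is None:
        return set()
    if isinstance(value, str):
        return {value}
    return {str(v) for v in value}


def effective_duration(settings: dict, id_token_claims: dict,
                       admin_attribute: str = "groups") -> Optional[int]:
    """Return the elevation duration in minutes, or None if elevation is unavailable."""
    if not settings.get("TemporaryUserPromotion", False):
        return None  # feature not enabled at all
    default = int(settings.get("UserPromotionDuration", DEFAULT_DURATION))
    roles = settings.get("UserPromotionRole")
    if not roles:
        # No role restriction: the default applies to everyone; 0 disables it
        return default if default > 0 else None
    user_values = claim_values(id_token_claims, admin_attribute)
    # Names must match the token claim exactly (case-sensitive), as the docs state
    matched = [int(r.get("Duration", default))
               for r in roles if r.get("Name") in user_values]
    if not matched:
        return None  # assumption: UserPromotionRole restricts the feature to listed roles
    duration = min(matched)  # assumption: most restrictive matching role wins
    return duration if duration > 0 else None
```

Run with a decoded ID token's claims and the value of OIDCAdminAttribute ("roles" for Entra ID, per the note further down); a `None` result means Self Service+ should not offer elevation to that user.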

User Promotion Biometrics

UserPromotionBiometrics

Requires users to authenticate with Touch ID before a temporary elevation session.

Note:

The Verify User Promotion (VerifyUserPromotion) setting takes priority over this setting, and the two cannot be used together. If Verify User Promotion is enabled, users skip biometric authentication.

<key>UserPromotionBiometrics</key>
<true/>

URL Scheme and Command Line Elevation

URLCommandLineElevation

Restricts users from using the privilege elevation feature through the command-line interface or URL schemes.

<key>URLCommandLineElevation</key>
<true/>

Admin Attribute

OIDCAdminAttribute

Specifies which attribute to use within the User Promotion Role (UserPromotionRole) setting. By default, Self Service+ uses the groups attribute to find any values specified in the Admin Roles (OIDCAdmin) setting.

Note:

If using Microsoft Entra ID, set this value to roles. If using Google Identity, user roles cannot be defined using an ID token.

When configuring the Admin Attribute (OIDCAdminAttribute) setting manually, add the setting to the IdPSettings dictionary rather than the TemporaryUserPermissions dictionary.

<key>OIDCAdminAttribute</key>
<string>groups</string>