Elevate macOS Privileges for Users via Jamf Pro Policy

Jamf Connect Documentation

You can use a Jamf Pro policy to remotely elevate or remove a user's privileges on their computer by running commands. This involves creating a Jamf Pro policy that runs the jamfconnect acc-promo --elevate or jamfconnect acc-promo --demote command when triggered.
Note:

The use of Jamf Pro policies does not override or skip any configured settings for privilege elevation, including Verify User Promotion (VerifyUserPromotion). Administrators can choose to hide the privilege elevation feature from users with the User Privileges (userprivileges) setting in the HiddenMenuItems section of your Self Service+ configuration profile, but this does not restrict users from engaging with the feature. The user can still access the command line to elevate their permissions, so the commands below are an example of how to use them in a policy or as part of a script run via a policy.

These policies only support the promotion and demotion of accounts via Self Service+. They do not affect any user whose account was promoted or demoted by an application other than Self Service+.

Requirements
  • A Self Service+ configuration profile with privilege elevation and the URL Scheme and Command Line (URLCommandLineElevation) setting enabled

  • The privilege elevation commands added to your Jamf Pro scripts

  1. In Jamf Pro, click Computers in the sidebar.
  2. Click Policies in the sidebar.
  3. Click New.
  4. Use the General payload to configure basic settings for the policy, including the trigger and execution frequency.
  5. Click Files and Processes.
    1. Add the following command to the Execute Command field for promotions:
       sudo -u $( /usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ( $2 != "loginwindow" ) { print $2 }}' ) /usr/local/bin/jamfconnect acc-promo --elevate
    2. Add the following command to the Execute Command field for demotions:
       sudo -u $( /usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ( $2 != "loginwindow" ) { print $2 }}' ) /usr/local/bin/jamfconnect acc-promo --demote
  6. Use the rest of the payloads to configure the tasks you want to perform.
  7. Click the Scope tab and configure the scope of the policy.
  8. Click Save.

Jamf Pro can now remotely elevate Self Service+ users with the privilege elevation feature by initiating any supported policy with pre-determined or custom triggers.
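Added example, not part of Jamf's documentation: the Execute Command above rewritten as a policy script that resolves the console user the same way, skips the call when nobody is logged in at the desktop, and takes the action (elevate or demote) from script parameter 4 so one script can back both policies. The scutil output samples are constructed; the scutil and jamfconnect paths are the ones this page uses.

```shell
#!/bin/sh
# Added example, not Jamf's own script: the page's Execute Command wrapped in a
# policy script that skips the call when nobody is at the desktop.
# Assumes Jamf Pro script parameter 4 is "elevate" or "demote".

# Constructed sample of `scutil <<< "show State:/Users/ConsoleUser"` output.
SAMPLE_SCUTIL_OUTPUT='<dictionary> {
  GID : 20
  Name : jappleseed
  UID : 501
}'
# Same shape while the Mac sits at the login window (constructed).
SAMPLE_LOGINWINDOW_OUTPUT='<dictionary> {
  GID : 0
  Name : loginwindow
  UID : 0
}'
# Print the console user's short name; print nothing when no one is logged in.
console_user_from_scutil() {
    printf '%s\n' "$1" |
        awk -F': ' '/^[ \t]*Name[ \t]*:/ { if ($2 != "loginwindow") print $2 }'
}

# Run `jamfconnect acc-promo --<action>` as the console user.
# Returns 2 on a bad action, 1 with no console user, else jamfconnect's status.
acc_promo() {
    action="$1"
    case "$action" in
        elevate|demote) ;;
        *) echo "usage: acc_promo elevate|demote" >&2; return 2 ;;
    esac
    scutil_out=$(printf 'show State:/Users/ConsoleUser\n' | /usr/sbin/scutil 2>/dev/null) ||
        scutil_out=""
    user=$(console_user_from_scutil "$scutil_out")
    if [ -z "$user" ]; then
        echo "no console user logged in; skipping acc-promo --$action" >&2
        return 1
    fi
    /usr/bin/sudo -u "$user" /usr/local/bin/jamfconnect acc-promo "--$action"
}

# Show the parser on the constructed samples (the second call prints nothing).
console_user_from_scutil "$SAMPLE_SCUTIL_OUTPUT"
console_user_from_scutil "$SAMPLE_LOGINWINDOW_OUTPUT"
# Run for real only on a Mac with Jamf Connect installed; Jamf Pro passes
# policy script parameters starting at $4.
if [ "$(uname)" = Darwin ] && [ -x /usr/local/bin/jamfconnect ]; then
    acc_promo "${4:-elevate}"
fi
```

Upload the script to Jamf Pro, reference it from the policy's Scripts payload with parameter 4 set to elevate or demote, and keep the Execute Command field empty.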