macOS devices are best when coupled with an Admin account (I won’t go into the pros and cons in this post), but I will cover how we can efficiently grant and remove Admin rights for a user on a Workspace ONE managed macOS device.

I’ve recently been part of a process where we are deploying macOS devices using Workspace ONE UEM coupled with Apple Business Manager Device Enrolment (i.e. DEP). The DEP profile applied by WSO UEM sets the user as Standard (non-admin), with a hidden Admin user for IT access. This is great, until you have a user who needs Admin rights to install a 3rd party app that is not in the catalog, or to change the timezone (@Apple, please change this!).

The process your organisation has around security is up to you. Let’s say someone has raised a ticket to request admin rights and it has been approved; let’s set up a way to deliver this to the user’s specific macOS device.

We will use a dummy (placeholder) application to deliver post-install and post-uninstall scripts to the device, with an Assignment Group targeting specific devices.

1. Create a Dummy Package

We are going to use a dummy package to deliver post-install and post-uninstall scripts. I use the Packages App (http://s.sudre.free.fr/Software/Packages/about.html) to create these.

  1. Open Packages App. Pick Raw Package and click Next.
  2. Give it a name. I used Admin Elevation.
  3. Go to Build in the menu bar, click Build.
  4. Your package will be in the project directory under build.
  5. Use the VMware Admin Assistant tool to create the plist for uploading to the UEM console.

2. Configure Assignment (Smart) Group

We are going to set up a Smart Group for our Admin right elevation, we will then assign our app to automatically install when this smart group is used.

  1. Head to your Workspace ONE UEM Console.
  2. Click Groups & Settings > Groups > Assignment Groups
  3. Click Add Smart Group
  4. Give it a name, and select Type: Select Devices or Users, and click OK on the notice.
  5. Select your device. I usually use the last 4 characters of the serial number to pick the specific device, or you can add the user to target all of their devices.
  6. Click Save. Done!

3. Upload & Assign Application

Now we have the package, and the smart group, we can upload the application into the UEM Console.

  1. Head to Apps & Books > Native > Internal (selected by Default)
  2. Click Add Application
  3. Upload the .pkg we created in part 1, then upload the plist created by the VMware Admin Assistant tool.
  4. Set the Post-Install Script as shown below.
  5. Set the Post-Uninstall Script as shown below.
  6. (Optional) Give it an Icon.
  7. Click Save & Assign
  8. Click Add Assignment
  9. Pick the Admin Elevation Smart Group created in Step 2. For this process, we’re using Auto but you can select On-Demand if you want an extra admin action.
  10. Click Add, then Save & Publish.

Post-Install Script:

#!/bin/bash

# The owner of /dev/console is the user currently logged in at the GUI.
loggedInUser=$(/usr/bin/stat -f%Su /dev/console)

# At the login window or during Setup Assistant the console is owned by root
# or _mbsetupuser; exit without changing anything rather than elevating them.
if [ "$loggedInUser" == "root" ] || [ "$loggedInUser" == "_mbsetupuser" ]; then
  exit 0
fi

# adds the logged-in user to the admin group (post-install)
dseditgroup -o edit -a "$loggedInUser" -t user admin

Post-Uninstall Script:

#!/bin/bash

# Same console-user lookup; note this acts on whoever is logged in at
# uninstall time, so it assumes the same user is still at the device.
loggedInUser=$(/usr/bin/stat -f%Su /dev/console)

if [ "$loggedInUser" == "root" ] || [ "$loggedInUser" == "_mbsetupuser" ]; then
  exit 0
fi

# removes the logged-in user from the admin group (post-uninstall)
dseditgroup -o edit -d "$loggedInUser" -t user admin

Now, we have the below process:

  1. User requests admin rights using ticketing/calling/begging.
  2. The Workspace ONE UEM Admin goes into the Smart Group and adds the user or the specific device.
  3. If the macOS device is online, it will receive the application install command and run the post-install script.
  4. When admin rights need to be removed, remove the user from the Smart Group. The app will uninstall and the post-uninstall script will run.

Steps 2 and 4 can be automated via the UEM API (post to follow on this!)

Testing

To make sure this has worked, the below commands are very useful.

Show the Managed Software Update log

tail -n 20 -F /Library/Application\ Support/AirWatch/Data/Munki/Managed\ Installs/Logs/ManagedSoftwareUpdate.log

This will show you the install status of an application and any scripts.

Mar 07 2019 09:46:57 +0000 Install of Downgrade Admin-1.0.pkg was successful.
Mar 07 2019 09:46:57 +0000     Running postinstall_script for Downgrade Admin
Mar 07 2019 09:46:57 +0000 Running postinstall_script for Downgrade Admin was successful.

Show the Groups on a user account using id

Before (Standard):

matthewsa$ id
uid=504(matthewsa) gid=20(staff) groups=20(staff),501(awagent),12(everyone),61(localaccounts),502(awagent_enrolled),701(com.apple.sharepoint.group.1),100(_lpoperator),702(com.apple.sharepoint.group.2)

After (Admin):

matthewsa$ id
uid=504(matthewsa) gid=20(staff) groups=20(staff),501(awagent),12(everyone),61(localaccounts),80(admin),502(awagent_enrolled),701(com.apple.sharepoint.group.1),33(_appstore),98(_lpadmin),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh),702(com.apple.sharepoint.group.2)
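As an added example (not from the original post), the script below turns the two manual checks above into functions you can run in a terminal or use as a verification step: one inspects an `id` line for the admin group, the other reads the ManagedSoftwareUpdate.log for the postinstall_script result. The sample `id` and log lines are constructed to match the shape shown above, and the wording of Munki’s failure line is an assumption.

```bash
#!/bin/bash
# Added example, not code from the original post: offline checks for the two
# artefacts the Testing section reads by eye, the output of `id` and the Munki
# ManagedSoftwareUpdate.log. Sample inputs below are constructed.

# Return 0 if an `id`-style line lists the admin group (gid 80), meaning the
# post-install dseditgroup call took effect; 1 otherwise.
is_admin_from_id() {
  printf '%s\n' "$1" | grep -Eq '(groups=|gid=|,)80\(admin\)(,| |$)'
}

# Print the outcome of the most recent postinstall_script run for package $2
# in the log text $1: "success", "failure", or "none" if it never ran.
# (The exact wording of Munki's failure line is assumed here.)
postinstall_status() {
  printf '%s\n' "$1" | awk -v pkg="$2" '
    index($0, "Running postinstall_script for " pkg " was successful") { s = "success" }
    index($0, "Running postinstall_script for " pkg " failed")         { s = "failure" }
    END { print (s == "" ? "none" : s) }'
}

# Constructed samples in the same shape as the post's Before/After output.
ID_BEFORE='uid=504(matthewsa) gid=20(staff) groups=20(staff),501(awagent),12(everyone),61(localaccounts)'
ID_AFTER='uid=504(matthewsa) gid=20(staff) groups=20(staff),501(awagent),12(everyone),61(localaccounts),80(admin),98(_lpadmin)'
SAMPLE_LOG='Mar 07 2019 09:46:57 +0000 Install of Admin Elevation-1.0.pkg was successful.
Mar 07 2019 09:46:57 +0000     Running postinstall_script for Admin Elevation
Mar 07 2019 09:46:57 +0000 Running postinstall_script for Admin Elevation was successful.'

# On a real Mac, check the console user live instead of the sample line.
if [ "$(uname)" = "Darwin" ]; then
  consoleUser=$(/usr/bin/stat -f%Su /dev/console)
  if is_admin_from_id "$(id "$consoleUser")"; then
    echo "$consoleUser: admin"
  else
    echo "$consoleUser: standard"
  fi
fi

is_admin_from_id "$ID_BEFORE" && echo "before: admin" || echo "before: standard"
is_admin_from_id "$ID_AFTER"  && echo "after: admin"  || echo "after: standard"
echo "postinstall for Admin Elevation: $(postinstall_status "$SAMPLE_LOG" "Admin Elevation")"
```

On the device itself, feed `postinstall_status` the real log with `"$(cat "/Library/Application Support/AirWatch/Data/Munki/Managed Installs/Logs/ManagedSoftwareUpdate.log")"` and the display name of your package.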

Caveats and Thanks

As of the current WSO UEM release, end users will see this application in their App Catalog. In this process, they won’t be able to remove this app manually unless they go to the Self Service Portal.

Many, many thanks to Adam Sippl @ Apple for the commands to elevate and remove admin rights.
