jamf / MakeMeAnAdmin

Provides temporary admin access for a standard user via Jamf Self Service

Script Doesn't Remove the LaunchDaemon? #11

Open dstranathan opened 2 years ago

dstranathan commented 2 years ago

I have noticed that this script doesn't

- The script doesn't remove the 'removeAdmin.plist' LaunchDaemon properly. If you look in /Library/LaunchDaemons after it runs, the plist is NOT removed - even though the script is written to remove it. It gets UNLOADED fine - but not removed.

- The script doesn't remove itself (removal script that gets generated in /Library/Application Support/JAMF). So I have a step to delete it if it already exists prior to continuing. This is to prevent an older, outdated version from running (or there are conflicts with an existing file, etc.).

jlevitsk commented 2 years ago

This line causes removeAdmin.sh to terminate, and the actions after it, which include the log collection and the removal of the LaunchDaemon, don't happen. Just move this line to be 2 lines lower than it is so the removal happens, and add a line to remove the removeAdmin.sh file too. That's what I found anyway.

launchctl unload /Library/LaunchDaemons/removeAdmin.plist

jcejka11 commented 2 years ago

On 12.x, putting this after the rm -rf /Library/LaunchDaemons/removeAdmin.plist will prevent the LaunchDaemon from unloading. File or folder not found error.

cstout-jamf commented 1 year ago

Replacing the end of the MakeMeAnAdmin script (the part that creates the local removal script) with what is below has helped ensure logs are properly created and the files used for the privilege changes are removed when the script finishes, including the script itself:


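if [[ -f /private/var/userToRemove/user ]]; then
    # Read the account name recorded when admin rights were granted
    userToRemove=$(cat /private/var/userToRemove/user)
    echo "Removing $userToRemove's admin privileges"
    # Quote the name so it reaches dseditgroup as a single argument
    /usr/sbin/dseditgroup -o edit -d "$userToRemove" -t user admin
    rm -f /private/var/userToRemove/user
    rm /Library/LaunchDaemons/removeAdmin.plist
    log collect --last 10m --output "/private/var/userToRemove/$userToRemove.logarchive"
    # Delete this removal script itself
    rm -- "$0"
    # Unload is the last step: unloading terminates this script (see earlier in the thread)
    launchctl unload /Library/LaunchDaemons/removeAdmin.plist
fi
EOF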
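
A post-run check for the leftovers reported in this thread, added here as an example and not part of the MakeMeAnAdmin project or of any comment above: it reports the plist, the generated removal script and the marker file if any of them survive the admin window. The function name and the ROOT prefix argument are assumptions of this example, and removeAdmin.sh is the script name as written in the thread.

```shell
# Added example, not part of the MakeMeAnAdmin project.
# audit_leftovers [ROOT]: report artifacts the removal script should have deleted.
# ROOT is an optional path prefix (mounted volume or test tree); empty = live system.
# Prints one line per finding and returns the number of findings.
audit_leftovers() {
    au_root="${1:-}"
    au_n=0
    au_plist="$au_root/Library/LaunchDaemons/removeAdmin.plist"
    # Assumption: script name as written in the thread; adjust to your deployment.
    au_script="$au_root/Library/Application Support/JAMF/removeAdmin.sh"
    au_marker="$au_root/private/var/userToRemove/user"

    if [ -e "$au_plist" ]; then
        echo "leftover LaunchDaemon plist: $au_plist"
        au_n=$((au_n + 1))
        # launchd runs this plist as root, so group/other write access is its own finding.
        if [ -n "$(find "$au_plist" \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
            echo "plist is group/other writable: $au_plist"
            au_n=$((au_n + 1))
        fi
    fi

    if [ -e "$au_script" ]; then
        echo "leftover removal script: $au_script"
        au_n=$((au_n + 1))
    fi

    if [ -f "$au_marker" ]; then
        # The marker is deleted only when the removal ran, so the user may still be admin.
        au_user=$(head -n 1 "$au_marker")
        echo "leftover marker file: $au_marker"
        au_n=$((au_n + 1))
        case "$au_user" in
            ''|*[!A-Za-z0-9._-]*)
                echo "marker does not hold a plain account name"
                au_n=$((au_n + 1)) ;;
            *)
                # Membership can only be checked on the live system (macOS).
                if [ -z "$au_root" ] && command -v dseditgroup >/dev/null 2>&1 &&
                   dseditgroup -o checkmember -m "$au_user" admin >/dev/null 2>&1; then
                    echo "$au_user is still in the admin group"
                    au_n=$((au_n + 1))
                fi ;;
        esac
    fi
    return "$au_n"
}
```

Call `audit_leftovers` with no argument, as root, after the admin window has expired; a non-zero exit status is the number of findings.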