Execute a Jamf Pro policy trigger (Parameter 6)

[dan-snelson]

Happy Monday, @robjschroeder!

While testing 1.0.4 today, I noticed there doesn't seem to be anything preventing the currently logged-in user from creating additional administrators.

When the timer expires, the currently logged-in user is correctly removed from being a local admin, but the additional administrators remain.

Parameter 6 allows the Jamf Pro Admin to specify a custom trigger to run after recon (which I purposely placed in that order so inventory would be updated and the bad actor would be exposed).

(I have not tested what bad things will happen in the Jamf Pro Admin leaves Parameter 6 blank / specifies an un-scoped trigger.)

[ayotec2015]

Hey, I just noticed parameter 6,

This was what I added in place of parameter 6.

launchLaunchDaemon failsafe in case a user creates another administrator user

This checks every 2hrs if a user is an admin it demotes all accounts except admin user

This works with Jamf as it triggers checkadmin event policy the policy demotes all admin users except specified user.

Set up the LaunchDaemon

tee /Library/LaunchDaemons/com.elevate.admin.plist << EOF <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

Label com.elevate.admin ProgramArguments /usr/local/bin/jamf policy -event checkAdmin StartInterval 7200

EOF

chmod 644 /Library/LaunchDaemons/com.elevate.admin.plist chown root:wheel /Library/LaunchDaemons/com.elevate.admin.plist

/bin/launchctl load /Library/LaunchDaemons/com.elevate.admin.plist

Not the most pretty script I added lol