Different companies have different guidelines for whether they want their end-users to have standard or administrator accounts. It can be tempting to just give your users admin rights to lower support desk request volume, though you do run a higher risk of users authenticating malware or improperly modifying their workstations. If you keep your users as standard, you'll need to regularly handle requests from them to authenticate settings changes, app installs, and updates. This can also generate some perceived friction with them, feeling reliant on your support desk and making some of their work tasks burdensome.
One possible solution to this quandary is to allow your users to self-remediate - keep them as standard users, but allow them a way to temporarily promote themselves. The lowest-tech solution to this would be helping them create local admin accounts that they don't log into, but whose credentials they can use to authenticate admin requests. Next would be giving them the ability to temporarily promote themselves to administrator status for a brief period of time. One common tool for this is Rich Trouton's Privileges, a phenomenal little app that can handle these kinds of requests, and even log the requests to a server.
So, with such a great tool like that available, why did I decide to put something together myself? I had the following checklist of things wants:
I'd like to embed the script into our MDM's self-service app, to encourage our users to engage with it in the future
I'd like the script to be interactive - where a user can restore their account to standard when they're done, or passively allow it to time out
The tool should be resilient enough to recover itself should the user try to circumvent the restoration of standard account status
I'd like to have a record of admin promotion requests, so we have a paper trail for auditing purposes
The user opens MacManage (Addigy's self-service application), locates the script, and launches it
The user confirms a popup verifying they'd like to promote themselves temporarily
The user is prompted to submit a reason for the promotion
The user's request is packaged as a support ticket and sent to the support desk for review and archiving. Note if the ticket fails to send, the workflow halts, asking them to reach out to the support desk by phone
If the ticket is sent successfully, the user is temporarily promoted and shown a popup with a timer, letting them know they'll be restored to a standard user in 10 minutes. They can also click a button when they're done
When 10 minutes elapse, or the user dismisses the popup, they're restored to a standard account
One quick note - the version of the script hosted by Addigy does not include the logic to generate a support ticket. Some teams don't like the extra notifications, so it makes sense - when originally authoring this, I figured the ticket workflow made sense, as the MacManage library will not load unless the computer's online, so may as well take advantage of it.
Note: These prompts aren't included in the above script if you copy it directly from Addigy's kbase article.
Addigy includes some tools to allow administrators to leverage MacManage to create popup notification windows (not via Notification Center) with interactive buttons. I start by using these to get user consent to proceed with the promotion.
Next, an AppleScript popup is used to capture the user's reason for admin access to submit it as a support ticket. There's a lot that goes into this type of prompt - I'll go into those details in another post.
The script then sanitizes the request, including a failsafe for the user not typing anything, a maximum character limit, and a filter to remove illegal characters that could interfere with the ticket creation script.
We now create a support ticket using Addigy's go-agent binary. The user's sanitized response is loaded into a ticketDescription variable and some useful identifying info is harvested from the device to fill out the submitted ticket.
The ticket attempts to upload - since users can't trigger this tool while offline, we decided it was worthwhile to require the ticket to upload before proceeding. This section contains the necessary bailout to make sure that we halt if the ticket can't upload for any reason.
Once the ticket is successfully generated, the user is finally promoted to admin. As soon as this is done, we also touch a hidden flag file to mark this user account as temporarily promoted.
While testing, I had to figure out how to ensure users wouldn't abuse this tool and use it to permanently promote their accounts. At worst, I had to be prepared for users to force a shutdown on their computer via an SMC reset - the script needed to be able to recover from that and return them to their original status elegantly.
So, immediately as the user promotion occurs, the script authors two files to be used to ensure the user will be returned to standard status.
First, we make a shellscript that we can use to return the user to normal. This script includes all our cleanup tasks: user demotion, cleanup of the flag file, and then deleting itself along with the launchAgent in the next step. The file is created and given broad permissions for execution:
Next, a LaunchAgent is created to leverage the above demotion script. This will launch and persist immediately upon a user logging in, ensuring that even if a user tries to force their computer off while promoted, they'll be returned to normal the next time they log in.
The user is presented a popup so they can restore their account to standard when they're done. If they don't proactively dismiss the window, it will time out after 10 minutes (you can change the timer in the script). Either way, once the user's account is restored to normal status, the LaunchAgent is unloaded and deleted along with the demotion .sh file and the flag file.
That's our full workflow. This script has allowed our team to work with our clients on finding a middle ground where their users can benefit from the added security of running as standard accounts while still having the flexibility of gaining administrative access on demand. We always ask our clients to update their employee acceptable use policies to indicate that users are responsible for the actions they take while promoting themselves.
The benefits of this script have been wonderful. The support desk only gets involved if a ticket appears with a justification like "Apple Support called me on the phone and asked me for my credit card number and to install LogMeIn". They can also use the archived tickets for forensic purposes when troubleshooting future issues. Users get introduced to MacManage, a repository for great single-click software installers that they can use without needing admin credentials and other self-remediation resources. This builds their self-efficacy as users of technology, lowers the friction they'd feel if they had to reach out to us every time they needed to change their time zone or install an app, and respects them as responsible stewards of their equipment.