Temporary Admin

Victor Deon edited this page Oct 9, 2025 · 1 revision

The Temporary Admin tool grants users temporary administrative rights. Designed to enhance security and automate privilege elevation, this tool is integrated with Self Service policies, allowing users to self-manage administrative access for a limited time while logging access and maintaining security controls.

Quick Start

In this example setup, we will set up Temporary Admin on request by assigning users to a Static Group. When a user runs the tool from Self Service, they will be prompted for the reason they need admin access and then granted admin rights for 5 minutes. When the session completes, the tool removes the user from the group so the policy can only be run once. To set up this workflow you will need:

  • Configuration Profile
  • API Role and Client
  • Static Group
  • Policy

Example Static Group

Create a static group with the name Temporary Admin Privileges (or whatever name you like). You will need to define this value in the removeGroup key, and scope the Policy to this group.

Example Configuration Profile

Below is a basic managed plist that can be deployed through a Configuration Profile to the following domain: tech.rocketman.tempadmin

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>action</key>
    <string>promote</string>
    <key>timeMin</key>
    <integer>5</integer>
    <key>askReason</key>
    <string>Please state your reason for needing admin rights.</string>
    <key>removeGroup</key>
    <string>Temporary Admin Privileges</string>
    <key>clientId</key>
    <string>ENC:...</string>
    <key>clientSecret</key>
    <string>ENC:...</string>
  </dict>
</plist>

Example API Role and Client

Create an API Client with a Role that has the following permissions:

  • Update Static Computer Groups
  • Read Static Computer Groups
  • Create Computers

Example Policy

Create a Self Service Policy scoped to the Static Group you created. When setting up the Launch a Tool Script in Jamf Pro, use the following script parameters:

Jamf Pro Script Parameters

  • Parameter 4 (Global Options and Tool Name): TemporaryAdmin
  • Parameter 5 (Tool-Specific Option): --removeGroup YourJamfStaticGroup
  • Parameter 6 (Tool-Specific Option): --clientId ENC:...
  • Parameter 7 (Tool-Specific Option): --clientSecret ENC:...

Command Options

Required Parameters

No parameters are strictly required. However, configuring --action promote or --action demote is recommended for clarity.

Optional Parameters

--timeMin [int]

Specifies the duration of admin rights in minutes.

  • Type: integer
  • Default: 5 minutes
  • Example:
    --timeMin 30

--askReason [string]

Prompts the user with a custom question to justify their need for admin rights. The reason is logged for auditing purposes.

  • Type: string
  • Default: "Please briefly state why admin rights are needed: "
  • Example:
    --askReason "Please state your reason for needing admin rights."

--action [promote|demote]

Defines the action for the tool, either to promote to admin or demote to revoke admin rights.

  • Type: string
  • Choices: promote, demote
  • Default: promote
  • Example:
    --action demote

--removeGroup [string]

Specifies the name of a static group from which the user will be removed after receiving admin rights, restricting future access.

  • Type: string
  • Example:
    --removeGroup "Temporary Admin Privileges"

--clientId [string]

Specifies the Client ID for Jamf API authentication. Required when --removeGroup is used, because the tool must authenticate to the Jamf API to modify the group. It is recommended to encrypt these credentials using RCC's Encrypt tool.

  • Type: string
  • Required: Yes, if using --removeGroup
  • Permissions: Create a New API Role with the following permissions:
    • Update Static Computer Groups
    • Read Static Computer Groups
    • Create Computers
  • Example:
    --clientId "..." OR --clientId "ENC:..."

--clientSecret [string]

Specifies the Client Secret for Jamf API authentication. Required when --removeGroup is used, because the tool must authenticate to the Jamf API to modify the group. It is recommended to encrypt these credentials using RCC's Encrypt tool.

  • Type: string
  • Required: Yes, if using --removeGroup
  • Permissions: Create a New API Role with the following permissions:
    • Update Static Computer Groups
    • Read Static Computer Groups
    • Create Computers
  • Example:
    --clientSecret "..." OR --clientSecret "ENC:..."

--domain [string]

Specifies the domain for setting options in local or managed plists.

  • Type: string
  • Default: tech.rocketman.tempadmin
  • Example:
    --domain "tech.rocketman.customdomain"

--logo [path]

Path to a logo file for use in dialog boxes, useful for branding.

  • Type: string
  • Example:
    --logo /path/to/logo.png

--width [string] and --height [string]

Sets the width and height of dialog boxes for customized user prompts.

  • Type: string
  • Default: None
  • Example:
    --width 800 \
    --height 400

--simulate

Enables preview mode, allowing users to view potential changes without applying them, which is useful for testing.

  • Type: boolean flag
  • Example:
    --simulate

Optional Upload Log Parameters

--uploadDestination [sharepoint | s3 | gcs]

Defines the upload destination for logs collected during the admin session.

  • Type: string
  • Choices: sharepoint, s3, gcs
  • Default: s3
  • Example:
    --uploadDestination gcs

--uploadCredentialsPlistPath [string]

Path to the plist file with specific data and credentials for each type of upload destination.

  • Type: string
  • Choices:
    • gcs (clientEmail, privateKey, bucketName)
    • s3 (clientId, clientSecret, bucketName, region)
    • sharepoint (clientId, clientSecret, bucketName, sharepointSiteUrl)
  • Default: None
  • Example:
    --uploadCredentialsPlistPath /path/to/my/credentials-gcp.plist

--uploadFilePaths [list of strings]

Absolute paths of log files to include in the upload bundle.

  • Type: array
  • Required: Yes, when --uploadJamfLogGrabber is not set
  • Default: "/var/log/jamf.log"
  • Example:
    --uploadDestination s3 --uploadFilePaths /var/log/jamf.log /var/log/install.log

--uploadFileName [string]

Filename for the ZIP archive containing the logs.

  • Type: string
  • Default: upload-files
  • Example:
    --uploadFileName admin-session-logs

--uploadMaxFileSize [int]

Maximum allowed size (MB) per file in the upload bundle.

  • Type: integer
  • Default: 50
  • Example:
    --uploadMaxFileSize 100

--uploadJamfLogGrabber

Runs the Jamf log grabber script to automatically collect the important Jamf files into the ZIP archive.

  • Type: bool
  • Required: No, defaults to false
  • Example:
    --uploadJamfLogGrabber

Advanced Usage Example

Below is an advanced managed plist that can be deployed through a Configuration Profile to the following domain: tech.rocketman.tempadmin

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>action</key>
    <string>promote</string>
    <key>timeMin</key>
    <integer>5</integer>
    <key>askReason</key>
    <string>Please state your reason for needing admin rights.</string>
    <key>removeGroup</key>
    <string>Temporary Admin Privileges</string>

    <!-- Jamf API credentials for group modifications -->
    <key>clientId</key>
    <string>...</string>
    <key>clientSecret</key>
    <string>ENC:...</string>

    <!-- Upload Jamf Logs integration -->
    <key>uploadDestination</key>
    <string>gcs</string>            <!-- one of "sharepoint", "s3", or "gcs" -->
    <key>uploadCredentialsPlistPath</key>
    <string>/path/to/my/credentials-gcp.plist</string>
    <key>uploadFilePaths</key>
    <array>
      <string>/var/log/jamf.log</string>
      <string>/var/log/rocketman.log</string>
    </array>
    <key>uploadFileName</key>
    <string>admin-session-logs</string>
    <key>uploadMaxFileSize</key>
    <integer>50</integer>           <!-- max MB per file -->
    <key>uploadJamfLogGrabber</key>
    <false />
  </dict>
</plist>

Important Notes

  • Jamf API Credentials: --clientId and --clientSecret are required when using --removeGroup.
  • Files useful for debugging:
    • cat /Library/Preferences/tech.rocketman.tempadmin.plist
    • cat /Library/LaunchDaemons/tech.rocketman.tempadmin.plist
    • cat /var/log/tempadmin_error.log
    • cat /var/log/tempadmin.log
    • cat /var/log/rcc.log
    • launchctl list | grep tech.rocketman.tempadmin
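
As an added example (not part of the RCC project or this wiki), the following Python check validates a managed tech.rocketman.tempadmin plist against the rules documented on this page: the action choices, a positive timeMin, the clientId/clientSecret requirement when removeGroup is set (flagging values that are not ENC:-prefixed), and the per-destination keys expected in the upload credentials plist. The sample plist and its placeholder values are constructed; the check functions and their names are this example's own.

```python
import plistlib

# Documented on this page: allowed actions, and the keys each upload destination's plist needs.
ACTIONS = {"promote", "demote"}
UPLOAD_CREDENTIAL_KEYS = {
    "gcs": {"clientEmail", "privateKey", "bucketName"},
    "s3": {"clientId", "clientSecret", "bucketName", "region"},
    "sharepoint": {"clientId", "clientSecret", "bucketName", "sharepointSiteUrl"},
}


def validate_tempadmin_config(cfg: dict) -> list:
    # Returns findings for a parsed managed plist; an empty list means it passes.
    findings = []
    if cfg.get("action", "promote") not in ACTIONS:
        findings.append("action must be promote or demote")
    time_min = cfg.get("timeMin", 5)  # page default: 5 minutes
    if not isinstance(time_min, int) or time_min <= 0:
        findings.append("timeMin must be a positive integer (minutes)")
    if "removeGroup" in cfg:
        # Important Notes: clientId and clientSecret are required with removeGroup.
        for key in ("clientId", "clientSecret"):
            value = cfg.get(key)
            if not value:
                findings.append(f"{key} is required when removeGroup is set")
            elif not str(value).startswith("ENC:"):
                findings.append(f"{key} is plaintext; encrypt it with the RCC Encrypt tool")
    return findings


def check_managed_plist(data: bytes) -> list:
    return validate_tempadmin_config(plistlib.loads(data))  # XML or binary plist


def validate_upload_credentials(destination: str, creds: dict) -> list:
    # Reports keys missing from the --uploadCredentialsPlistPath plist for a destination.
    if destination not in UPLOAD_CREDENTIAL_KEYS:
        return [f"unknown uploadDestination {destination!r}"]
    missing = UPLOAD_CREDENTIAL_KEYS[destination] - set(creds)
    return [f"missing {k} for {destination}" for k in sorted(missing)]


# Constructed sample (not from the page): valid apart from an unencrypted clientId.
SAMPLE_PLIST = b"""<plist version="1.0"><dict>
  <key>action</key><string>promote</string><key>timeMin</key><integer>5</integer>
  <key>removeGroup</key><string>Temporary Admin Privileges</string>
  <key>clientId</key><string>placeholder-plaintext-id</string>
  <key>clientSecret</key><string>ENC:placeholder</string></dict></plist>"""
```

Run check_managed_plist on the plist exported from Jamf (or read with defaults export) before scoping the profile; the sample above reports only the unencrypted clientId.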

Suggestions

  • Use the --simulate flag to test configurations before applying them in a live environment.
  • Deploy a configuration profile that locks key System Preferences panels during temporary admin periods. Scope it to the Temporary Admin static group so restrictions apply when users are added and lift when they're removed.

JSON Schema

{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Temporary Admin (tech.rocketman.tempadmin)",
  "description": "Configuration for RCC's Temporary Admin tool. For more information on how to use this tool, visit https://github.com/Rocketman-Tech/rcc/wiki/Temporary-Admin",
  "type": "object",
  "properties": {
    "timeMin": {
      "title": "Admin Rights Duration",
      "description": "Specifies the duration of admin rights in minutes.",
      "property_order": 4,
      "type": "integer",
      "default": 15
    },
    "askReason": {
      "title": "Ask For A Reason",
      "description": "Prompts the user with a custom question to justify their need for admin rights. The reason is logged for auditing purposes.",
      "property_order": 5,
      "type": "string",
      "default": "Please state your reason for needing admin rights."
    },
    "removeGroup": {
      "title": "Temporary Admin Static Group Name",
      "description": "Specifies the name of a static group from which the user will be removed after receiving admin rights, restricting future access.",
      "property_order": 6,
      "type": "string",
      "default": "Temporary Admin Rights"
    },
    "logo": {
      "title": "Path to Logo",
      "description": "Path to a logo file for use in dialog boxes, useful for branding.",
      "property_order": 8,
      "type": "string",
      "default": "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/GroupIcon.icns"
    },
    "clientId": {
      "title": "Client ID",
      "description": "Specifies the Client ID for Jamf API authentication. Required if --removeGroup is used to authenticate and perform group modifications. It is recommended to Encrypt these credentials using RCC's Encrypt tool.",
      "property_order": 10,
      "type": "string"
    },
    "clientSecret": {
      "title": "Client Secret",
      "description": "Specifies the Client Secret for Jamf API authentication. Required if --removeGroup is used to authenticate and perform group modifications. It is recommended to Encrypt these credentials using RCC's Encrypt tool.",
      "property_order": 11,
      "type": "string"
    },
    "width": {
      "title": "Width",
      "description": "Width of dialog box displayed to the user.",
      "property_order": 12,
      "type": "string",
      "default": 400
    },
    "height": {
      "title": "Height",
      "description": "Height of dialog box displayed to the user.",
      "property_order": 13,
      "type": "string",
      "default": 200
    }
  },
  "additionalProperties": false
}
