Use Jamf Connect to manage account privileges

Jamf Connect 2.33.0 adds a new account elevation feature that allows standard users to initiate a temporary elevation to administrator. Once the user has been promoted, the menu bar displays a countdown for the elevation. When the timer ends, the account is automatically demoted back to a standard user.

In the past, Jamf Pro customers could only use scripts to temporarily elevate and demote privileges, which can be difficult for Jamf Pro administrators who are not familiar with scripting. Any need for adjustment or troubleshooting raises the barrier further. In short, the scripting approach requires administrators to have some understanding of shell scripting, conditional logic, how macOS account promotion and demotion work, LaunchAgents, LaunchDaemons, logging, and so on.

If you have also purchased Jamf Connect, congratulations: you can use this feature immediately at no extra cost. The key points of this feature are as follows:

  • Allows a standard user to temporarily elevate to administrator.
  • Users can be asked to select a reason for the privilege escalation.
  • You can limit which users can perform temporary privilege escalation operations.
  • You can set a time limit after the privilege escalation, and different users can have different time limits.
  • A countdown can be displayed for the duration of the elevation.
  • After the time limit expires, the user is automatically demoted to a standard user.
  • User privilege escalation records are automatically saved in the log.

When a user performs a privilege escalation, they must select or enter a reason for it, which makes the administrator's subsequent review easier.

However, you may need to limit which users can perform privilege escalation. To do so, you can require users to authenticate once to verify that they are permitted to elevate. Taking Azure AD as an example, as shown in the figure below, once authentication succeeds the user obtains administrator privileges immediately, and the menu bar displays the elevation countdown.

If you want to review privilege escalation records easily, you can create Jamf Pro extension attributes. The Jamf Pro console then shows, for each client computer, the user who elevated, the reason given, the time of the elevation, and other log details.

If you would like to learn more about this feature or have any questions when using Jamf Connect products, please contact us.