-
Notifications
You must be signed in to change notification settings - Fork 339
Managing Admin Rights With Munki
How to manage local administrative rights for users and groups with Munki.
There is a simple way to manage users and groups who need local admin rights on specific client machines or groups of client machines using Munki.
Benefits of managing local admin rights using this method:
- Faster: Add and remove users and groups to and from the local admin group on machines in an automated-fashion.
- Secure: Ability to track and audit who has admin rights on machines, and remove those rights if necessary.
We are going to create a script that will do a few things. It will either add a user or a group to the local admin group on a machine. The script will then create an uninstall script and place it on the target system. This script can then be called by Munki to remove the user's or group's admin rights from the machine. The script will also create a file that Munki will use to check if the package is installed.
Steps:
-
Create a postflight script for a package that will be installed using Munki. This is the script I made that you can use or modify if you deem it necessary:
#!/bin/sh # (c) 2010 Walter Meyer SUNY Purchase College # Add a user or group to the administrators group on a workstation in a "Munki-Friendly" way. # Change one variable, either the USER or GROUP that you want to give administrative rights to. # Make sure to leave one variable empty depending on whether you are adding a user or group. USER="some.user" GROUP="" # Create a directory to store the files we will need. /bin/mkdir -p /Library/Scripts/Administrative-Rights # Add the USER or GROUP to the local admin group. if [ -n "${USER}" ]; then /usr/sbin/dseditgroup -o edit -n /Local/Default -a $USER -t user admin # Create a file based on what user or group is getting admin rights that Munki can checksum. /bin/echo "$USER" > /Library/Scripts/Administrative-Rights/granted-admin-rights_$USER # Create script that can be used by Munki to remove the user from the admin group. uninstall_script="/Library/Scripts/Administrative-Rights/remove-admin-rights_$USER.sh" /bin/echo "#!/bin/sh" > "$uninstall_script" /bin/echo "/usr/sbin/dseditgroup -o edit -n /Local/Default -d $USER -t user admin" >> "$uninstall_script" /bin/echo "/usr/bin/srm /Library/Scripts/Administrative-Rights/granted-admin-rights_$USER" >> "$uninstall_script" /bin/echo "/usr/bin/srm /Library/Scripts/Administrative-Rights/remove-admin-rights_$USER.sh" >> "$uninstall_script" /bin/echo "exit 0" >> "$uninstall_script" else /usr/sbin/dseditgroup -o edit -n /Local/Default -a $GROUP -t group admin # Create a file based on what user or group is getting admin rights that Munki can checksum. /bin/echo "$GROUP" > /Library/Scripts/Administrative-Rights/granted-admin-rights_$GROUP # Create script that can be used by Munki to remove the user from the admin group. uninstall_script="/Library/Scripts/Administrative-Rights/remove-admin-rights_$GROUP.sh" /bin/echo "#!/bin/sh" > "$uninstall_script" /bin/echo "/usr/sbin/dseditgroup -o edit -n /Local/Default -d $GROUP -t group admin" >> "$uninstall_script" /bin/echo "/usr/bin/srm /Library/Scripts/Administrative-Rights/granted-admin-rights_$GROUP" >> "$uninstall_script" /bin/echo "/usr/bin/srm /Library/Scripts/Administrative-Rights/remove-admin-rights_$GROUP.sh" >> "$uninstall_script" /bin/echo "exit 0" >> "$uninstall_script" fi # Permission the directory properly. /usr/sbin/chown -R root:admin /Library/Scripts/Administrative-Rights /bin/chmod -R 700 /Library/Scripts/Administrative-Rights exit 0
-
Make a package that contains the postflight script. I recommend using The Luggage to build the package, but you don't have to. http://wiki.github.com/unixorn/luggage/
-
Add the package to munki and run makepkginfo on the package you made.
-
Install the package on a test workstation. Then run the following command (if you used my script):
makepkginfo -f /Library/Scripts/Administrative-Rights/granted-admin-rights_some.user
Take the installs key information and append it to your pkginfo file you created.
-
Next change the uninstall_method key in the pkginfo file to look like this:
<key>uninstall_method</key> <string>/Library/Scripts/Administrative-Rights/remove-admin-rights_some.user.sh</string>
- Getting Started
- Overview
- Discussion Group
- Demonstration Setup
- Glossary
- Frequently Asked Questions
- Contributing to Munki
- Release Notes
- Introduction
- Managed Software Center in Munki 5.2
- Manual Apple Updates
- force_install_after_date for Apple Updates
- Additional update encouragement
- Aggressive update notifications
- AggressiveUpdateNotificationDays preference
- Additional Munki 5 changes
- Configuration profile notes
- Major macOS upgrade notes
- Upgrading to Munki 5
- Introduction
- Munki Links
- Product Icons
- Screenshots In Product Descriptions
- Client Customization
- Custom Help Content
- Featured Items
- Update Notifications:
- Introduction
- iconimporter
- makepkginfo
- munkiimport
- managedsoftwareupdate
- makecatalogs
- manifestutil
- repoclean
- Preferences
- Default Repo Detection
- Default Manifest Resolution
- Managed Preferences Support In Munki
- Apple Software Updates With Munki
- Pkginfo Files
- Supported Pkginfo Keys
- Pre And Postinstall Scripts
- Munki And AutoRemove
- Blocking Applications
- ChoiceChangesXML
- CopyFromDMG
- nopkg items
- How Munki Decides What Needs To Be Installed
- Default Installs
- Removal of Unused Software
- Upgrading macOS:
- Apple Updates:
- Securing the Munki repo
- Preflight And Postflight Scripts
- Report Broken Client
- MSC Logging
- Munki With Git
- Bootstrapping With Munki
- License Seat Tracking
- LaunchD Jobs and Changing When Munki Runs
- Web Request Middleware
- Repo Plugins
- Downgrading Software
- Downgrading Munki tools
- Authorized Restarts
- Allowing Untrusted Packages
- About Munki's Embedded Python
- Customizing Python for Munki
- Configuration Profile Emulation
- PPPC Privacy permissions
- AutoPkg
- Repackaging
- Creating Disk Images
- Stupid Munki Tricks
- Troubleshooting
- Professional Support
- Known Issues and Workarounds
- Building Munki packages
- Munki packages and restarts
- Signing Munki
- Removing Munki
- More Links And Tools
- Munki Configuration Script
- Who's Using Munki
- Munki 3 Information
- Munki 4 Information
- macOS Monterey Info
- Pkginfo For Apple Software Updates
- Managing Configuration Profiles
- Microsoft Office
- Adobe Products
- Upgrading macOS: