Deploying Privilege Elevation Settings From Jamf Connect

Updated over 3 weeks ago

Description

The Jamf Connect Menu Bar app allows standard users to initiate a temporary elevation to local administrator. While elevated, the user can perform any action available to local administrators; when the elevation session ends, the user is returned to a standard user.

The minimal configuration needed to get Privilege Elevation working with Jamf Connect is straightforward. Add the following dictionary and key combination to the Jamf Connect Menu Bar plist:

    <key>TemporaryUserPermissions</key>
    <dict>
        <key>TemporaryUserPromotion</key>
        <true/>
    </dict>


This article provides three options for configuring and deploying an additional Menu Bar configuration profile that contains only the Privilege Elevation settings. Keeping these settings in their own profile lets you remove Privilege Elevation from users at any time while retaining the regular Jamf Connect Menu Bar settings.

Configuring and Deploying Additional Menu Bar Profile

Privilege Elevation Workflows:

Option 1: Using the Jamf Pro built-in repository

  1. In Jamf Pro navigate to Computers > Configuration Profiles > New.

  2. Configure the Display Name. In this example Jamf Connect Menubar Privilege Elevation options is used. The Category and Site can be configured at this time if needed.

  3. Select the Applications & Custom Settings payload > Jamf Applications > + Add.

  4. Configure the following:

    • Jamf Application Domain: com.jamf.connect

    • Version: the targeted version of Jamf Connect

    • Variant: Jamf Connect.json

  5. Click Add/Remove properties, then deselect Identity Provider Preferences and select Privilege Elevation Preferences.

  6. Click Apply.

  7. Click the dropdown box to switch the setting for Temporary User Promotion to true.

  8. We recommend configuring only the Temporary User Promotion key for the initial test and adding further keys as needed. When you are ready to add more keys, click Add/Remove Properties, select the options you want to add, and click Apply.

    [Screenshot: the Privilege Elevation Preferences page in Jamf Pro]

  9. Click Scope and add desired test computers to the profile scope for initial testing.

  10. Click Save.

Option 2: Using the Jamf Connect Configuration application

[Screenshot: the Jamf Connect Configuration application]

  1. On a Mac, if the Jamf Connect Configuration application has not already been downloaded and installed, follow these steps:

    1. Select the targeted version of Jamf Connect, then click Download. This downloads the Jamf Connect DMG.

    2. Open the DMG and accept the terms and conditions.

    3. In the window that opens, the Jamf Connect Configuration application can be opened directly or moved to the Applications folder.

  2. Once the Jamf Connect Configuration application is open, click the + (plus) button to create a new configuration.

  3. Select the Connect tab and scroll down to the Temporary User Permissions section. Configure only the needed options.

    • It is recommended to configure only the Temporary User Promotion key for the initial test and then add additional keys as needed.

    • Do not configure the Admin Attribute section. This belongs in the production Jamf Connect Menu Bar plist and is covered under Additional Information below.

  4. Select the </> (code block) button in the upper-right corner to confirm the plist contains only keys related to Privilege Elevation.

  5. Select the Save button at the top of the Jamf Connect Configuration Application window.

  6. In the save window that opens, select Jamf Connect under the Application section and Property List (.plist) under the File format section, then click Save.

    [Screenshot: the save window with the Application and File format selections]

  7. In the Save dialog that appears, name the plist and choose a location to save it.

  8. In Jamf Pro navigate to Computers > Configuration Profiles > New.

  9. Configure the Display Name. In this example Jamf Connect Menubar Privilege Elevation Options is used. The Category and Site can be configured at this time if needed.

  10. Select the Applications & Custom Settings payload > Upload > + Add.

  11. Fill in the Preference Domain: com.jamf.connect

  12. Click the Upload button, select the plist saved in step 7, and click Open.

    [Screenshot: the Upload section of the Applications & Custom Settings payload]

  13. Click Scope and add desired test computers to the profile scope for initial testing.

  14. Click Save.

Option 3: Copying and customizing the example plist from the Jamf Connect Documentation

  1. Create a new profile in Jamf Pro by going to Computers > Configuration Profiles > New.

  2. Configure the Display Name. In this example Jamf Connect Menubar Privilege Elevation Options is used. The Category and Site can be configured at this time if needed.

  3. Select the Applications & Custom Settings payload > Upload > + Add.

  4. For the Preference Domain input com.jamf.connect.

  5. In the Property List section of the payload, paste in the plist below (taken from the Configuring macOS Privilege Elevation using Jamf Connect section of the Jamf Connect documentation) and modify it to produce the desired Privilege Elevation behavior.

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>TemporaryUserPermissions</key>
        <dict>
            <key>TemporaryUserPromotion</key>
            <true/>
            <key>UserPromotionDuration</key>
            <integer>10</integer>
            <key>UserPromotionReason</key>
            <true/>
            <key>UserPromotionTimer</key>
            <true/>
            <key>VerifyUserPromotion</key>
            <false/>
            <key>UserPromotionChoices</key>
            <array>
                <string>Hardware Driver or Install</string>
                <string>Xcode or Software Development Tasks</string>
            </array>
        </dict>
    </dict>
    </plist>

  6. Click Scope and add desired test computers to the profile scope for initial testing.

  7. Click Save.
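Whichever option you use, the value of the separate profile is that it carries nothing but Privilege Elevation settings, so it is worth checking the plist mechanically before it is scoped (the same check Option 2, step 4 asks you to do by eye). The following Python script is an added example, not Jamf's code: it parses a plist with the standard library's plistlib and reports any top-level key other than TemporaryUserPermissions (IdPSettings, for instance, belongs in the production Menu Bar profile), any child key this article does not name, and wrong value types. The table of known keys is limited to the keys mentioned in this article and is an assumption to extend from the Jamf Connect documentation; both sample plists are constructed for the demonstration.

```python
import plistlib
from typing import Dict, List
from xml.parsers.expat import ExpatError

# Child keys of TemporaryUserPermissions named in this article and the plist
# type each should carry. Assumption: the real Jamf Connect schema may define
# more keys; extend this table from the Jamf Connect documentation.
KNOWN_ELEVATION_KEYS: Dict[str, type] = {
    "TemporaryUserPromotion": bool,
    "UserPromotionDuration": int,
    "UserPromotionReason": bool,
    "UserPromotionTimer": bool,
    "VerifyUserPromotion": bool,
    "VerifyUserPromotionFIDO2": bool,
    "UserPromotionRole": str,
    "UserPromotionChoices": list,
}


def _type_ok(value, expected: type) -> bool:
    # bool is a subclass of int in Python, so <true/> must not pass as <integer>.
    if expected is int:
        return isinstance(value, int) and not isinstance(value, bool)
    return isinstance(value, expected)


def lint_elevation_plist(data: bytes) -> List[str]:
    """Return findings for a plist meant to carry only Privilege Elevation
    settings; an empty list means it is ready to upload to the separate profile."""
    try:
        root = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError) as exc:
        return [f"not a valid plist: {exc}"]
    if not isinstance(root, dict):
        return ["root element must be a <dict>"]

    findings: List[str] = []
    # Anything besides TemporaryUserPermissions belongs in the production
    # Menu Bar profile, not in the elevation-only profile.
    for key in root:
        if key != "TemporaryUserPermissions":
            findings.append(f"unexpected top-level key {key!r}; keep only TemporaryUserPermissions in this profile")

    perms = root.get("TemporaryUserPermissions")
    if perms is None:
        findings.append("missing TemporaryUserPermissions dictionary")
        return findings
    if not isinstance(perms, dict):
        findings.append("TemporaryUserPermissions must be a <dict>")
        return findings

    if perms.get("TemporaryUserPromotion") is not True:
        findings.append("TemporaryUserPromotion must be <true/> or elevation is never offered")

    for key, value in perms.items():
        expected = KNOWN_ELEVATION_KEYS.get(key)
        if expected is None:
            findings.append(f"unknown key {key!r} under TemporaryUserPermissions (typo?)")
        elif not _type_ok(value, expected):
            findings.append(f"{key} should be {expected.__name__}, got {type(value).__name__}")

    duration = perms.get("UserPromotionDuration")
    if _type_ok(duration, int) and duration <= 0:
        findings.append("UserPromotionDuration must be greater than zero")
    return findings


# Constructed sample: the Option 3 plist from this article, which should pass cleanly.
GOOD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>TemporaryUserPermissions</key><dict>
    <key>TemporaryUserPromotion</key><true/>
    <key>UserPromotionDuration</key><integer>10</integer>
    <key>UserPromotionReason</key><true/>
    <key>UserPromotionTimer</key><true/>
    <key>VerifyUserPromotion</key><false/>
    <key>UserPromotionChoices</key><array>
      <string>Hardware Driver or Install</string>
      <string>Xcode or Software Development Tasks</string>
    </array>
  </dict>
</dict></plist>"""

# Constructed sample with three mistakes: promotion disabled, a misspelled key,
# and IdPSettings leaking into the elevation-only profile.
BAD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>TemporaryUserPermissions</key><dict>
    <key>TemporaryUserPromotion</key><false/>
    <key>UserPromotionDurration</key><integer>10</integer>
  </dict>
  <key>IdPSettings</key><dict>
    <key>OIDCAdminAttribute</key><string>groups</string>
  </dict>
</dict></plist>"""

if __name__ == "__main__":
    for name, blob in (("good", GOOD_PLIST), ("bad", BAD_PLIST)):
        print(name, lint_elevation_plist(blob) or "OK")
```

Run it against the plist exported from the Jamf Connect Configuration application (read the file as bytes and pass it to lint_elevation_plist) before uploading in Option 2, step 12; a non-empty result means the profile would carry settings that should stay in the production Menu Bar profile.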


Additional Information

If using the UserPromotionRole key, please note:

  • Google does not support role-based privilege elevation.

  • The VerifyUserPromotion or VerifyUserPromotionFIDO2 key must be set to true.

  • To specify which user roles (or groups, for Okta) from an ID token should be used to promote users, the Admin Attribute (OIDCAdminAttribute) key must be configured in the IdPSettings dictionary.

  • To ensure the correct groups or roles are captured in the ID token, configure the Scopes key in the IdPSettings dictionary.

    • With most IdPs, the following scopes can be set in the Scopes key: openid email profile groups

    <key>IdPSettings</key>
    <dict>
        <key>OIDCAdminAttribute</key>
        <string>groups</string>
        <key>Scopes</key>
        <string>openid email profile groups</string>
    </dict>
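Because the role-based prerequisites above are split across two profiles (the verification keys live in the Privilege Elevation profile, the Admin Attribute and Scopes in the production Menu Bar profile), a misconfiguration is easy to miss when each profile is reviewed on its own. The following Python function is an added example, not Jamf's code: given both plists as bytes, it checks that a UserPromotionRole requirement is paired with VerifyUserPromotion or VerifyUserPromotionFIDO2 set to true, that IdPSettings carries OIDCAdminAttribute and Scopes, and, as a heuristic assumption, that the attribute name appears among the requested scopes (as it does for the groups scope in the snippet above). The role value "Mac Admins", the assumption that UserPromotionRole is a string, and all four sample plists are constructed for the demonstration.

```python
import plistlib
from typing import Any, Dict, List


def check_role_based_promotion(elevation_plist: bytes, menubar_plist: bytes) -> List[str]:
    """Cross-check the Privilege Elevation profile against the production Menu Bar
    profile for the UserPromotionRole prerequisites; an empty list means consistent."""
    elevation: Dict[str, Any] = plistlib.loads(elevation_plist)
    menubar: Dict[str, Any] = plistlib.loads(menubar_plist)
    perms: Dict[str, Any] = elevation.get("TemporaryUserPermissions", {})
    findings: List[str] = []

    # Assumption: UserPromotionRole holds the role or group name as a string.
    if not perms.get("UserPromotionRole"):
        return findings  # role-based promotion not in use; nothing to enforce

    # A role requirement only means something if the user is re-verified with the IdP.
    if perms.get("VerifyUserPromotion") is not True and perms.get("VerifyUserPromotionFIDO2") is not True:
        findings.append("UserPromotionRole is set but neither VerifyUserPromotion nor VerifyUserPromotionFIDO2 is true")

    idp = menubar.get("IdPSettings")
    if not isinstance(idp, dict):
        findings.append("production Menu Bar profile has no IdPSettings dictionary")
        return findings

    attr = idp.get("OIDCAdminAttribute")
    if not attr:
        findings.append("IdPSettings.OIDCAdminAttribute is not set, so no ID token claim is selected to carry the role")

    requested = str(idp.get("Scopes", "")).split()
    if not requested:
        findings.append("IdPSettings.Scopes is not set; roles or groups will not be requested in the ID token")
    elif attr and attr not in requested:
        # Heuristic (assumption): IdPs that gate the claim behind a scope of the same
        # name, as with 'groups' above, need that scope requested for the claim to appear.
        findings.append(f"Scopes {' '.join(requested)!r} does not request {attr!r}")
    return findings


# Constructed samples. A consistent pair first: role required, user re-verified,
# and the production profile requests the groups claim.
ELEVATION_WITH_ROLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>TemporaryUserPermissions</key><dict>
    <key>TemporaryUserPromotion</key><true/>
    <key>VerifyUserPromotion</key><true/>
    <key>UserPromotionRole</key><string>Mac Admins</string>
  </dict>
</dict></plist>"""

MENUBAR_GOOD = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>IdPSettings</key><dict>
    <key>OIDCAdminAttribute</key><string>groups</string>
    <key>Scopes</key><string>openid email profile groups</string>
  </dict>
</dict></plist>"""

# An inconsistent pair: verification switched off, and the groups scope missing.
ELEVATION_UNVERIFIED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>TemporaryUserPermissions</key><dict>
    <key>TemporaryUserPromotion</key><true/>
    <key>VerifyUserPromotion</key><false/>
    <key>UserPromotionRole</key><string>Mac Admins</string>
  </dict>
</dict></plist>"""

MENUBAR_NO_GROUPS_SCOPE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>IdPSettings</key><dict>
    <key>OIDCAdminAttribute</key><string>groups</string>
    <key>Scopes</key><string>openid email profile</string>
  </dict>
</dict></plist>"""

if __name__ == "__main__":
    print("good pair:", check_role_based_promotion(ELEVATION_WITH_ROLE, MENUBAR_GOOD) or "OK")
    print("bad pair: ", check_role_based_promotion(ELEVATION_UNVERIFIED, MENUBAR_NO_GROUPS_SCOPE))
```

The Google limitation in the first bullet cannot be read from these two plists alone, so it is not checked here; the remaining bullets map one-to-one onto the findings the function emits.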
