Description
The Jamf Connect Menu Bar app allows standard users to initiate a temporary elevation to local administrator. While the elevation session lasts, the elevated user can perform any action available to local administrators. When the elevation session ends, the user is returned to a standard user.
The minimal configuration needed to get Privilege Elevation working with Jamf Connect is relatively straightforward. Add the following dictionary and key combination to the Jamf Connect Menubar plist:
<key>TemporaryUserPermissions</key>
<dict>
    <key>TemporaryUserPromotion</key>
    <true/>
</dict>
This article provides three options for configuring and deploying an additional Menu Bar configuration profile that contains only the Privilege Elevation settings. Keeping these settings in their own profile makes it possible to remove Privilege Elevation from users at any time while retaining the regular Jamf Connect Menu Bar settings.
Configuring and Deploying Additional Menu Bar Profile
Privilege Elevation Workflows:
Option 1: Using the Jamf Pro built-in repository
In Jamf Pro navigate to Computers > Configuration Profiles > New.
Configure the Display Name. In this example Jamf Connect Menubar Privilege Elevation options is used. The Category and Site can be configured at this time if needed.
Select the Applications & Custom Settings payload > Jamf Applications > + Add.
Configure the following:
Jamf Application Domain: com.jamf.connect
Version: the targeted version of Jamf Connect
Variant: Jamf Connect.json
Click Add/Remove properties, then deselect Identity Provider Preferences and select Privilege Elevation Preferences.
Click Apply.
Click the dropdown box to switch the setting for Temporary User Promotion to true.
We recommend configuring only the Temporary User Promotion key for the initial test and adding further keys as needed. When you are ready to add more keys, click the Add/Remove Properties button, select the options you want to add, and then click Apply.
Click Scope and add desired test computers to the profile scope for initial testing.
Click Save.
Option 2: Using the Jamf Connect Configuration application
On a Mac, if the Jamf Connect Configuration application has not already been downloaded and installed, follow these steps:
Navigate to https://account.jamf.com/products/jamf-connect/download and sign in.
Select the targeted version of Jamf Connect followed by the Download button. This triggers the Jamf Connect DMG to download.
Open the DMG and accept the terms and conditions.
In the window that opens, the Jamf Connect Configuration application can be opened directly or moved to the Applications folder.
Once the Jamf Connect Configuration application is open, use the + (plus) button to create a new configuration.
Select the Connect tab and scroll down to the Temporary User Permissions section. Configure only the needed options.
It is recommended to configure only the Temporary User Promotion key for the initial test and then add additional keys as needed.
Do not configure the Admin Attribute section. This is done in the production Jamf Connect Menubar plist, which is discussed in more depth later in this article.
Select the </> (code block) button in the upper right-hand corner to confirm the plist only contains keys related to Privilege Elevation.
Select the Save button at the top of the Jamf Connect Configuration Application window.
In the save window that opens, select Jamf Connect under the Application section and Property List (.plist) under the File Format section, then click Save.
In the Save dialog box that appears, name the plist and save it to a location of your choice.
In Jamf Pro navigate to Computers > Configuration Profiles > New.
Configure the Display Name. In this example Jamf Connect Menubar Privilege Elevation Options is used. The Category and Site can be configured at this time if needed.
Select the Applications & Custom Settings payload > Upload > + Add.
Fill in the Preference Domain:
com.jamf.connect
Click the Upload button, select the plist saved in step 7, and click Open.
Click Scope and add desired test computers to the profile scope for initial testing.
Click Save.
Option 3: Copying and customizing the example plist from the Jamf Connect Documentation
Create a new profile in Jamf Pro by going to Computers > Configuration Profiles > New.
Configure the Display Name. In this example Jamf Connect Menubar Privilege Elevation Options is used. The Category and Site can be configured at this time if needed.
Select the Applications & Custom Settings payload > Upload > + Add.
For the Preference Domain input com.jamf.connect.
In the Property List section of the payload, paste in the plist below (taken from the Configuring macOS Privilege Elevation using Jamf Connect section of the Jamf Connect documentation) and modify it to fit the desired Privilege Elevation behavior.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>TemporaryUserPermissions</key>
    <dict>
        <key>TemporaryUserPromotion</key>
        <true/>
        <key>UserPromotionDuration</key>
        <integer>10</integer>
        <key>UserPromotionReason</key>
        <true/>
        <key>UserPromotionTimer</key>
        <true/>
        <key>VerifyUserPromotion</key>
        <false/>
        <key>UserPromotionChoices</key>
        <array>
            <string>Hardware Driver or Install</string>
            <string>Xcode or Software Development Tasks</string>
        </array>
    </dict>
</dict>
</plist>
Click Scope and add desired test computers to the profile scope for initial testing.
Click Save.
Additional Information
If using the UserPromotionRole key, please note:
Google does not support role-based privilege elevation.
The VerifyUserPromotion or VerifyUserPromotionFIDO2 key must be set to true.
To specify which user roles (or groups, for Okta) from an ID token should be used to promote users, the Admin Attribute (OIDCAdminAttribute) key needs to be configured in the IdPSettings dictionary.
To ensure the correct groups or roles are captured in the ID token, configure the Scopes key in the IdPSettings dictionary. With most IdPs the following additional claims can be added to the Scopes key: openid email profile groups
<key>IdPSettings</key>
<dict>
    <key>OIDCAdminAttribute</key>
    <string>groups</string>
    <key>Scopes</key>
    <string>openid email profile groups</string>
</dict>
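As an added example (not part of this article and not Jamf's own tooling), the following Python script uses the standard library's plistlib to check the two things this article asks you to verify by hand: that the separate elevation profile contains only TemporaryUserPermissions keys (the </> check in Option 2), and that the UserPromotionRole prerequisites listed above are met across the elevation profile and the production menu bar plist that carries IdPSettings. The sample plists are constructed from the snippets on this page. The ELEVATION_KEYS set lists only the keys this article names and is an assumption about the full key set; extend it from the Jamf Connect documentation for your version.

```python
"""Lint Jamf Connect menu bar plists for the Privilege Elevation layout described in this article.

Added example, not Jamf's own code. Uses only the standard library (plistlib).
"""
import plistlib

# Keys this article names under TemporaryUserPermissions. Assumption: the real key set for
# your Jamf Connect version may be larger; extend this from the Jamf Connect documentation.
ELEVATION_KEYS = {
    "TemporaryUserPromotion", "UserPromotionDuration", "UserPromotionReason",
    "UserPromotionTimer", "VerifyUserPromotion", "VerifyUserPromotionFIDO2",
    "UserPromotionChoices", "UserPromotionRole",
}

# Constructed sample: the elevation-only plist from Option 3 of this article.
ELEVATION_ONLY_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>TemporaryUserPermissions</key><dict>
    <key>TemporaryUserPromotion</key><true/>
    <key>UserPromotionDuration</key><integer>10</integer>
    <key>UserPromotionReason</key><true/>
    <key>UserPromotionTimer</key><true/>
    <key>VerifyUserPromotion</key><false/>
    <key>UserPromotionChoices</key><array>
      <string>Hardware Driver or Install</string>
      <string>Xcode or Software Development Tasks</string>
    </array>
  </dict>
</dict></plist>"""

# Constructed sample: the IdPSettings fragment from the Additional Information section,
# standing in for the production menu bar plist where this article says it belongs.
MENUBAR_PLIST = b"""<plist version="1.0"><dict>
  <key>IdPSettings</key><dict>
    <key>OIDCAdminAttribute</key><string>groups</string>
    <key>Scopes</key><string>openid email profile groups</string>
  </dict>
</dict></plist>"""

# Constructed sample of the mistake the article warns against: IdPSettings mixed into the
# elevation-only profile, which would be lost if that profile is later unscoped.
MIXED_PLIST = ELEVATION_ONLY_PLIST.replace(
    b"</dict></plist>",
    b"<key>IdPSettings</key><dict><key>OIDCAdminAttribute</key><string>groups</string>"
    b"<key>Scopes</key><string>openid email profile groups</string></dict></dict></plist>",
)


def load_prefs(plist_bytes: bytes) -> dict:
    """Parse an XML plist into a Python dictionary."""
    return plistlib.loads(plist_bytes)


def lint_elevation_profile(plist_bytes: bytes) -> list[str]:
    """Return findings for a profile that is meant to carry ONLY Privilege Elevation settings."""
    findings = []
    prefs = load_prefs(plist_bytes)
    extra_top = set(prefs) - {"TemporaryUserPermissions"}
    if extra_top:
        findings.append(f"top-level keys outside Privilege Elevation: {sorted(extra_top)}")
    perms = prefs.get("TemporaryUserPermissions")
    if not isinstance(perms, dict):
        findings.append("TemporaryUserPermissions dictionary missing")
        return findings
    unknown = set(perms) - ELEVATION_KEYS
    if unknown:
        findings.append(f"unrecognised keys in TemporaryUserPermissions: {sorted(unknown)}")
    if perms.get("TemporaryUserPromotion") is not True:
        findings.append("TemporaryUserPromotion is not true; elevation will not be offered")
    duration = perms.get("UserPromotionDuration")
    if duration is not None and (not isinstance(duration, int) or duration <= 0):
        findings.append(f"UserPromotionDuration must be a positive integer, got {duration!r}")
    return findings


def lint_role_prerequisites(elevation_prefs: dict, menubar_prefs: dict) -> list[str]:
    """Check the UserPromotionRole prerequisites from the Additional Information section.

    elevation_prefs is the elevation-only profile; menubar_prefs is the production menu bar
    plist. Both are deployed to com.jamf.connect, so the check looks across both dictionaries.
    """
    perms = elevation_prefs.get("TemporaryUserPermissions", {})
    if "UserPromotionRole" not in perms:
        return []  # role-based promotion not in use; nothing to check
    findings = []
    if not (perms.get("VerifyUserPromotion") is True or perms.get("VerifyUserPromotionFIDO2") is True):
        findings.append("UserPromotionRole requires VerifyUserPromotion or VerifyUserPromotionFIDO2 set to true")
    idp = menubar_prefs.get("IdPSettings", {})
    if not idp.get("OIDCAdminAttribute"):
        findings.append("IdPSettings.OIDCAdminAttribute is not set, so roles or groups cannot be read from the ID token")
    if not idp.get("Scopes"):
        findings.append("IdPSettings.Scopes is not set; the groups or roles claim may be missing from the ID token")
    return findings


if __name__ == "__main__":
    for name, data in (("elevation-only", ELEVATION_ONLY_PLIST), ("mixed", MIXED_PLIST)):
        print(name, lint_elevation_profile(data) or ["ok"])
    role_prefs = {"TemporaryUserPermissions": {"TemporaryUserPromotion": True, "UserPromotionRole": "admins"}}
    print("role prerequisites", lint_role_prerequisites(role_prefs, load_prefs(MENUBAR_PLIST)) or ["ok"])
```

Run the script against the plist exported from the Jamf Connect Configuration application before uploading it in Option 2, and against the production menu bar plist once the role keys are added; any finding points at a key that is either in the wrong profile or missing from the IdPSettings dictionary.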