MakeMeAnAdmin VS macOS-enterprise-privileges

im trying to use the MakeMeAdmin for MacOSX ( GitHub - jamf/MakeMeAnAdmin: Provides temporary admin access for a standard user via Jamf Self Service )

I'm looking for some solution to grant user temp admin rights (for example 10 minutes). I tried to do this similarly as I do it with Jamf, take that script, pack it as a .pkg*, and allow users to install it to get 10 minutes of local admin. With Jamf it works like a charm, tests with manual installation are positive too (manual I mean run it as a root on my test MacBook). Unfortulently Intune deployment won't work. It stops at downloading status and nothing happens. To create an installation package I use Jamf Composer.

My school MacBook used to have a make me an admin command in Self Service, but for obvious reason it was removed. I have seen a few other kids use a script to route presumably https://github.com/jamf/MakeMeAnAdmin through self service allowing it to execute a sudo command. When I try to run the script on it’s own it asks for a Sudo password which I obviously don’t have. Does anybody know how I could write this script or know how to get this script to run? Thanks

Before the release of Monterey, I was experimenting with krypted's MakeMeAnAdmin script. After the release of Monterey, I started noticing issues with the script, especially when executed on Apple Silicon Macs. Then, I discovered geekquixotic's MakeMeAnAdmin Script. The script seems to work very well for elevation and removal of privileges, but I'm having some trouble getting the logging and the group removal feature working. I'm hoping someone else uses this variation of MakeMeAnAdmin and can help me figure out what I might be doing wrong.

For a real-world example, look at Jamf’s own “MakeMeAnAdmin” script (https://github.com/jamf/MakeMeAnAdmin/blob/master/MakeMeAnAdmin.sh). This is designed to do exactly what I describe above, but it doesn’t work for me on Monterey or on Big Sur. The LaunchDaemon is never actually removed from /Library/LaunchDaemons after it gets unloaded and the script is not deleted either.

Also, if you need them to have admin rights, you can use something like https://github.com/SAP/macOS-enterprise-privileges

> For technically-inclined users, I'm still largely unconvinced of the value of SIP.

Problem is technically-inclined users are the ones most likely to not be running "defense in depth" and therefore susceptible to zero days such as the H.264->code execution discussion earlier this week.

Arguably, technically-inclined users participating in the software supply chain should go beyond SIP and run in Lockdown mode permanently, both on the dev machine and any mobile devices used for MFA, or at the very least self-install SAP's "Privileges" or equivalent that requires a deliberate unlock to act as Administrator.

https://github.com/SAP/macOS-enterprise-privileges

This helps* prevent drive-bys with persistent payloads without the extra attack surface that is commercial AV or anti-malware.

* Helps prevent, not prevents.