MakeMeAnAdmin VS macOSLAPS

im trying to use the MakeMeAdmin for MacOSX ( GitHub - jamf/MakeMeAnAdmin: Provides temporary admin access for a standard user via Jamf Self Service )

I'm looking for some solution to grant user temp admin rights (for example 10 minutes). I tried to do this similarly as I do it with Jamf, take that script, pack it as a .pkg*, and allow users to install it to get 10 minutes of local admin. With Jamf it works like a charm, tests with manual installation are positive too (manual I mean run it as a root on my test MacBook). Unfortulently Intune deployment won't work. It stops at downloading status and nothing happens. To create an installation package I use Jamf Composer.

My school MacBook used to have a make me an admin command in Self Service, but for obvious reason it was removed. I have seen a few other kids use a script to route presumably https://github.com/jamf/MakeMeAnAdmin through self service allowing it to execute a sudo command. When I try to run the script on it’s own it asks for a Sudo password which I obviously don’t have. Does anybody know how I could write this script or know how to get this script to run? Thanks

Before the release of Monterey, I was experimenting with krypted's MakeMeAnAdmin script. After the release of Monterey, I started noticing issues with the script, especially when executed on Apple Silicon Macs. Then, I discovered geekquixotic's MakeMeAnAdmin Script. The script seems to work very well for elevation and removal of privileges, but I'm having some trouble getting the logging and the group removal feature working. I'm hoping someone else uses this variation of MakeMeAnAdmin and can help me figure out what I might be doing wrong.

For a real-world example, look at Jamf’s own “MakeMeAnAdmin” script (https://github.com/jamf/MakeMeAnAdmin/blob/master/MakeMeAnAdmin.sh). This is designed to do exactly what I describe above, but it doesn’t work for me on Monterey or on Big Sur. The LaunchDaemon is never actually removed from /Library/LaunchDaemons after it gets unloaded and the script is not deleted either.

LAPS isn't natively supported but once again there's a third-party solution

As others have mentioned, a second account with admin privileges might be your best bet. If you're going to go that route, you may want to implement macoslaps along with that. Macoslaps randomizes the local admin password which comes in handy if you need to give the password to someone. It used to be only for Active Directory joined Macs but now can be used without an active directory (via MDM). Here's the link for more info: This goes on the clients - https://github.com/joshua-d-miller/macOSLAPS

We use MacOSLAPS on our Mac clients to randomize the admin password on those machines: https://github.com/joshua-d-miller/macOSLAPS

And that implementation is why when I set this up at $oldJob I set the RemovePassChars key to all ambiguous characters I had run into on the Microsoft product.

I believe setting something like macOSLAPS up will also resolve the issue since the automatically created local account would authenticate and update it's password silently.

There are a variety of alternatives, such as https://github.com/joshua-d-miller/macOSLAPS