First and foremost: I'm new to macOS scripting and rely heavily on the internet to get things done. I searched for a while but couldn't find a solution, so I'm asking here. Please tell me if this isn't the right place to ask.
I'm trying to build a script/launchd combo that is always running in the background, searching for admins (other than system/service accounts). On a hit, I want it to call a script which creates another launchd job, which after 15 min removes said account from the admin group.
This is meant to be used with Privileges.app, which users can use to grant themselves admin privileges and remove them after said time window. I'm aware that Privileges.app has an option in the config profile to enable this; however, it only works if you right-click the dock icon and toggle it from there, which doesn't work because I enabled other options in said config that disable this way of toggling the privileges.
Creating and deploying the launchd job via script works flawlessly; the second launchd job on a hit also gets created without an issue. It works if the Mac stays unlocked. As soon as the Mac gets locked, even if only for a few seconds, the launchd job doesn't work anymore, even though launchctl shows it is loaded.
The devices are managed/supervised devices. The issue doesn't change if I deploy the script via MDM or manually execute it via sudo bash.
I made sure to create a global LaunchDaemon, not a LaunchAgent. I also made sure the launchd job is loaded using launchctl list.
Disk sleep is disabled. StandardOutPath / StandardErrorPath with Debug enabled don't show anything because the log isn't being created.
Here's the full script:
#!/bin/bash
# Installer: run once as root (sudo bash or via MDM). The watcher script is written
# first so that it already exists when its LaunchDaemon is loaded with RunAtLoad.
AGENT_DIR="/Library/Application Support/com.mobileiron.mac.agent"
mkdir -p "$AGENT_DIR"

# Watcher script. It runs as root under launchd, so no sudo is needed inside it.
cat << 'EOF' > "$AGENT_DIR/admincheck.sh"
#!/bin/bash
sleep 25
# Current members of the local admin group, excluding root (one name per line).
list_admins() {
    dscacheutil -q group -a name admin | awk '$1 == "users:" { for (i=2; i<=NF; i++) { if ($i != "root") { print $i } } }'
}
# Poll once a minute until somebody other than root is in the admin group.
localadmin=$(list_admins)
while [ -z "$localadmin" ]; do
    sleep 60
    localadmin=$(list_admins)
done

# Hit: write the demotion script first, then install a daemon that runs it once after 15 min.
cat << 'EOF1' > "/Library/Application Support/com.mobileiron.mac.agent/removeAdminRights.sh"
#!/bin/bash
# Strip admin rights from every local account except system/service accounts.
localuser=$(dscl . list /Users | grep -v "^_\|daemon\|root\|nobody\|admin")
for User in $localuser
do
    /usr/sbin/dseditgroup -o edit -d "$User" -t user admin
done
# Restart the watcher, then unload this job (unloading also terminates this running script).
launchctl load /Library/LaunchDaemons/admincheck.plist
sleep 2
launchctl unload /Library/LaunchDaemons/removeAdmin.plist
EOF1

defaults write /Library/LaunchDaemons/removeAdmin.plist Label -string "removeAdmin"
defaults write /Library/LaunchDaemons/removeAdmin.plist ProgramArguments -array -string /bin/sh -string "/Library/Application Support/com.mobileiron.mac.agent/removeAdminRights.sh"
defaults write /Library/LaunchDaemons/removeAdmin.plist StartInterval -integer 900
defaults write /Library/LaunchDaemons/removeAdmin.plist StandardOutPath -string "/var/log/removeAdmin.log"
defaults write /Library/LaunchDaemons/removeAdmin.plist StandardErrorPath -string "/var/log/removeAdmin.log"
defaults write /Library/LaunchDaemons/removeAdmin.plist Debug -boolean true
chown root:wheel /Library/LaunchDaemons/removeAdmin.plist
chmod 644 /Library/LaunchDaemons/removeAdmin.plist
launchctl load /Library/LaunchDaemons/removeAdmin.plist
# Stop watching until the demotion job has run (this also terminates this running script).
launchctl unload /Library/LaunchDaemons/admincheck.plist
EOF
chmod 755 "$AGENT_DIR/admincheck.sh"

# Watcher daemon: start at load and keep it running.
defaults write /Library/LaunchDaemons/admincheck.plist Label -string "admincheck"
defaults write /Library/LaunchDaemons/admincheck.plist ProgramArguments -array -string /bin/sh -string "/Library/Application Support/com.mobileiron.mac.agent/admincheck.sh"
defaults write /Library/LaunchDaemons/admincheck.plist RunAtLoad -boolean yes
defaults write /Library/LaunchDaemons/admincheck.plist KeepAlive -boolean yes
defaults write /Library/LaunchDaemons/admincheck.plist StandardOutPath -string "/var/log/admincheck.log"
defaults write /Library/LaunchDaemons/admincheck.plist StandardErrorPath -string "/var/log/admincheck.log"
defaults write /Library/LaunchDaemons/admincheck.plist Debug -boolean true
chown root:wheel /Library/LaunchDaemons/admincheck.plist
chmod 644 /Library/LaunchDaemons/admincheck.plist
launchctl load /Library/LaunchDaemons/admincheck.plist
exit 0
Please tell me what I can do to get it running whilst the Mac is locked.
tyvm in advance!
So, I figured I'd share what I did in case someone runs into the same issue. Instead of using launchd to create another launchd job, which in turn calls the script to demote the user after the StartInterval is over, I've switched to using atrun. I'm now creating a launchd job that periodically checks if changes to the admin group have been made and, if detected, creates a job via atrun to demote the user after x minutes. This works perfectly even when the screen is locked / the system is shut down / rebooted.
EDIT: grammar
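The approach described in the follow-up (a periodic LaunchDaemon check that hands the delayed demotion to at(1)), written out as an added example; this is not the poster's script. The exempt account list, the 15-minute grace period, the label, the script and plist paths and the marker directory are all assumptions to adapt. The membership parser and the demotion command are kept as pure functions so they can be checked against a captured dscacheutil sample without touching Directory Services.

```shell
#!/bin/bash
# Added example, not the poster's code: a LaunchDaemon-driven periodic check that
# finds non-exempt members of the local "admin" group and hands each one to
# at(1) for demotion after a grace period, so the timer survives screen lock,
# sleep and reboot. Exempt accounts, paths, label and interval are assumptions.
EXEMPT_ADMINS="root admin localadmin"   # assumption: service accounts that keep admin
GRACE_MINUTES=15                        # grace period before demotion
SCRIPT_PATH="/usr/local/bin/admincheck.sh"                       # placeholder: where this file lives
PLIST_PATH="/Library/LaunchDaemons/com.example.admincheck.plist" # placeholder label/path
STATE_DIR="/var/db/admincheck"          # placeholder: one marker file per pending job

# Reads `dscacheutil -q group -a name admin` output on stdin and prints the
# members that are not exempt, one per line. Pure text processing, so it can be
# exercised on a captured sample.
filter_admins() {
    awk -v exempt="$EXEMPT_ADMINS" '
        BEGIN { n = split(exempt, e, " "); for (i = 1; i <= n; i++) skip[e[i]] = 1 }
        $1 == "users:" { for (i = 2; i <= NF; i++) if (!($i in skip)) print $i }'
}

# The command at(1) will run for one user; kept separate so it can be inspected.
demote_command() {
    printf '/usr/sbin/dseditgroup -o edit -d "%s" -t user admin\n' "$1"
}

# Queue a one-shot demotion. macOS ships at(1) disabled; enable the scheduler once with:
#   launchctl load -w /System/Library/LaunchDaemons/com.apple.atrun.plist
schedule_demotion() {
    user="$1"
    mkdir -p "$STATE_DIR"
    [ -e "$STATE_DIR/$user" ] && return 0   # a job is already pending for this user
    demote_command "$user" | at "now + ${GRACE_MINUTES} minutes" && touch "$STATE_DIR/$user"
}

# One pass of the check; this is what launchd runs every StartInterval seconds.
check_once() {
    current=$(dscacheutil -q group -a name admin | filter_admins | tr '\n' ' ')
    for u in $current; do
        schedule_demotion "$u"
    done
    # Forget users who are no longer admins so the next grant schedules a fresh job.
    for marker in "$STATE_DIR"/*; do
        [ -e "$marker" ] || continue
        u=$(basename "$marker")
        case " $current " in *" $u "*) ;; *) rm -f "$marker" ;; esac
    done
}

# Writes and loads the LaunchDaemon that calls this script with "check" every minute.
install_daemon() {
    cat > "$PLIST_PATH" <<PLIST
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.admincheck</string>
    <key>ProgramArguments</key>
    <array><string>/bin/bash</string><string>$SCRIPT_PATH</string><string>check</string></array>
    <key>StartInterval</key><integer>60</integer>
    <key>RunAtLoad</key><true/>
    <key>StandardErrorPath</key><string>/var/log/admincheck.log</string>
</dict>
</plist>
PLIST
    chown root:wheel "$PLIST_PATH"
    chmod 644 "$PLIST_PATH"
    launchctl load -w "$PLIST_PATH"
}

# Usage (as root): `admincheck.sh install` once; launchd then runs `admincheck.sh check`.
case "${1:-}" in
    install) install_daemon ;;
    check)   check_once ;;
esac
```

The marker directory is what keeps a user from being queued once per minute while the grace period runs; it is cleared again when the account drops out of the admin group, so the next grant is picked up. Because the at job lives in the atrun spool rather than in a running process, the countdown is unaffected by screen lock and continues after a reboot.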