Temp Admin allows Addigy admins to temporarily elevate a user's account permissions on a macOS machine from standard to administrator for a set amount of time. This allows the end user to perform tasks that require admin privileges, without making them an administrator full time on the machines. The Temp Admin feature is only available in GoLive for macOS Devices.
Table of Contents
- Requirements
- Viewing the Users in GoLive
- Elevating a User with Temp Admin
- Viewing Temp Admin Statuses
- Viewing and Modifying an Active Temp Admin Session
- Viewing and Modifying a Scheduled Temp Admin Session
- Temp Admin Session Time Considerations
- Temp Admin Logging
- Temp Admin Events
- Multiple Temp Admin Sessions
- End User Experience
- Tips and Tricks
Requirements
- macOS 11.x+
- Device must be online with a standard account
Viewing the Users in GoLive
1. On a device's GoLive page, select the Users tab. A list of user accounts on the macOS device will populate.
Note: To be shown on the GoLive page, user accounts must have a user ID between 501 and 599. The device must be online for user accounts to be shown.
The Users tab in GoLive displays whether a user is an admin on the computer and whether they have a secure token, by showing the relevant tag.
Elevating a User with Temp Admin
- Click the three dots to the right of the user we wish to elevate, in the Actions column
- Choose the TempAdmin button from the drop-down
- When the Temp Admin Modal appears, select the desired settings:
Start Time: Immediately starts the Temp Admin session on the device for that user. Scheduled allows a date and time in the future for the Temp Admin session to start, with the option of it being in browser time or device local time.
Duration: How long the Temp Admin session will last. This will be a minimum of 10 mins and a maximum of 60 mins.
Reason: Optional field to record why the user is being elevated. This will be recorded in the associated Temp Admin events for this escalation.
- Hit the Promote button to confirm the Temp Admin settings
Viewing Temp Admin Statuses
Temp Admin statuses are displayed as a tag next to the user. It will be Green if there is an active Temp Admin session and Yellow if there is a session scheduled.
Active or scheduled sessions can be modified by clicking the Temp Admin button in the Actions column or by clicking the Temp Admin tag directly.
This is an example of an active Temp Admin session.
This is an example of a scheduled Temp Admin session.
Viewing and Modifying an Active Temp Admin Session
Viewing an active Temp Admin session can be accomplished by either clicking the three dots in the Actions menu next to the user or by clicking on the green TempAdmin tag next to the user. This will bring up the Modal with the information of the current and active Temp Admin session.
The modal shows the Start and End times in both server time and the local device's time, whether the session was scheduled using the device local time or browser time, the duration of the Temp Admin session, and the reason for the escalation. There is also a reminder of where the Temp Admin logs are located, and a place to give feedback on the feature.
The Temp Admin session can be terminated early at any time; there is no minimum time that needs to pass before the session can be cancelled manually. This can be accomplished by clicking the red Cancel TempAdmin button in the lower right-hand corner. To close the modal without cancelling the active session, click the close button in the lower left corner.
If the session is scheduled, you should see a spinning wheel next to the User as Addigy demotes and confirms the user is no longer a Temp Admin. Once it is confirmed, the Users tab will reload and the TempAdmin tag will disappear.
Viewing and Modifying a Scheduled Temp Admin Session
Viewing a scheduled Temp Admin session can be accomplished by either clicking the three dots in the actions menu next to the user or by clicking on the Yellow Scheduled TempAdmin tag next to the user. This will bring up the Modal with the information of the currently scheduled Temp Admin session.
The Scheduled Start and End times are displayed in the modal, along with the duration of the Temp Admin session and the reason. The log location and feature feedback button are also present in this modal. This schedule can be modified easily by either choosing a new time and date or by starting the session immediately. To save these changes, click save in the lower right.
The scheduled session can be cancelled by clicking the red Cancel TempAdmin button in the lower right. To close without making any changes, click the close button in the lower left corner.
Temp Admin Session Time Considerations
The user session can be elevated for a minimum of 10 mins and a maximum of 60 mins. The Temp Admin session can be started immediately, or it can be scheduled ahead of time, using either the browser time or device local time. This gives the flexibility to make a user an admin immediately, or to schedule ahead for a known IT working session or onboarding.
Temp Admin Logging
Temp Admin pulls out information from the unified system logs and stores it locally on the device for every user session. These logs can vary in size depending on how many things the user is doing, and how long the session is.
These logs are stored at: /private/var/log/temp-admin
The file is stored as a gzip file, and when unzipped will be a .log file. They are named automatically by the username of the user that had the Temp Admin session and the time and date of the session, including timezone.
These logs are pulled once the Temp Admin session has ended, so please allow a few minutes for them to be gathered and appear in this directory. For more information on the processes we are gathering, or to give feedback on other processes and event messages from unified logging, please reach out to Addigy Support or use the Feedback button in the Temp Admin modals.
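A way to triage the session logs described above, given as an added example that is not Addigy code. The log line format is not documented on this page, so the script assumes a plain regex match is enough, and the LOG_DIR and WATCH variables and the watch list of account-management tools are assumptions.

```shell
#!/bin/sh
# Added example (not Addigy code): summarise the gzip'd Temp Admin session logs.
# Assumption: a line of interest mentions the tool name somewhere in its text.

LOG_DIR="${LOG_DIR:-/private/var/log/temp-admin}"
# Assumed watch list: macOS tools that change accounts or group membership.
WATCH="${WATCH:-dseditgroup|sysadminctl|dscl}"

# scan_temp_admin_logs DIR REGEX
# Prints one tab-separated line per log file:
#   <file> <total lines> <matching lines>   or   <file> CORRUPT
scan_temp_admin_logs() {
    for f in "$1"/*.gz; do
        [ -e "$f" ] || continue          # directory is empty or missing
        name=${f##*/}
        # A truncated or damaged archive is reported, not silently skipped.
        if ! gzip -t "$f" 2>/dev/null; then
            printf '%s\tCORRUPT\n' "$name"
            continue
        fi
        total=$(gzip -dc "$f" | wc -l | tr -d ' ')
        # grep -c exits 1 when the count is 0, so ignore its exit status.
        hits=$(gzip -dc "$f" | grep -Eic -- "$2" || true)
        printf '%s\t%s\t%s\n' "$name" "$total" "$hits"
    done
}

scan_temp_admin_logs "$LOG_DIR" "$WATCH"
```

A session whose log shows matches is worth opening and reading in full, since an account or group change made during the session can outlast it.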
Temp Admin Events
Addigy logs Events for Temp Admin both on the device's GoLive page and in the System Events. The following Temp Admin events are recorded:
- Temp Admin session is scheduled
- Temp Admin session is started
- Temp Admin session is ended
- Temp Admin session is cancelled
- An Addigy user queues the Temp Admin command
If a reason is provided for the Temp Admin session, this is included in the corresponding event's information.
Multiple Temp Admin Sessions
Multiple Temp Admin sessions can be scheduled and active on a macOS device for different users. However, only one session can be scheduled per user. For example, if you have a shared device with different macOS user accounts, different Temp Admin sessions can be scheduled throughout the day. However, a macOS user account can only have one Temp Admin session scheduled for it.
End User Experience
End Users receive 3 notifications during a Temp Admin experience: one when the session is scheduled, a five-minute warning, and one when the session has ended. All prompts use the Self Service application and display the logo that is configured for Self Service. To learn more about how to configure Self Service for macOS, please refer to Self Service for Mac.
Temp Admin session start
Users are presented with this prompt informing them that they have been temporarily promoted to an admin for the duration that is set. In this example, the admin session is set to the minimum of 10 mins; that duration is taken from the Temp Admin settings and can go up to 60 mins. This prompt is visible for 20 seconds and can either be closed by the user, or it will close automatically.
Temp Admin session ending soon
Five minutes before the Temp Admin session ends, the end user is presented with this prompt, also for 20 seconds. It is a reminder that their privileges are temporary and are ending soon, so the user should begin to wrap up what they are working on. This prompt can be dismissed by clicking OK, or it will close automatically.
Temp Admin session end
When the Temp Admin session has ended and the user has been demoted, they receive the final notification informing them that they no longer have admin privileges. They can dismiss the prompt by clicking OK, or it will close automatically after 20 seconds.
Tips and Tricks
API v2
Temp Admin has two API v2 endpoints that can be used with scripts or other automations that may exist in an environment. These endpoints can be used to start a Temp Admin session immediately, to schedule a session for the future, and to cancel an active and/or scheduled Temp Admin session. They can be found here: https://api.addigy.com/api/v2/documentation/#/temp-admin
Useful Terminal commands
- Temp Admin is included in user-manager version 47+. This command will show what version is currently installed on the device
/Library/Addigy/user-manager --version
- This command will show a list of the Temp Admin sessions that are active or scheduled on a machine. This can be used in conjunction with scripts or monitoring items in Addigy. Note: Add the optional -json flag at the end of the command to receive the response in JSON
sudo /Library/Addigy/user-manager -temp-admin -list
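A local check to pair with the commands above, given as an added example that is not Addigy code: it reports accounts in the 501 to 599 UID range shown on the Users tab that are still in the admin group, which is how a demotion that did not take effect would show up. The ALLOWED_ADMINS variable is hypothetical and the sample data is constructed.

```shell
#!/bin/sh
# Added example, not Addigy code. ALLOWED_ADMINS is a hypothetical variable
# holding the accounts that are meant to be standing admins.

# Constructed sample data in the output format of the two dscl commands below.
SAMPLE_USERS='root       0
_www       70
itadmin    501
alice      502
bob        503
svc        601'
SAMPLE_ADMINS='GroupMembership: root itadmin bob svc'

# find_unexpected_admins USERS ADMINS ALLOW
#   USERS  - text shaped like `dscl . -list /Users UniqueID` (name, UID)
#   ADMINS - text shaped like `dscl . -read /Groups/admin GroupMembership`
#   ALLOW  - space-separated account names expected to be admins
# Prints, one per line, each account with UID 501-599 that is a direct
# member of the admin group and is not in ALLOW.
find_unexpected_admins() {
    printf '%s\n' "$1" | awk -v admins="$2" -v allow="$3" '
        BEGIN {
            sub(/^GroupMembership:[ \t]*/, "", admins)
            n = split(admins, a, /[ \t\n]+/)
            for (i = 1; i <= n; i++) is_admin[a[i]] = 1
            n = split(allow, b, /[ \t\n]+/)
            for (i = 1; i <= n; i++) allowed[b[i]] = 1
        }
        NF == 2 && $2 ~ /^[0-9]+$/ && $2 >= 501 && $2 <= 599 &&
            ($1 in is_admin) && !($1 in allowed) { print $1 }'
}

if command -v dscl >/dev/null 2>&1; then   # running on macOS: use live data
    users=$(dscl . -list /Users UniqueID)
    admins=$(dscl . -read /Groups/admin GroupMembership)
else                                       # offline: use the constructed sample
    users=$SAMPLE_USERS
    admins=$SAMPLE_ADMINS
fi
find_unexpected_admins "$users" "$admins" "${ALLOWED_ADMINS:-}"
```

An account listed here may simply have an active session, so compare the result with the output of the -temp-admin -list command before acting on it. The check covers direct members of the admin group only, not membership through nested groups.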