TempAdmin allows Addigy admins to temporarily elevate a user's account permissions on a macOS machine from standard to administrator for a set amount of time. This allows the end user to perform tasks that require admin privileges, without making them an administrator full time on the machines. The TempAdmin feature is only available in GoLive for macOS Devices.
Table of Contents
- Requirements
- Viewing the Users in GoLive
- Elevating a User with TempAdmin
- Viewing TempAdmin Statuses
- Viewing and Modifying an Active TempAdmin Session
- Viewing and Modifying a Scheduled TempAdmin Session
- TempAdmin Session Time Considerations
- TempAdmin Logging
- TempAdmin Events
- Multiple TempAdmin Sessions
- End User Experience
- Tips and Tricks
Requirements
- macOS 11.x+
- Device must be online with a standard account
Viewing the Users in GoLive
1. On a device's GoLive page, select the Users tab. A list of user accounts on the macOS device will populate.
Note: To be shown on the GoLive page, user accounts must have a user ID between 501 and 599. The device must be online for user accounts to be shown.
The Users tab in GoLive displays whether a user is an admin on the computer and whether they have a secure token, by showing the relevant tag.
Elevating a User with TempAdmin
- Click the three dots to the right of the user we wish to elevate, in the Actions column
- Choose the TempAdmin button from the drop-down
- When the TempAdmin Modal appears, select the desired settings:
Start Time: Immediately starts the TempAdmin session on the device for that user right away. Scheduled sets a date and time in the future for the TempAdmin session to start, in either browser time or device local time.
Duration: How long the Temporary Admin session will last. This will be a minimum of 10 mins and a maximum of 60 mins.
Reason: Optional field to record why the user is being elevated. This will be recorded in the associated TempAdmin events for this escalation.
- Hit the Promote button to confirm the TempAdmin settings
Viewing TempAdmin Statuses
TempAdmin statuses are displayed as a tag next to the user. The tag is Green if there is an active TempAdmin session and Yellow if there is a session scheduled.
Active or scheduled sessions can be modified by clicking the TempAdmin button in the Actions column or by clicking the TempAdmin tag directly.
This is an example of an active TempAdmin session.
This is an example of a scheduled TempAdmin session.
Viewing and Modifying an Active TempAdmin Session
Viewing an active TempAdmin session can be accomplished by either clicking the three dots in the actions menu next to the user or by clicking on the green TempAdmin tag next to the user. This will bring up the Modal with the information of the current and active TempAdmin session.
The Modal shows the Start and End times in both server time and the device's local time, whether the session was scheduled using device local time or browser time, the duration of the TempAdmin session, and the reason for the escalation. There is also a reminder of where the TempAdmin logs are located, and a place to give feedback on the feature.
The TempAdmin session can be terminated early at any time; there is no minimum time that needs to pass before the session can be canceled manually. This can be accomplished by clicking the red Cancel TempAdmin button in the lower right-hand corner. To close the modal without canceling the active session, click the close button in the lower left corner.
If the session is scheduled, you should see a spinning wheel next to the User as Addigy demotes and confirms the user is no longer a TempAdmin. Once it is confirmed, the Users tab will reload and the TempAdmin tag will disappear.
Viewing and Modifying a Scheduled TempAdmin Session
Viewing a scheduled TempAdmin session can be accomplished by either clicking the three dots in the actions menu next to the user or by clicking on the Yellow Scheduled TempAdmin tag next to the user. This will bring up the Modal with the information of the currently scheduled TempAdmin session.
The Scheduled Start and End times are displayed in the modal, along with the duration of the TempAdmin session and the reason. The log location and feature feedback button are also present in this modal. This schedule can be modified easily by either choosing a new time and date or by starting the session immediately. To save these changes, click save in the lower right.
The scheduled session can be canceled by clicking the red Cancel TempAdmin button in the lower right. To close without making any changes, click the close button in the lower left corner.
TempAdmin Session Time Considerations
The user session can be elevated for a minimum of 10 mins and a maximum of 60 mins. The TempAdmin session can be started immediately, or it can be scheduled ahead of time, using either the browser time or the device local time. This gives the flexibility to make a user an admin immediately, or to schedule ahead for a known IT working session or onboarding.
TempAdmin Logging
TempAdmin pulls out information from the unified system logs and stores it locally on the device for every user session. These logs can vary in size depending on how many things the user is doing, and how long the session is.
These logs are stored at: /private/var/log/temp-admin
Each log is stored as a gzip file, and when unzipped will be a .log file. The files are named automatically by the username of the user that had the TempAdmin session and the time and date of the session, including timezone.
These logs are pulled once the TempAdmin session has ended, so please allow a few minutes for them to be gathered and appear in this directory. For more information on the processes we are gathering, or to give feedback on which other processes and event messages from unified logging should be gathered, please reach out to Addigy Support or use the Feedback button in the TempAdmin modals.
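An added example (not Addigy's code) for reviewing these archives after a session: it reports each gzip file's total line count and how many lines match a keyword pattern, and flags archives that fail the gzip integrity check. The default keyword pattern is an assumption, since the page does not document the log contents.

```shell
#!/bin/sh
# Added example: summarise TempAdmin session logs for review.
# Usage: summarize_tempadmin_logs /private/var/log/temp-admin [PATTERN]

# Prints one tab-separated line per archive: file name, total lines,
# lines matching PATTERN (case-insensitive extended regex).
summarize_tempadmin_logs() {
    dir="$1"
    # Assumed keywords of interest; adjust to what you want to review.
    pattern="${2:-sudo|authorization|installer}"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    found=0
    for f in "$dir"/*.gz; do
        [ -e "$f" ] || continue            # glob matched nothing
        found=1
        # Verify the archive before trusting its contents.
        if ! gzip -t "$f" 2>/dev/null; then
            printf '%s\tCORRUPT\n' "$(basename "$f")"
            continue
        fi
        # gzip -dc streams the log without writing an unpacked copy to disk.
        total=$(gzip -dc "$f" | wc -l | tr -d ' ')
        # grep -c exits non-zero on zero matches; that is not an error here.
        hits=$(gzip -dc "$f" | grep -Eic "$pattern" || true)
        printf '%s\t%s\t%s\n' "$(basename "$f")" "$total" "$hits"
    done
    [ "$found" -eq 1 ] || echo "no session logs in $dir yet" >&2
}
```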
TempAdmin Events
Addigy logs Events for TempAdmin both on the device's GoLive page and in the System Events. The following TempAdmin events are recorded:
- TempAdmin session is scheduled
- TempAdmin session is started
- TempAdmin session is ended
- TempAdmin session is canceled
- An Addigy user queues the TempAdmin command
If a reason is provided for the TempAdmin session, this is included in the corresponding event's information.
Multiple TempAdmin Sessions
Multiple TempAdmin sessions can be scheduled and active on a macOS device for different users. However, only one session can be scheduled per user. For example, if you have a shared device with different macOS user accounts, different TempAdmin sessions can be scheduled throughout the day. However, a macOS user account can only have one TempAdmin session scheduled for it.
End User Experience
End Users receive 3 notifications during a TempAdmin experience: one when the session is scheduled, a five-minute warning, and one when the session has ended. All prompts use the Self Service application and display the logo that is configured for Self Service. To learn more about how to configure Self Service for macOS, please refer to Self Service for Mac.
TempAdmin session start
Users are presented with this prompt informing them that they have been temporarily promoted to an admin for the duration that is set. In this example, the admin session is a minimum of 10 mins, however that duration is taken from the TempAdmin settings and can go up to 60 mins. This prompt is visible for 20 seconds and can either be closed by the user, or it will close automatically.
TempAdmin session ending soon
Five minutes before the TempAdmin session ends, the end user is presented with this prompt - also for 20 seconds. This is a reminder that their privileges are temporary and they are ending soon - the user should begin to wrap up what they are working on. This prompt can be dismissed by clicking OK or it will close automatically.
TempAdmin session end
When the TempAdmin session ends and the user is demoted, they receive the final notification informing them that they no longer have admin privileges. They can dismiss the prompt by clicking OK, or it will close automatically after 20 seconds.
Tips and Tricks
API v2
TempAdmin has two API v2 endpoints that can be used with scripts or other automations that may exist in an environment. These endpoints can be used to start a TempAdmin session immediately, to schedule a session for the future, and to cancel an active and/or scheduled TempAdmin session. They can be found here: https://api.addigy.com/api/v2/documentation/#/temp-admin
Useful Terminal commands
- TempAdmin is included in user-manager version 47+. This command will show what version is currently installed on the device
/Library/Addigy/user-manager --version
- This command will show a list of what TempAdmin sessions are active or scheduled on a machine. This can be used in conjunction with scripts or monitoring items in Addigy. Note: Use the optional -json flag at the end of the command to receive the response in JSON
sudo /Library/Addigy/user-manager -temp-admin -list
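A local check that complements the -list command above, as an added example rather than Addigy's code: it reports which accounts in the UID range GoLive displays (501-599) are currently in the admin group, so an account that is still an admin with no active session listed stands out. It uses the built-in macOS tools dscl and dseditgroup; the allowlist argument and the output labels are assumptions.

```shell
#!/bin/sh
# Added example: audit local admin membership for the accounts GoLive shows.
# Usage (on macOS): audit_admins "itadmin"

# Prints "name uid" for every local account.
list_accounts() { dscl . -list /Users UniqueID; }

# Succeeds when the account is a member of the local admin group.
is_admin() { dseditgroup -o checkmember -m "$1" admin >/dev/null 2>&1; }

# audit_admins "name1 name2"
# The argument is a space-separated allowlist of accounts expected to be
# permanent admins (assumption). Each account with a UID of 501-599 is
# reported as standard, admin-expected or ADMIN-REVIEW.
audit_admins() {
    allow=" $1 "
    list_accounts | while read -r name uid; do
        case "$uid" in ''|*[!0-9]*) continue ;; esac   # skip malformed or negative UIDs
        [ "$uid" -ge 501 ] && [ "$uid" -le 599 ] || continue
        if ! is_admin "$name"; then
            echo "$name $uid standard"
        else
            case "$allow" in
                *" $name "*) echo "$name $uid admin-expected" ;;
                *)           echo "$name $uid ADMIN-REVIEW" ;;
            esac
        fi
    done
}
```

An ADMIN-REVIEW line is expected while that user has an active TempAdmin session, so compare the result with the -temp-admin -list output before acting on it.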