Posted on 09-04-2015 07:03 AM
Hello Everyone,
We have scoured the internet for this but came up short so I'm hoping somebody here can help us. We need to enable the OSX Disk Utility for certain members of staff but we do not want to give them admin access to the machine as they've been known to use it in a negative way. This would best be done as a script that would get pushed out by a policy.
Is there anyone who has done something similar or can offer any advice?
Thank you,
Viktor
Posted on 09-04-2015 07:15 AM
Do they need totally unfettered access to run any and all commands from diskutil? Or do they just need to run a small subset of diskutil commands? If the latter, I'd suggest making scripts for each of the tasks you want them to do, then put those scripts in Self Service and let those specific users run those scripts from there.
If they need unlimited access to diskutil, they could do all kinds of negative things with that.
Posted on 09-04-2015 07:27 AM
Exactly what @AVmcclint says. Then put the Disk Utility icon on the option so to them, it's just the same without compromising the Mac.
We have some basic items like that and even the JSS allows for "Repair Permissions" right from the options with no need to upload a script.
Posted on 09-04-2015 07:35 AM
They need to be able to verify, repair and format external drives. That's about it really. Not sure we would want them to access it through the Self Service as it's not very reliable in our environment at this moment.
Posted on 09-04-2015 07:41 AM
Well, I'd try to fix your JSS infrastructure before you worry about Disk Utility on the client Macs, my 2¢...
Posted on 09-04-2015 08:27 AM
You should not even need admin to work on external disks, should you? I do not require admin rights to reformat, partition, erase or run First Aid on a target mode mounted MacBook Air.
Posted on 09-04-2015 08:28 AM
@varchola one option would be to explore the /etc/sudoers file on these users' client machines. In that file you can give local users limited sudo access (i.e. they can only run specific sudo commands). You can add the diskutil commands you want them to use to the local /etc/sudoers and they can only access those commands with sudo.
To be honest, I've only done this on Linux machines and it works well. I have never tried in an OSX enterprise environment but it should be the same.
Here is a link to a basic tutorial http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/
Posted on 09-04-2015 08:33 AM
What @nessts said. Are you somehow blocking Disk Utility now?
It would be helpful to know what they need to do and what you don't want them doing...
You could restrict the Disk Utility app for everyone and make exceptions for a group of people on the JSS.
Posted on 09-04-2015 08:56 AM
When you try to, for example, format a drive, even an external drive like a flash drive, it will ask you for administrator credentials. We need them to be able to do this without having administrator access.
I'll look into what @bkramps said, they'll probably complain that they have to use CLI but it would resolve the issue for us and them.
Posted on 09-04-2015 08:58 AM
You must be disabling it somehow; it works fine for me on 10.10 with a non-admin account and I never typed a password on the device.
Posted on 09-04-2015 09:00 AM
@varchola following on from my previous comment, an even easier solution is to put your script in a policy. Make that policy execute with a custom trigger like "diskutil". Then you can give the user only sudo privileges to the command "/usr/sbin/jamf policy -event diskutil". I tested in my environment with a limited account and it worked for my script.
You would just add a line like this to /etc/sudoers via the visudo command
username ALL=(ALL) NOPASSWD: /usr/sbin/jamf policy -event diskutil
Or if they want full Disk Utility GUI access add this line (the spaces in the path have to be escaped for sudoers to parse it):
username ALL=(ALL) NOPASSWD: /Applications/Utilities/Disk\ Utility.app/Contents/MacOS/Disk\ Utility
If your users don't feel comfortable with CLI, you can write a script that calls jamf or the Disk Util command and then just save the script with the .command extension. That will allow them to execute with a double click.
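Here is an added example of the per-task wrapper approach that AVmcclint and bkramps describe: a small script that a non-admin user runs through sudo and that exposes only verify, repair and erase on external whole disks, matching the three things varchola's staff need. This is example code written for this thread, not Jamf's code or anything posted above. It assumes the wrapper is installed root-owned at /usr/local/bin/diskhelper.sh (an assumed path), that the sudoers NOPASSWD entry names that wrapper rather than diskutil itself, that the boot disk is disk0, and that `diskutil info` reports external disks with either a "Device Location: External" or an "Internal: No" line. Granting sudo on the wrapper instead of on diskutil is what keeps the boot disk and the other diskutil verbs out of reach: the user cannot pass their own arguments to diskutil, only to the checks below.

```sh
#!/bin/sh
# Added example (not from the thread or from Jamf): a wrapper that a non-admin
# user may run through sudo, exposing only verify / repair / erase on external
# whole disks. Assumed install path: /usr/local/bin/diskhelper.sh (root-owned,
# mode 755), with a matching sudoers line added via visudo:
#   username ALL=(ALL) NOPASSWD: /usr/local/bin/diskhelper.sh
# The sudo grant is on the wrapper, not on diskutil, so the checks below cannot
# be bypassed by handing diskutil other arguments.

BOOT_DISK="${BOOT_DISK:-disk0}"   # assumed identifier of the internal boot disk

usage() {
    echo "usage: $0 verifyDisk|repairDisk DISK" >&2
    echo "       $0 eraseDisk DISK [JHFS+|ExFAT|FAT32] [NAME]" >&2
}

# Return 0 only for the three diskutil verbs the users are allowed to run.
is_allowed_action() {
    case "$1" in
        verifyDisk|repairDisk|eraseDisk) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 for a bare whole-disk identifier (disk1, disk12) that is not the
# boot disk. Slices (disk2s1), /dev paths and any other characters are refused.
is_valid_disk_id() {
    case "$1" in
        disk[0-9]|disk[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    [ "$1" != "$BOOT_DISK" ]
}

# Accept only filesystem names that diskutil eraseDisk understands.
is_allowed_format() {
    case "$1" in
        JHFS+|ExFAT|FAT32) return 0 ;;
        *) return 1 ;;
    esac
}

# Ask diskutil whether the disk is external. Assumes 'diskutil info' prints
# either "Device Location: External" (newer macOS) or "Internal: No" (older).
is_external_disk() {
    diskutil info "/dev/$1" 2>/dev/null |
        grep -Eq '^[[:space:]]*(Device Location:[[:space:]]*External|Internal:[[:space:]]*No)'
}

# Validate everything, then hand off to diskutil with fixed, quoted arguments.
main() {
    if [ "$#" -lt 2 ]; then usage; return 2; fi
    action="$1"; disk="$2"; shift 2
    is_allowed_action "$action" || { echo "refused: '$action' is not permitted" >&2; return 1; }
    is_valid_disk_id "$disk"    || { echo "refused: '$disk' is not an acceptable disk id" >&2; return 1; }
    is_external_disk "$disk"    || { echo "refused: $disk is not an external disk" >&2; return 1; }
    case "$action" in
        eraseDisk)
            fmt="${1:-JHFS+}"; name="${2:-Untitled}"
            is_allowed_format "$fmt" || { echo "refused: '$fmt' is not an allowed format" >&2; return 1; }
            exec diskutil eraseDisk "$fmt" "$name" "/dev/$disk" ;;
        *)
            exec diskutil "$action" "/dev/$disk" ;;
    esac
}

# Run only when invoked with arguments, so the functions can also be sourced.
[ "$#" -gt 0 ] && main "$@"
```

A user would then run, for example, `sudo /usr/local/bin/diskhelper.sh eraseDisk disk2 ExFAT Backup`, and the same wrapper can be called from a Self Service policy or a double-clickable .command file as bkramps suggests. Because the wrapper runs as root under sudo, it must not be writable by the users who can invoke it, and it deliberately refuses slice identifiers and the boot disk so that a typo cannot turn "format my flash drive" into "erase the Mac".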