reponomadx/macos-elevated-admin-ws1

macOS Elevated Admin Rights with Workspace ONE

Grant temporary admin rights to macOS users using Workspace ONE UEM and a dummy app deployment — no scripting required.


📖 Summary

This workflow enables macOS users to be granted temporary administrator access using Workspace ONE UEM. It uses a dummy .pkg file that installs no actual software but contains a postinstall script that adds the current console user to the admin group.

The process is managed entirely through the Workspace ONE console — no external scripts, APIs, or custom workflows are required.


🧰 Requirements

  • Workspace ONE UEM Console access
  • macOS devices enrolled via DEP or MDM
  • Download the Packages App by WhiteBox (This is the latest developer build with bug fixes; mount and install the .dmg after download)
  • Workspace ONE Admin access to create Smart Groups and Internal Apps

📦 Step 1: Create a Dummy Package

We are going to use a dummy package to deliver post-install and post-uninstall scripts.
Use the Packages App to create this.

  1. Open Packages App. Pick Raw Package and click Next
  2. Give it a name. (Example: macOS Admin Elevation)
  3. Go to the Build menu, and click Build
  4. Your package will be in the project directory under /build
  5. Use the Workspace ONE Admin Assistant Tool to create the Plist for uploading to the UEM console.


👥 Step 2: Create a Smart Group

Create a Smart Group that will control which devices receive the elevated rights package.

Steps:

  1. In the Workspace ONE Console, go to:
    Groups & Settings > Groups > Assignment Groups
  2. Click Add Smart Group
  3. Name the group (e.g., macOS Admin Elevation)
  4. Configure assignment logic:
    • Manually assign devices
    • Or use a Tag (e.g., macOS Admin Elevation) for dynamic membership

✅ Any device added to this Smart Group will receive the app, and the user logged in at its console will be granted admin rights.


🚀 Step 3: Upload and Assign the App

Upload the .pkg to Workspace ONE as an Internal App.

Steps:

  1. In the Workspace ONE Console, go to:
    Apps > Native > Internal > Add Application
  2. Upload the file: macOS Admin Elevation.pkg
  3. Upload the Plist created by the Workspace ONE Admin Assistant tool
  4. Set the Post-Install Script and Post-Uninstall Script as shown below
  5. (Optional) Give it an icon
  6. Click Save & Assign
  7. Click Add Assignment
  8. Assign to the Smart Group from Step 2.
    You can use Auto or On-Demand assignment
  9. Click Add, then Save & Publish

📝 Post-Install Script:

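#!/bin/bash

# Resolve the owner of /dev/console, i.e. the user logged in at the GUI
loggedInUser=$(/usr/bin/stat -f%Su /dev/console)

# Skip when nobody is logged in (root owns the console) or Setup Assistant is running
if [ "$loggedInUser" = "root" ] || [ "$loggedInUser" = "_mbsetupuser" ]; then
  exit 0
fi

# Adds the user to the admin group (post-install)
dseditgroup -o edit -a "$loggedInUser" -t user admin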

📝 Post-Uninstall Script:

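#!/bin/bash

# Resolve the owner of /dev/console, i.e. the user logged in at the GUI
loggedInUser=$(/usr/bin/stat -f%Su /dev/console)

# Skip when nobody is logged in (root owns the console) or Setup Assistant is running
if [ "$loggedInUser" = "root" ] || [ "$loggedInUser" = "_mbsetupuser" ]; then
  exit 0
fi

# Removes the user from the admin group (post-uninstall)
dseditgroup -o edit -d "$loggedInUser" -t user admin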

🔄 Removing Admin Rights

To revoke admin rights:

  1. Remove the device from the Smart Group
    (e.g., delete the macOS Admin Elevation tag)
  2. Workspace ONE will uninstall the dummy package
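
Both scripts above look up the console user at the moment they run, so the uninstall step acts on whoever is logged in then, and it would also demote an account that was already an administrator before the package was installed. The following is an added example, not code from this repository, that goes beyond the page's scripts by recording which account was actually elevated; the state file path and the function names are assumptions made for the example.

```shell
#!/bin/bash
# Added example (not from the repository): remember who was elevated so the
# uninstall step demotes that account, not whoever is at the console later.
# STATE_FILE is a hypothetical path chosen for this example.
STATE_FILE="${STATE_FILE:-/private/var/db/ws1_admin_elevation.user}"

console_user() { /usr/bin/stat -f%Su /dev/console; }

# Succeeds only for real login accounts; rejects an empty name, root and the
# Setup Assistant user, the same accounts the page's guard skips.
is_elevatable() {
  case "$1" in
    ""|root|_mbsetupuser) return 1 ;;
    *) return 0 ;;
  esac
}

is_admin() { dseditgroup -o checkmember -m "$1" admin >/dev/null 2>&1; }

# Post-install: add the user and record the name, but only when this
# script is what granted the membership.
elevate() {
  is_elevatable "$1" || return 0
  is_admin "$1" && return 0            # already admin: leave untouched
  dseditgroup -o edit -a "$1" -t user admin || return 1
  ( umask 077; printf '%s\n' "$1" > "$STATE_FILE" )
}

# Post-uninstall: demote the recorded user only, then clear the record.
revoke() {
  [ -f "$STATE_FILE" ] || return 0     # nothing was granted by elevate()
  user=$(cat "$STATE_FILE")
  is_elevatable "$user" || { rm -f "$STATE_FILE"; return 0; }
  dseditgroup -o edit -d "$user" -t user admin || return 1
  rm -f "$STATE_FILE"
}

# Run nothing unless a mode is given, so the functions can be reused as-is.
case "${1:-}" in
  install)   elevate "$(console_user)" ;;
  uninstall) revoke ;;
esac
```

When pasting into the console fields, the Post-Install copy can end with `elevate "$(console_user)"` and the Post-Uninstall copy with `revoke` in place of the final `case` block.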

📄 License

MIT License – see LICENSE for full details.

