Granting Temporary Local Admin Rights on macOS With Workspace ONE
The Apple Device Enrollment Program (DEP) enables the automatic deployment and configuration of Apple iOS and macOS devices. It is also required to ensure that devices are supervised and can avail of the full set of management features.
On macOS devices it’s possible to configure a DEP enrollment profile that grants the enrollment user either standard or administrator rights on the device. A separate local administrator account can also be configured. Standard rights would be the best approach to ensure that the devices are secured and managed correctly; however, there are many reasons why a user may need local administrator rights on their device. Device peripherals and applications can require local administrator rights on first launch or during configuration.
There is a requirement to be able to grant temporary local administrator rights in a managed and controlled manner. One option is to create a blank or dummy installation package with install and uninstall scripts to grant local Administrator rights.
- Create a blank application package, sign it with Workspace ONE Admin Assistant and publish it as a native or internal application. Packages is an example of a tool that can be used to create the blank package.
- Edit the application and add the following Bash post install and post uninstall scripts.
Post Install Script
Post Uninstall Script
Once the application is installed, the post install script checks to see if the local user is a member of the local admin user group and if not exits. Similarly, when the application is removed, the post uninstall script checks if the user is a member of the local admin group and removes the user.
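A sketch of the two scripts as a single file, added here as an example and not the author's original scripts. It assumes the macOS tools `dseditgroup` and `stat` and that the management agent runs the script as root; the function names and the `ADMIN_GROUP` and `ACTION` variables are hypothetical, and the install path adding the console user when they are not yet a member is an assumption about the intended behaviour.

```shell
#!/bin/bash
# Added example, not the author's scripts. Assumes the macOS tools
# dseditgroup and stat, and that the management agent runs this as root.

ADMIN_GROUP="admin"
# Set to "install" in the post install script, "uninstall" in the post uninstall script.
ACTION="${ACTION:-none}"

# The script runs as root, so resolve the user logged in at the console.
console_user() {
  stat -f%Su /dev/console
}

# Reject empty results and system accounts seen at the login window or Setup Assistant.
is_eligible_user() {
  case "$1" in
    ""|root|loginwindow|_mbsetupuser) return 1 ;;
    *) return 0 ;;
  esac
}

# Exit status 0 when the user is a member of the local admin group.
is_admin() {
  dseditgroup -o checkmember -m "$1" "$ADMIN_GROUP" >/dev/null 2>&1
}

# Post install: add the user to the admin group unless already a member.
grant_admin() {
  is_eligible_user "$1" || { echo "skipped: no eligible console user" >&2; return 1; }
  if is_admin "$1"; then echo "unchanged: $1 is already an admin"; return 0; fi
  dseditgroup -o edit -a "$1" -t user "$ADMIN_GROUP" && echo "granted: $1"
}

# Post uninstall: remove the user from the admin group if a member.
revoke_admin() {
  is_eligible_user "$1" || { echo "skipped: no eligible console user" >&2; return 1; }
  if ! is_admin "$1"; then echo "unchanged: $1 is not an admin"; return 0; fi
  dseditgroup -o edit -d "$1" -t user "$ADMIN_GROUP" && echo "revoked: $1"
}

case "$ACTION" in
  install)   grant_admin "$(console_user)" ;;
  uninstall) revoke_admin "$(console_user)" ;;
esac
```

In this sketch a user who was already an administrator before the install is also demoted on uninstall, so scope the application assignment to users who are meant to hold standard rights.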
Author: Cathal Henry – Senior Solution Architect