
How to grant temporary Admin rights with JIT Elevation

macOS bash script granting standard users temporary admin privileges for 3 minutes via JIT elevation, with reason logging and automatic privilege revocation.


TL;DR

A Bash Script, assigned in Applivery as an On-demand Self-Service action, that adds the logged-in standard user to the local admin group for 3 minutes, records the reason they enter, and removes the membership again automatically together with its own helper files.

The principle of least privilege is the right default — but there are moments when a standard user legitimately needs to perform an admin task: installing approved software, changing a network setting, running a diagnostic tool. The wrong solution is granting permanent administrator privileges. The right solution is giving users exactly what they need, for exactly as long as they need it, then revoking it automatically.

This Script implements Just-in-Time (JIT) elevation: the user triggers it from the Applivery Self-Service, a branded dialog prompts for a reason, and if the user confirms, they receive administrator privileges for 3 minutes. The grant and the revocation are carried out by a small helper started through a LaunchDaemon; when the time expires, the helper removes the admin group membership and then deletes both itself and the LaunchDaemon, so no residual LaunchDaemon or temporary files are left on the Device (only swiftDialog and the logo, which are reused on the next run, stay installed).

Warning

The Applivery Agent for macOS must be installed and active on the Device. Learn more about the macOS Agent.

Requirements

Requirement | Detail
Platform | macOS
Execution privileges | Root (default in Applivery)
swiftDialog | Installed automatically if not already present
Corporate branding | /var/root/CompanyAssets/logo.png (optional, for the branded dialog)

Setup

1
Deploy your company logo (optional)

For a branded experience, deploy your company logo to each managed Device before running this Script. The file must be at /var/root/CompanyAssets/logo.png. You can distribute it using Applivery File Management. If the file is not present, the dialog will use the default swiftDialog icon instead.

2
Create the Script

Once in the Applivery Dashboard, follow the steps described here to create a Script. Paste the following Script into the editor, select Bash as the language, give it a descriptive name (e.g., Temporary Admin Rights), and click Create.

#!/bin/bash

# ---
# Title: Temporary Admin Rights (JIT Elevation)
# Description: Grants local admin privileges to a standard user for 3 minutes and logs the reason they enter.
# Author: Applivery
# Version: 1.1.0
# ---

# ==========================================
# 1. PRE-FLIGHT & PREREQUISITES
# ==========================================

if [ "$(id -u)" -ne 0 ]; then
  echo "ERROR: This script must be run as root." >&2
  exit 1
fi

# Rosetta is not required by the elevation itself; drop this call if your fleet does not need it.
install_rosetta() {
  if [[ "$(uname -m)" == "arm64" ]]; then
    if /usr/sbin/pkgutil --pkgs | grep -q "com.apple.pkg.RosettaUpdateAuto"; then
      echo "Rosetta is already installed."
    else
      echo "Installing Rosetta..."
      /usr/sbin/softwareupdate --install-rosetta --agree-to-license
    fi
  fi
}

# /usr/bin/python3 (used below to read the dialog output) is only a stub until the
# Command Line Tools are installed, so make sure they are present.
ensure_clt() {
  if /usr/bin/xcode-select -p >/dev/null 2>&1; then
    echo "Command Line Tools are already installed."
    return 0
  fi
  echo "Command Line Tools not found. Attempting silent installation..."
  # softwareupdate only lists the Command Line Tools while this marker file exists.
  clt_marker="/tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress"
  /usr/bin/touch "$clt_marker"
  # Listing lines look like "* Label: Command Line Tools for Xcode-15.3"; keep only the label text.
  clt_label=$(/usr/sbin/softwareupdate -l 2>/dev/null | awk -F'*' '/Command Line Tools/ {print $2}' | sed -e 's/^ *//' -e 's/^Label: //' | head -n1)
  if [[ -n "$clt_label" ]]; then
    /usr/sbin/softwareupdate -i "$clt_label" --agree-to-license || true
  fi
  rm -f "$clt_marker"
  if [[ -d "/Library/Developer/CommandLineTools" ]]; then
    /usr/bin/xcode-select --switch "/Library/Developer/CommandLineTools" 2>/dev/null || true
  fi
}

install_rosetta
ensure_clt

# ==========================================
# 2. SWIFTDIALOG DEPLOYMENT
# ==========================================
DIALOG_APP="/Library/Application Support/Dialog/Dialog.app"
DIALOG_CLI="/usr/local/bin/dialog"
# Developer ID Team ID the swiftDialog package is expected to be signed with.
# Confirm this value against the swiftDialog project before relying on it.
DIALOG_TEAM_ID="PWA5E9TQ59"

get_swiftdialog_pkg_url() {
  # The GitHub API pretty-prints its JSON ("browser_download_url": "..."), so allow whitespace after the colon.
  curl -fsSL -H "Accept: application/vnd.github+json" "https://api.github.com/repos/swiftDialog/swiftDialog/releases/latest" | \
  sed -nE 's/.*"browser_download_url": *"([^"]*\.pkg)".*/\1/p' | head -n 1
}

if [ ! -x "$DIALOG_CLI" ] || [ ! -d "$DIALOG_APP" ]; then
  echo "swiftDialog not found. Installing..."
  pkg_url="$(get_swiftdialog_pkg_url)"
  if [ -z "$pkg_url" ]; then
    echo "ERROR: Could not determine the swiftDialog download URL." >&2
    exit 1
  fi
  pkg_dir="$(/usr/bin/mktemp -d /tmp/swiftDialog.XXXXXX)"
  pkg_path="$pkg_dir/swiftDialog.pkg"
  curl -fsSL "$pkg_url" -o "$pkg_path"
  # The package is installed as root, so refuse it unless it carries the expected Developer ID signature.
  if /usr/sbin/pkgutil --check-signature "$pkg_path" | grep -q "$DIALOG_TEAM_ID"; then
    /usr/sbin/installer -pkg "$pkg_path" -target /
  else
    echo "ERROR: swiftDialog package is not signed by Team ID $DIALOG_TEAM_ID; not installing." >&2
    rm -rf "$pkg_dir"
    exit 1
  fi
  rm -rf "$pkg_dir"
  if [ ! -x "$DIALOG_CLI" ]; then
    echo "ERROR: swiftDialog installation failed." >&2
    exit 1
  fi
fi

# ==========================================
# 3. USER DETECTION & BRANDING
# ==========================================
# The owner of /dev/console is the user of the GUI session; "loginwindow" means nobody is logged in.
currentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')
if [ -z "$currentUser" ] || [ "$currentUser" = "loginwindow" ]; then
  echo "No user logged in; nothing to do."
  exit 0
fi

brandIconSource="/var/root/CompanyAssets/logo.png"
brandIconDir="/Library/Application Support/Dialog"
brandIconPath="$brandIconDir/logo.png"

# Only pass --icon when the logo exists; otherwise swiftDialog shows its default icon.
iconArgs=()
if [ -f "$brandIconSource" ]; then
  mkdir -p "$brandIconDir"
  sips -z 512 512 "$brandIconSource" --out "$brandIconPath" >/dev/null 2>&1 || cp "$brandIconSource" "$brandIconPath"
  chmod 644 "$brandIconPath"
  iconArgs=(--icon "$brandIconPath")
fi

if id -Gn "$currentUser" | grep -qw admin; then
  "$DIALOG_CLI" --title "Temporary Admin Rights" --message "You are already an administrator." --button1text "OK" "${iconArgs[@]}" --height 220 --width 480
  exit 0
fi

# ==========================================
# 4. ELEVATION DIALOG
# ==========================================
message="You are about to be granted administrator privileges for 3 minutes. Use them responsibly."

dialogRaw=$("$DIALOG_CLI" \
  --json \
  --title "Temporary Admin Rights" \
  --message "$message" \
  --textfield "Reason,name=reason,prompt=\"Reason (optional)\"" \
  --button1text "MAKE ME ADMIN" \
  --button2text "CANCEL" \
  "${iconArgs[@]}" \
  --height 280 --width 720)
dialogExit=$?

# swiftDialog exits 0 for button1 (MAKE ME ADMIN); any other code (2 for CANCEL) aborts without changes.
if [ "$dialogExit" -ne 0 ]; then
  echo "Elevation cancelled by user: $currentUser (dialog exit code $dialogExit)."
  exit 0
fi

# Read the textfield from the JSON arriving on stdin. The key is the field's name (reason);
# fall back to its title (Reason) for swiftDialog versions that report it that way.
reason=$(/usr/bin/python3 -c '
import json, re, sys
raw = sys.stdin.read()
match = re.search(r"\{.*\}", raw, re.S)
data = json.loads(match.group(0)) if match else {}
print(data.get("reason") or data.get("Reason") or "")
' 2>/dev/null <<< "$dialogRaw")
# Keep the log line single-line and bounded, whatever the user typed.
reason=$(printf '%s' "$reason" | tr -d '\r\n' | cut -c1-200)

echo "Admin request approved by user: $currentUser | Reason: $reason"
/usr/bin/logger -t AdminTime "elevation requested by $currentUser reason=${reason:-<none>}"

# ==========================================
# 5. EXECUTION & AUTO-REVOKE
# ==========================================
# The helper is executed by launchd as root, so it must live where only root can write.
scriptDir="/var/root/AdminTime"
scriptFile="$scriptDir/admin_privileges.sh"
launchDaemonLabel="com.applivery.adminprivileges"
launchDaemonFile="/Library/LaunchDaemons/$launchDaemonLabel.plist"

# Refuse to start a second elevation while one is still counting down.
if [ -f "$launchDaemonFile" ]; then
  "$DIALOG_CLI" --title "Temporary Admin Rights" --message "An elevation is already in progress. Please wait for it to expire." --button1text "OK" "${iconArgs[@]}" --height 220 --width 480
  echo "Elevation already in progress on this Device; nothing to do."
  exit 0
fi

mkdir -p "$scriptDir"
chown root:wheel "$scriptDir"
chmod 700 "$scriptDir"

# The requesting user is baked into the helper, so the revoke always targets the account that
# asked, including when launchd re-runs the job at boot after a restart during the 3-minute window.
cat << EOF > "$scriptFile"
#!/bin/bash
/usr/bin/logger -t AdminTime "granting admin to $currentUser for 180 seconds"
/usr/sbin/dseditgroup -o edit -a "$currentUser" -t user admin
sleep 180
/usr/sbin/dseditgroup -o edit -d "$currentUser" -t user admin
/usr/bin/logger -t AdminTime "revoked admin from $currentUser"
rm -rf "$scriptDir"
rm -f "$launchDaemonFile"
EOF

chmod 700 "$scriptFile"

cat << EOF > "$launchDaemonFile"
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>$launchDaemonLabel</string>
  <key>ProgramArguments</key><array><string>$scriptFile</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF

chown root:wheel "$launchDaemonFile"
chmod 644 "$launchDaemonFile"

# Clear a stale registration left by a previous run in this boot session (the job stays
# registered in launchd after its plist has been deleted), then start the helper.
launchctl bootout "system/$launchDaemonLabel" >/dev/null 2>&1 || true
if launchctl bootstrap system "$launchDaemonFile"; then
  echo "Success: User $currentUser elevated for 3 minutes."
else
  echo "ERROR: Could not start the elevation LaunchDaemon; no privileges were granted." >&2
  rm -rf "$scriptDir"
  rm -f "$launchDaemonFile"
  exit 1
fi

3
Assign the Script as an On-demand action

Now, navigate to any of your Devices, select the Scripts tab, click on the + Assign Script button, and select the one you just created.

Note

You can also assign Scripts to Policies. To do this, navigate to the Policies section, select the desired Policy, and click on the Scripts tab. The process will be the same as when assigning it directly to an individual Device.

Select On demand as the execution method — this makes the Script appear as an action in the Applivery Self-Service that users can trigger when they need temporary admin access.

Method | Behaviour | Recommended?
Once | Runs one time per Device. | ❌ Not suitable: the Script is designed to be triggered on demand by the user.
Loop | Runs automatically at a recurring interval. | ❌ Not recommended: this would grant admin privileges automatically and repeatedly without user interaction.
On demand | Only runs when the user triggers it from the Self-Service. | ✅ Recommended: the user activates the elevation when they need it.

This Script does not require any arguments. The active user is detected automatically at runtime. Click Add to save the assignment.


What users will see

Once assigned as an On-demand action, the Script appears as an item in the Applivery Self-Service. When the user taps it, a branded dialog window opens showing a message about the 3-minute limit. The user enters an optional reason and clicks MAKE ME ADMIN to confirm, or CANCEL to abort.

After confirmation, the user is added to the local admin group. After 3 minutes, the helper removes the membership again and deletes the auxiliary LaunchDaemon and the helper Script from the Device, leaving no trace of the elevation itself.

Be clear about what that revocation covers. It takes away the admin group membership; it does not undo anything done during the window, stop processes the user started while elevated, or reverse persistent changes such as a new LaunchDaemon or an extra admin account. There is also no approval step: the reason is written to the Script output when the user confirms, not reviewed before access is granted, so keep that output as the audit trail for every elevation. If a reason should be mandatory rather than optional, add the required option to the --textfield definition (for example --textfield "Reason,name=reason,required"); swiftDialog then refuses to close the dialog with MAKE ME ADMIN until the field is filled in.
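As an added example (not part of the Applivery Script or its repository), the following shell functions turn the lines the Script writes to its output into an audit view: one parsed line per elevation with the user and the reason, plus findings for elevations that carry no reason and for users who elevate more often than a threshold. The sample lines are constructed for the example; the date prefixes assume that your log viewer stamps each line, which the parser ignores.

```bash
#!/bin/bash
# Added example: audit the "Admin request approved by user: ... | Reason: ..."
# lines the Script prints. Sample input is constructed, not a real log.

# Constructed sample (timestamp prefixes are assumed to come from the log viewer).
SAMPLE_LOG='2024-05-01 09:12:03 Admin request approved by user: jdoe | Reason: Install approved VPN client
2024-05-01 09:12:04 Success: User jdoe elevated for 3 minutes.
2024-05-01 14:40:11 Admin request approved by user: asmith | Reason: 
2024-05-01 14:40:12 Success: User asmith elevated for 3 minutes.
2024-05-02 08:01:55 Admin request approved by user: jdoe | Reason: Change DNS for lab network
2024-05-02 08:01:56 Success: User jdoe elevated for 3 minutes.
2024-05-02 08:30:00 Admin request approved by user: jdoe | Reason: Re-run installer
2024-05-02 08:30:01 Success: User jdoe elevated for 3 minutes.'

# parse_elevations: stdin log lines -> "user<TAB>reason", one line per elevation.
# An empty reason is reported as "(none)"; lines without the marker are ignored.
parse_elevations() {
  awk -F'Admin request approved by user: ' '
    NF > 1 {
      n = split($2, parts, / \| Reason: */)
      reason = (n < 2 || parts[2] == "") ? "(none)" : parts[2]
      printf "%s\t%s\n", parts[1], reason
    }'
}

# flag_elevations MAX: stdin "user<TAB>reason" -> one line per finding:
#   MISSING_REASON<TAB>user<TAB>count   elevations confirmed without a reason
#   HIGH_FREQUENCY<TAB>user<TAB>count   more than MAX elevations by one user
flag_elevations() {
  awk -F'\t' -v max="${1:-2}" '
    { count[$1]++; if ($2 == "(none)") noreason[$1]++ }
    END {
      for (u in noreason) printf "MISSING_REASON\t%s\t%d\n", u, noreason[u]
      for (u in count) if (count[u] > max) printf "HIGH_FREQUENCY\t%s\t%d\n", u, count[u]
    }'
}

# audit_log MAX: the full pipeline over stdin.
audit_log() {
  parse_elevations | flag_elevations "${1:-2}"
}

# Sample run: the parsed elevations, then the findings for the constructed log.
printf '%s\n' "$SAMPLE_LOG" | parse_elevations
printf '%s\n' "$SAMPLE_LOG" | audit_log 2
```

Feed it the saved output of the Script (for example the log exported from the Applivery Dashboard) on stdin; the threshold is per input, so run it over one day's export at a time if you want a daily limit. The format it parses is the exact echo line in section 4 of the Script, so keep that line unchanged if you rely on this.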

Customizing the elevation window

By default, the elevation lasts 3 minutes (180 seconds). To change this, edit the sleep 180 value in the embedded helper script block:

sleep 180  # Change this value (in seconds) to adjust the duration

For example, sleep 600 would grant 10 minutes of admin access.
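Here is an added example, not part of the Applivery Script, showing how the helper can be generated with the duration as a parameter instead of a hard-coded sleep, while validating both the duration and the user name before they are written into a file that launchd will run as root. The policy limits (60 seconds minimum, 30 minutes maximum) and the function names are assumptions for illustration; the sample call at the end only prints the generated helper and installs nothing.

```bash
#!/bin/bash
# Added example: build the auto-revoke helper with the requesting user and a
# caller-supplied duration baked in, after validating both values.
# The policy limits below are assumptions, not Applivery defaults.

ADMINTIME_MIN_SECONDS=60
ADMINTIME_MAX_SECONDS=1800   # assumed cap: 30 minutes

# validate_user NAME -> 0 if NAME is an acceptable macOS short name, else 1.
# Anything outside [A-Za-z0-9._-] is rejected because the value is
# interpolated into a script that launchd executes as root.
validate_user() {
  case "$1" in
    ""|loginwindow|root) return 1 ;;
    *[!A-Za-z0-9._-]*) return 1 ;;
  esac
  return 0
}

# validate_duration SECONDS -> 0 if SECONDS is an integer within policy, else 1.
validate_duration() {
  case "$1" in
    ""|*[!0-9]*) return 1 ;;
  esac
  if [ "$1" -ge "$ADMINTIME_MIN_SECONDS" ] && [ "$1" -le "$ADMINTIME_MAX_SECONDS" ]; then
    return 0
  fi
  return 1
}

# build_helper USER SECONDS HELPER_DIR PLIST_PATH LABEL
# Prints the helper script to stdout; returns 1 without output on bad input.
build_helper() {
  user="$1"; seconds="$2"; helper_dir="$3"; plist="$4"; label="$5"
  validate_user "$user" || { echo "build_helper: rejected user '$user'" >&2; return 1; }
  validate_duration "$seconds" || { echo "build_helper: rejected duration '$seconds'" >&2; return 1; }
  cat <<EOF
#!/bin/bash
# Generated helper: elevate $user for $seconds seconds, then revoke and clean up.
/usr/bin/logger -t AdminTime "granting admin to $user for $seconds seconds"
/usr/sbin/dseditgroup -o edit -a "$user" -t user admin
sleep $seconds
/usr/sbin/dseditgroup -o edit -d "$user" -t user admin
/usr/bin/logger -t AdminTime "revoked admin from $user"
rm -rf "$helper_dir"
rm -f "$plist"
/bin/launchctl bootout "system/$label" >/dev/null 2>&1
EOF
}

# Sample call (prints only; nothing is installed): 10 minutes for user "jdoe".
build_helper "jdoe" 600 "/var/root/AdminTime" \
  "/Library/LaunchDaemons/com.applivery.adminprivileges.plist" \
  "com.applivery.adminprivileges"
```

In the Script, call build_helper in place of the first cat << EOF block in section 5 and redirect its output to "$scriptFile"; the duration can come from the Script's first argument ($1) if you assign one in Applivery, which assumes arguments are passed positionally. The trailing launchctl bootout removes the job's own registration once cleanup is done, so the next elevation can load a LaunchDaemon with the same label without a reboot.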


Available on GitHub

This Script is part of the Applivery Public Script Repository. You can use it as-is or adapt the branding, duration, and dialog content to match your organization's needs.

Key Takeaways

  • The Script grants admin by adding the console user to the local admin group and, from a LaunchDaemon helper, removes them again after 3 minutes.
  • Assign it to Devices or Policies as On demand so the user triggers it from the Self-Service; Once and Loop are not appropriate for this Script.
  • swiftDialog collects a reason that is written to the Script output; keep that output as the audit trail, since revocation only removes the membership and does not undo what was done during the window.
  • The duration is the sleep 180 value in the embedded helper; the Script is available in the Applivery Public Script Repository.