
Level Verified

macOS Unauthorized Admins Script

Created by

Level

Type

Script

Category

Security

Platforms

Windows, Apple iOS, Linux

Problem Overview

This script addresses the difficulty of maintaining accurate control over administrative privileges on macOS systems by cross-referencing a list of detected admins against an authorized list. It ensures that you can quickly spot and remediate any unapproved accounts before they pose a security risk.

Description

It retrieves a comma-separated list of admin accounts that Level has detected on a macOS endpoint and compares each username to the organization’s sanctioned list of authorized admins. If any user is found to be unauthorized, the script returns a flagged result, allowing you to take immediate corrective action. By exiting with a non-zero code when unauthorized admins are detected, it seamlessly integrates with Level’s alerting and monitoring features, enabling on-demand checks or scheduled audits without manual intervention.

Script

#!/bin/bash

# This resource is provided as a convenience for Level users. We cannot
# guarantee it will work in all environments. Please test before deploying
# to your production environment. We welcome contributions to our community
# library

# Level Library
# https://level.io/library/script-macos-unauthorized-admins

# Define authorized admins (replace with actual values)
AUTHORIZED_ADMINS="{{cf_authorized_admins}}"

# Define detected admins (replace with actual values)
DETECTED_ADMINS="{{DetectedAdmins}}"

# Convert lists to arrays (lowercase for case-insensitive comparison).
# Spaces on either side of each comma and at the ends of the list are stripped,
# so "jdoe , root" compares equal to "jdoe,root".
IFS=',' read -r -a detectedArray <<< "$(echo "$DETECTED_ADMINS" | tr '[:upper:]' '[:lower:]' | sed 's/ *, */,/g; s/^ *//; s/ *$//')"
IFS=',' read -r -a authorizedArray <<< "$(echo "$AUTHORIZED_ADMINS" | tr '[:upper:]' '[:lower:]' | sed 's/ *, */,/g; s/^ *//; s/ *$//')"

# Find unauthorized admins
unauthorizedAdmins=()
for detected in "${detectedArray[@]}"; do
    # Skip empty entries left by doubled commas ("a,,b") so they are not flagged
    [[ -z "$detected" ]] && continue
    found=false
    for authorized in "${authorizedArray[@]}"; do
        if [[ "$detected" == "$authorized" ]]; then
            found=true
            break
        fi
    done
    if [[ "$found" == false ]]; then
        unauthorizedAdmins+=("$detected")
    fi
done

# Join unauthorized admins into a comma-separated string
unauthorizedString=$(IFS=,; echo "${unauthorizedAdmins[*]}")

# Output unauthorized admins or success message. A non-zero exit code is what
# lets a Level script-based monitor raise an alert on this result.
if [[ ${#unauthorizedAdmins[@]} -gt 0 ]]; then
    echo "$unauthorizedString"
    exit 1
else
    echo "No unauthorized admins detected."
    exit 0
fi
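The following is an added example, not the Level library script above and not Level's own code. It performs the same detected-versus-authorized comparison in POSIX sh with stricter input normalization: each username is lowercased, trimmed of surrounding whitespace, blank entries are dropped and duplicates collapsed before an exact whole-name match, so differences in how the two custom-field values were typed cannot produce a false positive, and a partial name such as "roo" cannot satisfy "root". The two sample field values are constructed for the demonstration; the function names are this example's own.

```shell
#!/bin/sh
# Added example: POSIX sh comparison of detected vs authorized admins.
# Not the Level library script; it demonstrates the same check with
# stricter normalization of the two custom-field strings.

# Print one username per line: lowercase, whitespace-trimmed, blanks dropped,
# sorted and de-duplicated.
normalize_list() {
    printf '%s' "$1" \
        | tr ',' '\n' \
        | tr '[:upper:]' '[:lower:]' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d' \
        | sort -u
}

# Print the detected admins missing from the authorized list, comma-separated.
# Exit status 0 means none were found, 1 means at least one was, which is the
# same exit-code contract the library script uses so a monitor can alert on it.
find_unauthorized() {
    authorized_norm=$(normalize_list "$2")
    result=""
    while IFS= read -r user; do
        [ -z "$user" ] && continue
        # Fixed-string, whole-line match: "root" must not be satisfied by "rooter"
        if ! printf '%s\n' "$authorized_norm" | grep -qFx -- "$user"; then
            result="${result:+$result,}$user"
        fi
    done <<EOF
$(normalize_list "$1")
EOF
    printf '%s\n' "$result"
    [ -z "$result" ]
}

# Constructed sample values standing in for the {{DetectedAdmins}} and
# {{cf_authorized_admins}} fields; not taken from any real endpoint.
sample_detected="Root, Admin, jdoe , Backup-Svc,"
sample_authorized="root,admin,JDoe"

if flagged=$(find_unauthorized "$sample_detected" "$sample_authorized"); then
    echo "No unauthorized admins detected."
else
    echo "Unauthorized admins: $flagged"   # prints: Unauthorized admins: backup-svc
fi
```

Because the output list is sorted and de-duplicated, two runs against the same endpoint produce byte-identical results, which keeps a monitor from re-alerting merely because the detection script emitted the same accounts in a different order. An empty authorized list flags every detected admin, which is the safe failure mode if the custom field was never populated.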

Use Cases

  • Spotting and responding to sudden additions or changes in macOS admin privileges
  • Strengthening compliance efforts by regularly validating approved admins
  • Preventing dormant, rogue, or compromised admin accounts from persisting unchecked
  • Integrating into a broader admin compliance automation for comprehensive monitoring

Recommendations

  • Pair this script with a script-based monitor in Level to trigger alerts whenever unauthorized admins are detected
  • Schedule regular checks by creating a Level automation with a time-based trigger to ensure continuous compliance
  • Update the “AuthorizedAdmins” custom field to reflect changes in your official admin list
  • Test the script in a non-production environment before deploying to production systems

FAQ

  • Why do I need both “DetectedAdmins” and “AuthorizedAdmins”?
    “DetectedAdmins” is automatically populated by other scripts or processes that find local admin accounts, while “AuthorizedAdmins” is your approved roster. This comparison flags any unexpected additions.
  • How do I handle the script’s exit codes?
    A zero exit code indicates no unauthorized accounts, while a code of ‘1’ signals that Level should trigger an alert or subsequent remediation.
  • Does this script require additional permissions to run?
    No, Level executes scripts with the required root-level permissions on macOS, so no extra elevation steps are needed.
  • Can I adapt this script for different user groups or custom fields?
    Yes, you can modify the group references, variable names, or custom fields to fit any unique privilege assignments you need to monitor.

Included with this Script:

Below is a list of what you can expect to find when importing this Script.

Script details:

The following data and settings will be imported with your script.

Script Name

macOS - Unauthorized Admins

Description

This Bash script compares detected administrator accounts against a predefined list of authorized administrators using Level's script variables and custom fields on macOS systems. It processes both lists into arrays with case-insensitive values, then iterates through the detected administrators to identify any that aren't present in the authorized list. The script outputs either a comma-separated list of unauthorized administrators and exits with an error code, or confirms no unauthorized admins were found and exits successfully.

Language

Bash

Timeout (In Seconds)

100

Run As

Local system

