Advise; Creating new Management Account

Question

Hi there!

Just checking if anyone has pro-tips!

We currently have a management account on many devices with the same password, and that same local account is used for the helpdesk.

What i am trying to achieve is;- Create a new hidden management account like "_management" on existing devices- Still have the ability to use Jamf Remote- When that is all done, set up macOS Laps for the helpdesk account. ( no help needed for this)

What is the best way to achieve this?

Already tried- Create custom QuickAdd.pkg with params -noPolicy -noManage to prevent triggering Enrollment and other policies, _management gots created, but then Jamf Remote keeps "authenticating". In the JSS the device state has changed to managed: _management- Create new local account with a Jamf policy and then make it hidden, edit device info and change management account, did it manually and the Actions option.- Use jamf binary to create a account, change management accounts through Actions or device inventory

All feels fine, except Jamf Remote keeps trying to Authenticate so i guess the randomized / static pw for _management account does not get submitted correctly but weird fact is that if change it manually it still is not working.

When i change it back to the "old" management account Jamf Remote does his job.

Any suggestions on how to only change management account for macOS devices?

Cheers!

ThijsX · Accepted Answer

Ok so i did the following.Created custom QuickAdd.pkgAfter "enrollment" a change management account password kicks in which obviously takes care of storing the correct password in the DB.Thing that maybe when not smooth at posting this discussions is that Jamf Remote his function "refresh data" does not refresh the stored pw.#!/bin/sh####################################################################### Functions ##########################################################################inrange() { inrange_min_major=$(echo $1 | grep -o '^[0-9]+') inrange_min_minor=$(echo $1 | grep -o '.[0-9]+.' | grep -o '[0-9]+') inrange_min_patch=$(echo $1 | grep -o '[0-9]+$') inrange_max_major=$(echo $2 | grep -o '^[0-9]+') inrange_max_minor=$(echo $2 | grep -o '.[0-9]+.' | grep -o '[0-9]+') inrange_max_patch=$(echo $2 | grep -o '[0-9]+$') if [ "$major_version" -lt "$inrange_min_major" ][ "$major_version" -gt "$inrange_max_major" ][ "$minor_version" -lt "$inrange_min_minor" ][ "$minor_version" -gt "$inrange_max_minor" ][ "$patch_version" -lt "$inrange_min_patch" ][ "$patch_version" -gt "$inrange_max_patch" ]; then return 1 else return 0 fi}###################################################### Use the correct binary for the os version####################################################jamf_root_path=/private/tmp/JAMFQuickAdd/Binaries/os_version=$(system_profiler SPSoftwareDataType -xml | grep -A 2 'os_version' | grep -o 'OS X [0-9]+.[0-9]+.[0-9]+|macOS [0-9]+.[0-9]+.[0-9]+' | grep -o '[0-9]+.[0-9]+.[0-9]+')major_version=$(echo $os_version | grep -o '^[0-9]+')minor_version=$(echo $os_version | grep -o '.[0-9]+.' | grep -o '[0-9]+')patch_version=$(echo $os_version | grep -o '[0-9]+$')jamf_path="${jamf_root_path}jamf_level1"if inrange 10.9.0 10.9.999999 ; then jamf_path="${jamf_root_path}jamf_level2"fiif inrange 10.7.0 10.8.999999 ; then jamf_path="${jamf_root_path}jamf_level3"fi/usr/bin/tar -xf /private/tmp/JAMFQuickAdd/Binaries.tar.gz -C /private/tmp/JAMFQuickAddjamfCLIPath=/usr/local/jamf/bin/jamf/bin/mkdir -p /usr/local/jamf/bin/bin/mkdir -p /usr/local/bin/bin/mv $jamf_path $jamfCLIPath/bin/rm -r $jamf_root_path/bin/ln -s $jamfCLIPath /usr/local/bin/usr/sbin/chown 0:0 $jamfCLIPath/bin/chmod 555 $jamfCLIPath###################################################### Create the configuration file at:## /Library/Preferences/com.jamfsoftware.jamf.plist####################################################$jamfCLIPath createConf -url 'https://YOURJSS:8443/' -verifySSLCert always_except_during_enrollment###################################################### Turn on SSH####################################################$jamfCLIPath startSSH###################################################### Run enroll####################################################$jamfCLIPath enroll -invitation 649442556476261735123512349896777 -noPolicy -noManageenrolled=$?if [ $enrolled -eq 0 ]then $jamfCLIPath update## Commmented enrollmentComplete trigger out to prevent policies run again### $jamfCLIPath policy -event enrollmentComplete enrolled=$?fi/bin/rm -rf /private/tmp/JAMFQuickAddexit $enrolled

mm2270 · Answer

@txhaflaire This thread is a bit more than a year old now, but I was wondering if you still used the process as outlined above? I'm asking because I need to come up with a way to create a new management account on a number of existing enrolled Macs, some of them enrolled via Apple's automated device enrollment (formerly DEP), and I don't know if pushing a QuickAdd.pkg to existing enrolled Macs is a good idea now. Doesn't that undo the UAMDM setting in the device MDM profile now? If it does, this isn't a viable method anymore since UAMDM is an important item now, and some Config Profile payloads rely on it being set properly for full functionality.

Is there some other way to push a new management account to existing Macs, and have the account settings get updated in Jamf properly? Something that doesn't utilize the old outdated QuickAdd method perhaps? Or am I wrong in assuming that you should not use a QuickAdd.pkg install on Macs running 10.14.x or 10.15.x now?
I've been experimenting with this a little, but I haven't hit on the right process to go about this. If you (or anyone) has any ideas on how to do this I'd love to hear about it.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded