I have a non-hidden admin account created during enrollment, defined in my PreStage.
And then, if the password ever gets compromised, it's fairly easy to write a policy to change the password for that user on every machine. I've had to do it on more than one occasion.
It's entirely up to you whether you hide this administrator account or not (both from Loginwindow and from Users & Groups).
Note that if you're enabling FileVault, you're going to have to have this user have a SecureToken to unlock FileVault. If it's the first user created (as happens during enrollment, as defined in the PreStage), then it automatically does. But then you'll also have to run a script to grant other users a SecureToken.
We have a local admin account for each school, so if a teacher was offsite and desperately needed it we would give them the admin credentials for their school. That account gets installed when a computer starts up on their SSID.
We have a global admin account as well which is never shared outside of tech.
We now have "Make me an admin for 30 minutes" in Self Service which really saved us during lockdown. It also has made our staff very happy and not caused any problems. We've never used our jamf mgmt account for anything and it is hidden (it is so old it is named Casper 🙂). We went to randomized passwords a few years ago.
Can you please share how you were able to change password for a local admin account without breaking the SecureToken and FileVault.
Thanks
This "Make Me an Admin" option sounds interesting, and would help with some potential changes we are considering. Is this something there is documentation on by chance? Or is it a couple simple policies and such that can be created and added to Self Service?
Here it is:
https://github.com/jamf/MakeMeAnAdmin/blob/master/MakeMeAnAdmin.sh
Awesome! I appreciate this. I will probably begin testing today or tomorrow. This should cut out on the amount of users with admin privileges that were only given "just in case."
This is what I was doing. However, now that I think about it, it's been quite some time since I've tested this. I haven't had to change my admin account password in some time. I do have a script loaded up in Self Service to grant the Admin account a SecureToken, if there isn't one already granted. I should test how this works in Big Sur (pretty sure Mojave was the last OS I was doing this with). Your mileage may vary.
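The two things this thread keeps coming back to are (1) rotating the local admin password from a policy without losing the account's SecureToken and (2) granting a SecureToken to that account when it lacks one. Below is an added example script, not the poster's Self Service script and not Jamf's code, showing how both can be done with Apple's `sysadminctl`. It assumes the Jamf convention of custom script parameters `$4` through `$7` (target admin account, its new password, a SecureToken-holding admin, and that admin's password); the log lines used for the self-check are constructed samples in the format `sysadminctl -secureTokenStatus` prints.

```shell
#!/bin/sh
# Added example (not the poster's or Jamf's script). Rotates a local admin
# account's password and grants it a SecureToken using sysadminctl, with the
# operation authorised by an account that already holds a SecureToken, so the
# target keeps (or gains) the ability to unlock FileVault.
#
# Assumed Jamf script parameters (hypothetical mapping, set in the policy):
#   $4 = target admin account   $5 = its new password
#   $6 = SecureToken-holding admin   $7 = that admin's password

# Classify the text that `sysadminctl -secureTokenStatus <user>` prints.
# It writes to stderr, so live callers capture it with 2>&1.
secure_token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo "enabled" ;;
    *"Secure token is DISABLED"*) echo "disabled" ;;
    *)                            echo "unknown" ;;
  esac
}

# Query the live system for a user: prints enabled / disabled / unknown.
secure_token_status() {
  secure_token_state "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# Grant a SecureToken to $1 (password $2), authorised by holder $3 / $4,
# but only when the account does not already have one.
grant_token_if_missing() {
  user=$1; user_pw=$2; holder=$3; holder_pw=$4
  if [ "$(secure_token_status "$user")" = "enabled" ]; then
    echo "$user already has a SecureToken"
    return 0
  fi
  sysadminctl -adminUser "$holder" -adminPassword "$holder_pw" \
    -secureTokenOn "$user" -password "$user_pw"
}

# Rotate the password of $1 to $2, authorised by holder $3 / $4, then confirm
# the token is still present. Returns 1 if the account ends up without one,
# which is the failure the thread is worried about.
rotate_admin_password() {
  user=$1; new_pw=$2; holder=$3; holder_pw=$4
  sysadminctl -adminUser "$holder" -adminPassword "$holder_pw" \
    -resetPasswordFor "$user" -newPassword "$new_pw" || return 1
  if [ "$(secure_token_status "$user")" != "enabled" ]; then
    echo "WARNING: $user has no SecureToken after the reset" >&2
    return 1
  fi
  echo "$user password rotated; SecureToken intact"
}

# Constructed sample output (not captured from a real Mac) used to check the
# parser without touching the system.
SAMPLE_ENABLED="2021-05-12 10:00:00.000 sysadminctl[511:9999] Secure token is ENABLED for user ladmin"
SAMPLE_DISABLED="2021-05-12 10:00:00.000 sysadminctl[511:9999] Secure token is DISABLED for user ladmin"

self_check() {
  [ "$(secure_token_state "$SAMPLE_ENABLED")" = "enabled" ] || return 1
  [ "$(secure_token_state "$SAMPLE_DISABLED")" = "disabled" ] || return 1
  [ "$(secure_token_state "no such output")" = "unknown" ] || return 1
  echo "parser self-check passed"
}

# Entry point when run by a Jamf policy ($4 is set); skipped when the file is
# sourced or run without parameters, so the functions can be reused.
if [ -n "${4:-}" ]; then
  grant_token_if_missing "$4" "$5" "$6" "$7"
  rotate_admin_password "$4" "$5" "$6" "$7"
fi
```

Two practical notes: the verification step at the end of `rotate_admin_password` is the check you want in a policy that touches every Mac in the fleet, since a silent loss of the token only shows up later as a FileVault account that can no longer unlock the disk; and because the holder's credentials travel as script parameters, keep that account's password in the policy rather than hard-coded in the script body, and rotate it on the same schedule as the account it manages.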