How does your organization handle access to the console?

  • April 10, 2026
  • 8 replies
  • 80 views

  • Valued Contributor

Our desk side support manager is pushing for his team and the service desk to have full access to our console in terms of system settings, creating/modifying groups, creating and modifying configuration profiles, creating and modifying policies, etc. I am of the opinion that these are administrative functions which require some specialized knowledge and should be limited to administrators. Presently, they have access to view device information, assign policies, and push some MDM commands. I’m curious to know how your organizations manage access to the console. How many full administrators do you actually have in your consoles? What is your policy on tracking changes? What permissions do you give to your help desk and desk side support?

8 replies

MusicCityMac
  • Jamf Heroes
  • April 10, 2026

What’s the business justification that the desk-side manager is providing for full access to the console? Help desk staff aren’t Jamf admins, and unless they have clear training on how to use the Jamf console, they need to have the fewest rights needed to do their jobs. I highly recommend following the principle of least privilege.


thebrucecarter

We went down the federated access road with field support units for the colleges and departments as well as the service desk. That did not go well. When we migrated from on-prem to the cloud, we used the opportunity to restructure our access configuration. Now, there are only two full Jamf administrators, and we are supposed to be following the “two man” rule (although in emergent situations that sometimes gets bypassed). Everyone else has appropriately restricted access levels.


Chris_Hafner
  • Jamf Heroes
  • April 13, 2026

Agreed with all here. We’re a smaller team and work to run our staff through at least Jamf 100, usually 170 if they can swing the time. I’d love to get one through the 200 to feel more comfortable with having some potential backup on hand should I need it; however, I don’t think that’s likely. In our environment our director has access to an administrative account with full console access beyond mine as the admin. This is for the “I got hit by a meteorite” situation where we would work with Jamf Support and/or an MSP until a replacement could be found. My HelpDesk and SysAdmin only have specific access to items they’ve been trained on. Too much risk otherwise. My situation is certainly not yours. Good luck!


woaikonglong
  • Jamf Heroes
  • April 13, 2026

We are a team of two here, but used to be a team of five. When we were a team of five, we limited access to the system as a whole to the admins and one front desk admin. I was the lone person out, without access. The front desk admin, not the IT director, was the one with the keys to the knowledge, so when he “was retired” from our school (at this point we were down to three), he changed everyone else’s passwords, trained me as much as he could in a week, and gave me the admin access. I later got the IT Director back in, but claimed not to know why the password wasn’t working; I just worked with him to fix it. Now it is just the two of us. He didn’t know how to manage the Jamf when the other guy left, and I don’t think he would know where to start now; it is just me. The COVID times proved just how behind he was in how the Jamf operates.

Given my experience, I would say it is best to have the admin stuff kept up by the admins. I’m not sure I would feel the best about my own IT Director making changes to any of my configurations at this point, just due to a lack of understanding of how they work (he forgot his password again, but said “You got this, right?”). Most of the time, frontline work does not require accessing or changing the system, only occasionally, and then I need to do it anyway. The only thing I want from him is the help to get the SSO setup, which he is reluctant to do.

> In our environment our director has access to an administrative account with full console access beyond mine as the admin. This is for the “I got hit by a meteorite” situation where we would work with JAMF Support and or an MSP until a replacement could be found.

I have this situation as well. It is a folder of Google Docs with instructions and a calendar to subscribe to with recurring events. I also have a secondary institutional login that I manage in case my login ever fails.


pbenware1
  • Valued Contributor
  • April 13, 2026

Our desk side manager also requested full admin access, but after talking with them about the request it was clear they didn’t understand what ‘full access’ meant. What they really wanted was the ability to see all devices and assigned users, as well as policy assignments. I ended up giving them modified auditor access so they can view device info, assigned users and policies, etc., but not see system config data, and with no ability to make changes.

I also provided them access to Jamf online training resources so they would have a better understanding of what they were seeing.


mattjerome
  • Jamf Heroes
  • April 13, 2026

I have L1 - L3 + full admin. L1 is specific read-only access outside of things like the activation code. After that, each level gets more power over what you can do: things like update/delete computers, flush policies, etc. I’d ask what problem they’re trying to solve and what they can’t do that they need to do.

If they say “we just need full access,” I’d say no because that opens up potential for untrained human error.


robert02
  • New Contributor
  • April 13, 2026

That’s a classic IT tug-of-war. Usually, giving full access to everyone is a recipe for accidental "global" disasters.

Most organizations follow the Principle of Least Privilege:

  • Admins: Kept to a small "Core" team (2–4 people) to maintain a single source of truth for global policies.

  • Support: Access is restricted to functional tasks—wiping devices, reassigning users, or basic troubleshooting—rather than architectural changes like modifying config profiles.

  • Audit Trail: If it isn't logged, it didn't happen. RBAC (Role-Based Access Control) is essential for tracking who changed what.

It’s not about gatekeeping; it’s about stability. One misconfigured policy pushed to the whole fleet can break a lot more than a help desk ticket can fix.
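As an added illustration (not code from any poster in this thread, and not Jamf’s own privilege model), the following Python sketch models the tiered L1/L2/L3/Admin scheme mattjerome describes and the three points above: a small core admin team, support roles limited to functional tasks, and an audit trail that records who did what, including denied attempts. The tier names, privilege names, users and targets are all constructed for the example.

```python
"""Tiered, least-privilege console roles with an audit trail.

Added example. Tier names, privilege names, users and device/policy
targets below are constructed; they are not Jamf Pro privilege
identifiers.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Privileges introduced at each tier. A tier inherits every lower tier,
# so a privilege lives in the lowest tier that genuinely needs it.
TIER_PRIVILEGES = {
    "L1": {"read_devices", "read_users", "read_policy_assignments"},
    "L2": {"assign_policy", "send_mdm_command", "reassign_user"},
    "L3": {"wipe_device", "delete_computer", "flush_policy_logs"},
    "Admin": {"modify_policy", "modify_config_profile", "modify_group",
              "modify_system_settings", "manage_accounts"},
}
TIER_ORDER = ["L1", "L2", "L3", "Admin"]

# Actions whose blast radius is the whole fleet: Admin only, by design.
FLEET_WIDE = {"modify_policy", "modify_config_profile",
              "modify_system_settings"}


def effective_privileges(tier):
    """Union of a tier's own privileges and those of every lower tier."""
    if tier not in TIER_ORDER:
        raise ValueError(f"unknown tier: {tier}")
    privs = set()
    for t in TIER_ORDER[: TIER_ORDER.index(tier) + 1]:
        privs |= TIER_PRIVILEGES[t]
    return privs


@dataclass
class AuditEntry:
    when: str
    user: str
    tier: str
    action: str
    target: str
    allowed: bool


@dataclass
class Console:
    accounts: dict                       # user -> tier
    audit_log: list = field(default_factory=list)
    max_admins: int = 4                  # size of the "core" team

    def authorize(self, user, action, target):
        """Decide one request and record it, allowed or not."""
        tier = self.accounts.get(user)
        allowed = tier is not None and action in effective_privileges(tier)
        self.audit_log.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(),
            user, tier or "none", action, target, allowed))
        return allowed

    def full_admins(self):
        return sorted(u for u, t in self.accounts.items() if t == "Admin")

    def admin_count_ok(self):
        """Least-privilege check: the full-admin set stays small."""
        return 0 < len(self.full_admins()) <= self.max_admins

    def who_changed(self, target):
        """Audit-trail query: allowed, state-changing actions on a target."""
        return [(e.user, e.action) for e in self.audit_log
                if e.target == target and e.allowed
                and not e.action.startswith("read_")]

    def denied_fleet_wide_attempts(self):
        """Detection hook: non-admin accounts trying fleet-wide changes."""
        return [(e.user, e.action) for e in self.audit_log
                if not e.allowed and e.action in FLEET_WIDE]


def fleet_wide_only_for_admin():
    """Sanity check that no support tier can reach a fleet-wide action."""
    return all(not (effective_privileges(t) & FLEET_WIDE)
               for t in TIER_ORDER if t != "Admin")


if __name__ == "__main__":
    console = Console({"alice": "Admin", "bob": "L1", "carol": "L3"})
    console.authorize("bob", "modify_policy", "Policy: OS update")
    console.authorize("alice", "modify_policy", "Policy: OS update")
    print("admins:", console.full_admins())
    print("changed OS update policy:", console.who_changed("Policy: OS update"))
    print("denied fleet-wide attempts:", console.denied_fleet_wide_attempts())
```

The two queries at the end are the practical payoff of the audit trail: `who_changed` answers the "who changed what" question for a given policy, and `denied_fleet_wide_attempts` surfaces support accounts repeatedly reaching for admin-only actions, which is usually a training or request-scoping conversation rather than an incident.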


PMullins1
  • Jamf Heroes
  • April 13, 2026

Group Access: Least Privilege on an As-Needed (for realsies) basis.

DO NOT give L1 Full access - especially not for modifying policies - unless you really like cleaning up colossal messes. 😉