Solved

Jamf Connect Demoting Admin User to Standard Account

  • November 27, 2019


Using regular local user accounts with Jamf Connect (Azure). Not mobile, or network accounts.

When first logging in to the machine with Connect, the local user account is created as an admin (per Jamf Login config) as expected. When the computer is restarted, the account is demoted to a Standard account until manually given admin rights. We want admin rights to be permanent.

I see this line in the Connect Login logs:
NoLoSwiftMech: Removing user from admin group

Any ideas? Thanks!

Best answer by kowsar_ahmed


3 replies

  • Valued Contributor
  • Answer
  • November 27, 2019

Use the OIDCAdmin attribute to specify this. We grant admin rights via an admin group using:
OIDCAdmin: Security group
OIDCAdminAttribute: Groups
For Azure it should be much easier. This does a check on the accounts when they log in and revokes any users not in the group. However, just log a support call, as I presume they have a key to leave every user as admin.


  • Author
  • New Contributor
  • November 27, 2019

Thanks! I didn't realize that you had to specify that users remain admins. Actually just ended up using this since users are set as admins initially:

<key>OIDCIgnoreAdmin</key>
<true/>


  • Valued Contributor
  • September 15, 2020

Thought I would reply to this to say that this OIDCIgnoreAdmin key is necessary for those using GSuite as an authentication service, since you can't use group membership to determine admin rights.
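
Added example, not part of the thread and not Jamf's code: a small Python model of the login-time admin check the replies describe, for predicting what a given profile will do to a user's local admin status before it is deployed. The sample plist, the group name `Mac-Admins`, the claim values and the default claim name `groups` are assumptions.

```python
import plistlib

# Constructed Jamf Connect Login settings; the group name is a placeholder.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>OIDCAdmin</key><array><string>Mac-Admins</string></array>
  <key>OIDCAdminAttribute</key><string>groups</string>
</dict></plist>"""


def load_settings(plist_bytes):
    """Parse a settings plist into a dict."""
    return plistlib.loads(plist_bytes)


def _as_set(value):
    """Normalise a string, list or missing value to a set of strings."""
    if value is None:
        return set()
    if isinstance(value, str):
        return {value}
    return {str(v) for v in value}


def admin_after_login(settings, claims, currently_admin):
    """Predict local admin status after a login, following the thread's description."""
    # OIDCIgnoreAdmin true: token roles are not consulted, so status is unchanged.
    if settings.get("OIDCIgnoreAdmin") is True:
        return currently_admin
    # Otherwise the ID token decides at every login.
    # Assumption: the claim name falls back to "groups" when not configured.
    attribute = settings.get("OIDCAdminAttribute", "groups")
    admin_roles = _as_set(settings.get("OIDCAdmin"))
    user_roles = _as_set(claims.get(attribute))
    # No configured role, or no matching claim, means the user ends up standard.
    return bool(admin_roles & user_roles)


if __name__ == "__main__":
    settings = load_settings(SAMPLE_PLIST)
    # Constructed ID-token claims for three logins.
    in_group = {"groups": ["Mac-Admins", "Staff"]}
    not_in_group = {"groups": ["Staff"]}
    no_groups_claim = {}  # e.g. an IdP that sends no group membership
    print("member of admin group:", admin_after_login(settings, in_group, False))
    print("not a member:", admin_after_login(settings, not_in_group, True))
    print("no claim, roles enforced:", admin_after_login(settings, no_groups_claim, True))
    print("no claim, OIDCIgnoreAdmin:", admin_after_login({"OIDCIgnoreAdmin": True}, no_groups_claim, True))
```

With `OIDCIgnoreAdmin` set, nothing in the identity provider can later revoke local admin rights, so group-based `OIDCAdmin` is the option that keeps admin membership centrally controlled.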