+3I want to enroll a Jamf Now Fundamentals setup to x3 new MacBook Pro's, I've configured the apps/software I require etc and am ready to enrol.
Do I need to setup a local Admin and Standard accounts on the new Macs before enrollment?
Or can I just get away with a Standard local account on the Mac?
As I may need to install additional apps that's are't available on the App Store.
+7Hey @Benn,
The first question is whether you will be using Auto-enrollment or Open Enrollment to enroll these Macs. Auto-enrollment does require an Apple Business Manager/Apple School Manager account as mentioned below:
https://docs.jamf.com/jamf-now/documentation/Automated_Device_Enrollment_in_Jamf_Now.html
If you are using Open Enrollment, the process of installing the enrollment profile does require admin credentials which is something to keep in mind. Any additionally deployed and managed app via Jamf Now would also require Apple Business Manager as macOS only supports licensed app deployment when using MDM. End users can always initiate app installs themselves via the App Store but that also requires admin credentials (if I recall correctly).
Chaz
+14Personally, I prefer to always make the first user admin. They can be demoted at any time during the provisioning process.
Demote:
sudo dseditgroup -o edit -d "$(who | awk '/console/{ print $1 }')" -t user admin
Promote:
dseditgroup -o edit -a "$(who | awk '/console/{ print $1 }')" -t user admin
It'll save you the trouble of learning everything about Secure Tokens, Bootstrap Tokens, and Volume Owners.
+3Thanks for the msg, I'm having problems with the demote terminal code. Do I need to replace the "user admin" to the name of the user on the Mac I am using?
+3Can anyone tell me how I revert this command:
sudo dseditgroup -o edit -d UserName -t user admin
I need to change the standard user back to Admin
+3Personally, I prefer to always make the first user admin. They can be demoted at any time during the provisioning process.
Demote:
sudo dseditgroup -o edit -d "$(who | awk '/console/{ print $1 }')" -t user admin
Promote:
dseditgroup -o edit -a "$(who | awk '/console/{ print $1 }')" -t user admin
It'll save you the trouble of learning everything about Secure Tokens, Bootstrap Tokens, and Volume Owners.
Could really do with your help in getting the promote command to work via terminal.
I used this command to change admin to standard user:
sudo dseditgroup -o edit -d UserName -t user admin
But now I can't figure out how to revert back to the admin account.
+14Could really do with your help in getting the promote command to work via terminal.
I used this command to change admin to standard user:
sudo dseditgroup -o edit -d UserName -t user admin
But now I can't figure out how to revert back to the admin account.
@Benn , make user to "@" my username to get my attention. Okay, so if you're testing this in terminal you need sudo permission. However, there's a way to always run your commands as sudo...you have use the files and processes payload to execute commands. Create two new policies. One will demote and the other will promote. you can summon these policies with terminal with jamf commands (sudo jamf policy -id "policyidnumber" or sudo jamf policy -event "customtrigger".
Overall, you need to test these commands directly from your jamf pro server, and use jamf commands to summon the policies.
+14@Benn , make user to "@" my username to get my attention. Okay, so if you're testing this in terminal you need sudo permission. However, there's a way to always run your commands as sudo...you have use the files and processes payload to execute commands. Create two new policies. One will demote and the other will promote. you can summon these policies with terminal with jamf commands (sudo jamf policy -id "policyidnumber" or sudo jamf policy -event "customtrigger".
Overall, you need to test these commands directly from your jamf pro server, and use jamf commands to summon the policies.
Take a close look at the commands I posted above. There is a subtle difference between the two, specically "-a" (add/Promote) and "-d" (delete/demote).
+3@Benn , make user to "@" my username to get my attention. Okay, so if you're testing this in terminal you need sudo permission. However, there's a way to always run your commands as sudo...you have use the files and processes payload to execute commands. Create two new policies. One will demote and the other will promote. you can summon these policies with terminal with jamf commands (sudo jamf policy -id "policyidnumber" or sudo jamf policy -event "customtrigger".
Overall, you need to test these commands directly from your jamf pro server, and use jamf commands to summon the policies.
@bwoodsmy issue is I am not using Jamf Pro, I am using Jamf Now.
+3@Benn , make user to "@" my username to get my attention. Okay, so if you're testing this in terminal you need sudo permission. However, there's a way to always run your commands as sudo...you have use the files and processes payload to execute commands. Create two new policies. One will demote and the other will promote. you can summon these policies with terminal with jamf commands (sudo jamf policy -id "policyidnumber" or sudo jamf policy -event "customtrigger".
Overall, you need to test these commands directly from your jamf pro server, and use jamf commands to summon the policies.
@bwoods I am only using Jamf Now, Am I still going to be able to use the commands you mention?
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.