Skip to main content
Question

Limit access to Personal Recovery Key to only relevant site

  • May 17, 2022
  • 2 replies
  • 9 views
J
Forum|alt.badge.img+2

Hi,

We have a Jamf environment with multiple sites configured and each site has a LDAP group configured/assigned with one or more administrators.

I am investigating the possibility to limit Jamf Admin (with site-only administrator privileges) to be able to view Personal Recovery Keys, located only within their assigned site. The Jamf Admin should not be able to view Personal Recovery Keys, when changing sites.

Is this possible? If so, how can we implement this.

with regards,

Roland

    2 replies

    mm2270
    Forum|alt.badge.img+24
    • mm2270
    • Legendary Contributor
    • May 18, 2022

    Hi there. I'm a little confused about what you're asking here. I may be completely misunderstanding you, but are you asking if it's possible to prevent a site admin from Site A from seeing FileVault Personal Recovery Keys from Macs enrolled into Site B?

    If so, that's the default configuration when talking about Site access. A site admin can only see Macs/iOS devices enrolled into the site they are part of, and by extension, can only see the PRKs of Macs in that site. You have to be able to view Computers in order to see the keys. And technically even being able to see those keys is a privilege that can be revoked or granted based on permissions assigned to the account or group.

    Am I completely off on what you're asking about here?

    J
    Forum|alt.badge.img+2
    • jamfvaltech
    • Author
    • New Contributor
    • June 4, 2022

    Hi there. I'm a little confused about what you're asking here. I may be completely misunderstanding you, but are you asking if it's possible to prevent a site admin from Site A from seeing FileVault Personal Recovery Keys from Macs enrolled into Site B?

    If so, that's the default configuration when talking about Site access. A site admin can only see Macs/iOS devices enrolled into the site they are part of, and by extension, can only see the PRKs of Macs in that site. You have to be able to view Computers in order to see the keys. And technically even being able to see those keys is a privilege that can be revoked or granted based on permissions assigned to the account or group.

    Am I completely off on what you're asking about here?


    Hi,

     

    My apologies for responding this late. But yes, you are correct. And that is what I thought as well. Thanks. But, by doing so, it will limit the access to Scripts and Packages. Is this by design or can this be made available to them?

    with regards,

    Roland

    Terms & ConditionsCookie settingsAccessibility statement