Question

Managed Local Administrator Accounts

  • October 11, 2024
  • 9 replies
  • 172 views

BookMac

Hello jamf nation,

We have 2 managed local administrator accounts on our Macs. One is the PreStage admin, which is created during the macOS Setup Assistant. This is the PreStage admin "hu", which is LAPS enabled. And we have the jamf management account "ja", which is also LAPS enabled.

We have now removed the PreStage admin "hu" from all devices, as we only wanted to have one admin on the devices. Since LAPS, we can now also use the jadmin, if necessary, to enter passwords in exceptional cases.

Unfortunately, the PreStage admin remains in the Jamf Pro database and is displayed in the computer object. There is also still the option to display the LAPS password. If you display the LAPS password, it ends with the failed MDM command:

"SetAutoAdminPassword" - "Unable to find user with GUID '851D63DB-068A-4FCD-B650-709144FE6E20'"

Has anyone else removed the PreStage Admin and had the same experience or do you just leave the Admin and have 2 Admins on the devices?

 

9 replies

BookMac
  • Author
  • Jamf Heroes
  • October 11, 2024

missedited


Tbaker63
  • New Contributor
  • October 11, 2024

In our environment, we typically leave the PreStage Admin. Some of our programs seem to call to that profile to run. We haven't had an issue before with leaving both on there. I will say from personal experience, I've had a LAPS password expire and not issue another proper password for the primary admin and had to rely on the PreStage admin instead. Though, it really comes down to your security team if they only want one admin per machine.


Shyamsundar
  • Jamf Heroes
  • October 11, 2024

How did you delete the Prestage admin account? To verify if the account is still visible on the device, run the following command: dscl . list /Users | grep "hu"
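
A way to check on the Mac whether the GUID from the failed command still maps to a local account, and whether a short name exists as an exact match (a substring grep for "hu" would also hit a name such as "shuser"). This is an added example, not part of the thread or of Jamf's tooling; the listing is constructed sample data and the function names are hypothetical.

```shell
#!/bin/sh
# Input format assumed: output of `dscl . -list /Users GeneratedUID`,
# i.e. two whitespace-separated columns: short name, GeneratedUID.

# Print the short name that owns the given GUID; return 1 if none does.
user_for_guid() {
    awk -v want="$1" '
        toupper($2) == toupper(want) { print $1; found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Return 0 only if the exact short name is present (no substring matches).
account_exists() {
    awk -v name="$1" '$1 == name { found = 1 } END { exit found ? 0 : 1 }'
}

# Constructed sample listing for a Mac where "hu" was removed (GUIDs made up).
sample_listing() {
    cat <<'EOF'
ja             11111111-2222-3333-4444-555555555555
root           22222222-3333-4444-5555-666666666666
shuser         AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
EOF
}

# On a real Mac, replace sample_listing with: dscl . -list /Users GeneratedUID
report() {
    guid="$1"; name="$2"
    if owner=$(sample_listing | user_for_guid "$guid"); then
        echo "GUID $guid belongs to local account '$owner'"
    else
        echo "GUID $guid: no local account has it"
    fi
    if sample_listing | account_exists "$name"; then
        echo "account '$name' exists locally"
    else
        echo "account '$name' does not exist locally"
    fi
}

# GUID taken from the SetAutoAdminPassword error quoted in the question.
report 851D63DB-068A-4FCD-B650-709144FE6E20 hu
```

If both checks come back negative, the account is gone from the local directory and the record shown in the computer object is stale on the server side.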

 


BookMac
  • Author
  • Jamf Heroes
  • October 11, 2024

I delete the admin account with a policy and the local accounts payload. The account does not exist on the machine anymore, but Jamf Pro thinks that the managed local admin account is still there.


Shyamsundar
  • Jamf Heroes
  • October 11, 2024

Do you still have the Account settings in the Prestage enrollment enabled?


Shyamsundar
  • Jamf Heroes
  • October 11, 2024

If yes, try disabling it and check the status.

 


BookMac
  • Author
  • Jamf Heroes
  • October 12, 2024

We can’t disable the prestage admin because we need it with skip account creation, because we are using Jamf Connect.


Jay_007
  • Valued Contributor
  • January 31, 2025

We can’t disable prestage admin because we need them with skip account creation because we are using jamf connect 


Did you end up finding a solution for this? I'm also running into the same issue trying to delete the PreStage admin account.


BookMac
  • Author
  • Jamf Heroes
  • January 31, 2025

Hi @Jay_007,

Unfortunately, I haven't received any clear statements from Jamf support. I don't delete the prestage anymore.