Is there a way to either create or assign an admin account as the "management account" after enrollment? We were told by Jamf to turn off that feature in the user-initiated enrollment settings due to the recent issues that setting presents when enrolling (PI113195 - Account Creation is skipped if a management account is enabled under UIE on Mac OS Sonoma).
Obviously this isn't ideal but since we've had to turn it off, wondering if we can create an admin policy on newly enrolled machines and somehow make that the management account? Hoping that can be done. Creating the account is easy but unsure if able to tie it as the management account ¯\\_(ツ)_/¯
Solved
Management account after enrollment?
+6Best answer by talkingmoose
Is it truly that simple? That's great! Yes, it'd be a shared account for the support team. Is it better to have a script run to create the account or use the local accounts payload? 🤔 🤔
Just the Local Accounts payload should do well. It can create an admin account. You can optionally locate the home directory in the hidden /private folder (see the example above the field).
Depending on your needs for security, my recommendation would be to not create a shared IT admin account at all. It becomes a single vulnerability across all your computers. And enabling a shared IT admin account for FileVault makes that even worse.
Take a little time to plan your support workflows. When it’s generally available, use Jamf Pro’s LAPS account feature as your shared IT admin account. You can audit just who is using it. And escrow the FileVault Personal Recovery Key in Jamf Pro if you need access to unlock the disk. From an account perspective, you’ll have the most secure posture possible this way.
I’m not privy to our plans for our LAPS work, but I would hope it’ll be done by end of this year given the pace of its development.
+36Is this so you can use it as a shared IT admin account? If so, use a policy to create that account instead.
The Jamf Pro management account is currently getting integrated into Jamf Pro LAPS workflows and soon you’ll have less use for it as a shared account.
+11If I did not misunderstand, what you are asking is quite simple. Do it via policy using local accounts payload as talkingmoose said and put enrollment as a trigger.
+6Is it truly that simple? That's great! Yes, it'd be a shared account for the support team. Is it better to have a script run to create the account or use the local accounts payload? 🤔 🤔
+36Is it truly that simple? That's great! Yes, it'd be a shared account for the support team. Is it better to have a script run to create the account or use the local accounts payload? 🤔 🤔
Just the Local Accounts payload should do well. It can create an admin account. You can optionally locate the home directory in the hidden /private folder (see the example above the field).
Depending on your needs for security, my recommendation would be to not create a shared IT admin account at all. It becomes a single vulnerability across all your computers. And enabling a shared IT admin account for FileVault makes that even worse.
Take a little time to plan your support workflows. When it’s generally available, use Jamf Pro’s LAPS account feature as your shared IT admin account. You can audit just who is using it. And escrow the FileVault Personal Recovery Key in Jamf Pro if you need access to unlock the disk. From an account perspective, you’ll have the most secure posture possible this way.
I’m not privy to our plans for our LAPS work, but I would hope it’ll be done by end of this year given the pace of its development.
+6Just the Local Accounts payload should do well. It can create an admin account. You can optionally locate the home directory in the hidden /private folder (see the example above the field).
Depending on your needs for security, my recommendation would be to not create a shared IT admin account at all. It becomes a single vulnerability across all your computers. And enabling a shared IT admin account for FileVault makes that even worse.
Take a little time to plan your support workflows. When it’s generally available, use Jamf Pro’s LAPS account feature as your shared IT admin account. You can audit just who is using it. And escrow the FileVault Personal Recovery Key in Jamf Pro if you need access to unlock the disk. From an account perspective, you’ll have the most secure posture possible this way.
I’m not privy to our plans for our LAPS work, but I would hope it’ll be done by end of this year given the pace of its development.
Totally! When LAPS launched, it was tied to the management account and we enjoyed it's security. That was another reason why I was asking if we can create an account separately and somehow tie that to be the management account but seems it can only happen with the UIE settings :/ - hoping to fully use LAPS from this point on. We don't want to go back to a single local admin user with the same password again 😅
+36Totally! When LAPS launched, it was tied to the management account and we enjoyed it's security. That was another reason why I was asking if we can create an account separately and somehow tie that to be the management account but seems it can only happen with the UIE settings :/ - hoping to fully use LAPS from this point on. We don't want to go back to a single local admin user with the same password again 😅
So going back to the original question and the problem with PI113195... if the workaround for PI113195 is to disable creation of the Jamf management account, and there's no way to create or assign the Jamf management account after enrollment is complete, then any workflows related to LAPS using the Jamf management account are permanently broken on any machines being deployed with that workaround in place. Correct?
+8Following up on the original question, what can I do to incorporate the new LAPS functionality (for both Jamf framework and MDM, as we have both UIE and ADE-enrolled in our environment). Do I really have to re-enroll all my UIE machines because I had already turned off the management account for Jamf framework? I had been waiting for LAPS in the GUI to roll it out, but now it seems I can't without some major work.
+8Following up on the original question, what can I do to incorporate the new LAPS functionality (for both Jamf framework and MDM, as we have both UIE and ADE-enrolled in our environment). Do I really have to re-enroll all my UIE machines because I had already turned off the management account for Jamf framework? I had been waiting for LAPS in the GUI to roll it out, but now it seems I can't without some major work.
Solution here, I believe (looks promising in my limited testing):
https://community.jamf.com/t5/jamf-pro/retroactively-creating-jamf-laps-capable-admin-accounts/m-p/309862/highlight/true#M269599
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.