Secondary AD Admin account

  • December 9, 2025

AjWilliams

Hi all, 

We are in the middle of configuring Jamf Pro, and we need our MacBook users to have a standard account and then a secondary admin account. We are using Connect to link back to MS Entra and are now wondering if it is possible to have a second account on the MacBooks for users to use as an admin account. All accounts would be created in Entra.

Thanks
 

3 replies

Chubs
  • Jamf Heroes
  • December 9, 2025

Here’s my question - what’s the use case here? Just to have a backdoor admin account? If so, use the prestage account and LAPS. If it’s for the users to have admin permissions, then why not use the temp admin access via Jamf Connect?

That account that you’re asking for would be created on the fly at login - just make sure your Jamf Connect configurations are set to have the group for the admin account include admin permissions at login.


AjWilliams
  • Author
  • New Contributor
  • December 18, 2025


We are Cyber Essentials compliant, so part of this is for users to have a separate admin account, and not elevate standard. We want to make sure that any user who needs to elevate will do so on a second account.

Cheers


Chubs
  • Jamf Heroes
  • December 18, 2025

I get that - but also look where I work. All of our users are admins on their machines. We block east/west traffic. For essential applications (365, Jamf, Active Directory, VMware, etc.) we have a named admin login and use Delinea to house those creds.

The endpoint that the user is leveraging isn’t the issue if it’s set up properly (including network, firewalls, etc.).
 

Granted, we are looking to move users back to standard and request elevation when needed. I think AdminByRequest had something similar to what you’re wanting - but it’s been a while since I looked at it.