Question

Secondary AD Admin account

  • December 9, 2025
  • 10 replies
  • 144 views

AjWilliams

Hi all, 

We are in the middle of configuring Jamf Pro, and we need our MacBook users to have a standard account and then a secondary admin account. We are using Connect to link back to MS Entra and are now wondering if it is possible to have a second account on the MacBooks for users to use as an admin account. All accounts would be created in Entra.

Thanks
 

10 replies

Chubs
  • Jamf Heroes
  • December 9, 2025

Here’s my question: what’s the use case here? Just to have a backdoor admin account? If so, use the PreStage account and LAPS. If it’s for the users to have admin permissions, then why not use the temp admin access via Jamf Connect?
 

That account that you’re asking for would be created on the fly at login. Just make sure your Jamf Connect configurations are set so that the group for the admin account includes admin permissions at login.


AjWilliams
  • Author
  • New Contributor
  • December 18, 2025


We are Cyber Essentials compliant, so part of this is for users to have a separate admin account and not elevate the standard one. We want to make sure that any user who needs to elevate will do so on a second account.

Cheers


Chubs
  • Jamf Heroes
  • December 18, 2025

I get that, but also look where I work. All of our users are admins on their machines. We block east/west traffic. For essential applications (365, Jamf, Active Directory, VMware, etc.) we have a named admin login and use Delinea to house those creds.
 

The endpoint that the user is leveraging isn’t the issue if it’s set up properly (including network, firewalls, etc.).
 

Granted, we are looking to move users back to standard and have them request elevation when needed. I think AdminByRequest had something similar to what you’re wanting, but it’s been a while since I looked at it.


AjWilliams
  • Author
  • New Contributor
  • January 7, 2026

Totally get where you are coming from, but Cyber Essentials states that you must have a secondary account that uses, for example, Privileged Identity Management.

So on our MacBooks we would need to have two accounts: one being the standard login account that most would just have and use day in, day out, but then our developers would need a second account that allows elevation (not always on) as and when they need to run admin tasks.

Cheers

Adam


benk1
  • New Contributor
  • January 7, 2026

Depending on the requirements (i.e. whether each user needs their own password or whether the secondary admin accounts could all use the same password), you could set up a policy to create a local admin account with a set password and scope it to every Mac in your org. Then, as new Macs came online, it would simply create the local admin account as part of the onboarding.

I would agree that the elevation through Jamf Connect would be easier and, in my opinion, better. However, it seems you are running under certain requirements you need to satisfy. I’m only a few years into Jamf admin, so there may be a more elegant solution to this. Possibly a scripting solution deployed via policy.


tdenton
  • Valued Contributor
  • January 8, 2026

@AjWilliams 

We currently do this for our admin user; you can do it based on Azure groups, I think. This is what you need:
https://learn.jamf.com/en-US/bundle/technical-articles/page/Configuring_Local_Account_Role_Assignment_between_Jamf_Connect_and_Azure_AD.html

Hope it helps

Tom


AjWilliams
  • Author
  • New Contributor
  • January 8, 2026

Tom

I am pretty sure this is what we are doing, but then once the admin account is used, the standard account password seems to be the elevation password, which leads me to think something is not working correctly.

Cheers
Adam


AjWilliams
  • Author
  • New Contributor
  • January 8, 2026

Tom.

Does this mean you have two accounts on the MacBooks? One standard account that the user logs on with, and then an admin account that is linked using Connect to run admin tasks.

Currently, if I use Self Service+ to elevate, I use a local device admin account, but then the standard account password becomes elevated. This will not pass CE. It must be a second account. Pre-Jamf, the user just had a second account (named local admin) that they would use to run admin tasks, but this was always live. We are looking to make it so that the users need to elevate for a set amount of time, after which elevation is revoked.

 

Adam


tdenton
  • Valued Contributor
  • January 9, 2026

Yes, 2 separate accounts, one admin and one standard, both created via Jamf Connect.

 

Tom

 


AjWilliams
  • Author
  • New Contributor
  • January 16, 2026

Here’s my question - what’s the use case here? Just to have a backdoor admin account?  

No, in short.

 

The use case is for users to log on as a standard user with no admin rights on that account at all, and to have a second account that they can elevate and use for their daily admin tasks. At the moment I can only see that Self Service+ will elevate the logged-on user, not a second account that is on the machine. CE states that you must have a separate admin account and the logon must be standard.

We currently run our Macs in Azure and have a local admin account created at enrolment that is always on (so 24/7 admin granted). We would like to make sure that these accounts are standard accounts unless the user needs to use admin privileges, and then we will be setting a time for elevation.

Hope this all makes sense.
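The thread ends on two requirements: benk1's suggestion of a scripted policy for the secondary account, and the original poster's point that the secondary account should be standard until elevated, elevated only for a set time, and never the logged-in account. The following is an added example, not code from the thread, from Jamf or from any Cyber Essentials guidance: a Jamf Pro policy script (run as root by the Jamf binary) that grants admin to a named secondary account, refuses to touch the console user, and schedules the demotion through a one-shot LaunchDaemon. The `.admin` naming, the `com.example.revokeadmin` label, the install path of the revoke script and the 30-minute default are all assumptions; `dseditgroup`, `dscl`, `launchctl bootstrap`/`bootout` and the `StartInterval`/`RunAtLoad` plist keys are standard macOS.

```shell
#!/bin/sh
# Added example, not code from the thread or from Jamf: a Jamf Pro policy
# script that grants a NAMED SECONDARY account admin rights for a fixed window
# and schedules revocation through a LaunchDaemon. The logged-in standard
# account is never touched. Names and paths below are assumptions.
#
# Jamf Pro passes $1-$3 itself (mount point, computer name, console user);
# policy parameters start at $4:
#   $4 = secondary admin account, e.g. "jsmith.admin" (assumed naming scheme)
#   $5 = elevation window in minutes, default 30 (assumed default)

LABEL_PREFIX="com.example.revokeadmin"          # assumed reverse-DNS label
DAEMON_DIR="/Library/LaunchDaemons"
REVOKE_SCRIPT="/usr/local/bin/revoke_admin.sh"  # assumed install path

# Accept only a plain local short name: the value is interpolated into a plist
# and a command line, so anything else is rejected outright.
valid_account_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*|.*|-*) return 1 ;;
        *) return 0 ;;
    esac
}

# The Cyber Essentials point from the thread: the day-to-day console account
# must never be the one elevated. $1 = target account, $2 = console user.
not_console_user() {
    [ "$1" != "$2" ]
}

# Minutes to seconds, bounded so a typo cannot grant admin for a week.
window_seconds() {
    mins="${1:-30}"
    case "$mins" in ''|*[!0-9]*) return 1 ;; esac
    [ "$mins" -ge 1 ] && [ "$mins" -le 240 ] || return 1
    echo $((mins * 60))
}

# One-shot LaunchDaemon: with RunAtLoad false, StartInterval first fires
# $2 seconds after bootstrap; the revoke script then removes the daemon.
build_revoke_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>${LABEL_PREFIX}.$1</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>${REVOKE_SCRIPT}</string>
        <string>$1</string>
        <string>${DAEMON_DIR}/${LABEL_PREFIX}.$1.plist</string>
    </array>
    <key>StartInterval</key><integer>$2</integer>
    <key>RunAtLoad</key><false/>
</dict>
</plist>
EOF
}

# The script the daemon runs: strip admin, delete the plist, then boot the job
# out of the system domain (bootout kills this very process, so it goes last).
write_revoke_script() {
    cat <<'EOF'
#!/bin/sh
# $1 = account to demote, $2 = path of the daemon plist that launched us
/usr/sbin/dseditgroup -o edit -d "$1" -t user admin
/bin/rm -f "$2"
/bin/launchctl bootout "system/$(basename "$2" .plist)"
EOF
}

main() {
    acct="$4"
    valid_account_name "$acct" || { echo "invalid account name" >&2; exit 1; }
    secs="$(window_seconds "$5")" || { echo "bad window '$5' (1-240 min)" >&2; exit 1; }
    console_user="$(/usr/bin/stat -f %Su /dev/console)"
    not_console_user "$acct" "$console_user" \
        || { echo "refusing to elevate the logged-in account $acct" >&2; exit 1; }
    /usr/bin/dscl . -read "/Users/$acct" >/dev/null 2>&1 \
        || { echo "no local account named $acct" >&2; exit 1; }

    plist="$DAEMON_DIR/$LABEL_PREFIX.$acct.plist"
    write_revoke_script > "$REVOKE_SCRIPT" && chmod 755 "$REVOKE_SCRIPT"
    build_revoke_plist "$acct" "$secs" > "$plist"
    chown root:wheel "$plist" && chmod 644 "$plist"

    /usr/sbin/dseditgroup -o edit -a "$acct" -t user admin
    /bin/launchctl bootstrap system "$plist"
    echo "$acct is an admin for $((secs / 60)) minutes; revocation scheduled"
}

# Jamf always supplies at least four positional parameters; when run bare
# (for instance to exercise the helpers) nothing on the machine is changed.
if [ "$#" -ge 4 ]; then main "$@"; fi
```

Scope this as a Self Service policy with the secondary account name as parameter 4 so the user picks it up from the standard login, the way the thread describes. Two caveats a practitioner would want: once the secondary account is an admin it can delete the LaunchDaemon itself, so the timer is hygiene rather than a security boundary, and membership of the local `admin` group should be reported back (an extension attribute running `dscl . -read /Groups/admin GroupMembership`) so that a demotion that never happened shows up in inventory.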