Skip to main content

I was wondering if anyone has had any experience in an environment where end users have administrator privileges? We are currently throwing around the idea of making users admins and restricting a majority of software and apps, like terminal and Torrent applications.



We currently don't have a dedicated Casper person to update and manage packages and it also would be a big perception booster for IT. Also, a major portion (read: all) of our end users aren't very savy with the computers - which is another reason we are really considering this.



Can anyone think of a reason to not allow end users admin access if we add a blacklist of applications and have smart groups that show us if anything changes? I would love to hear opinions and criticisms!

There are always applications you'll miss with a blacklist. No one could possibly make an exhaustive list of all applications that could do harm to the computer or your network, not entirely.



With admin privileges, they could turn SSH off, or change the password to your management account, or delete the account entirely, or force unbind the machine (if using a directory service). You can smart group it to flag any of those scenarios in your JSS, but then you're kind of at a loss to re-enforce your IT policies without getting your hands on the machine physically. The fallout in some extreme cases (i.e., a disgruntled employee) may not be worth the risk.



But if you can live with these, go crazy. Sounds nice. :P



Michael

@ndudley, have a look at the following thread for some discussion on the topic.
https://jamfnation.jamfsoftware.com/discussion.html?id=9329

If you want to just do specific users on specific computers, I'm using this as part of an extension attribute.



https://github.com/franton/Add-Users-as-Admin-JSS

@mpermann Thanks so much! I read that article when it first appeared, just completely forgot about it!

This all depends on your environment and user responsibility. Our faculty here are local admins and the students are not. There's always a back and forth. However, at least with Casper and profiles, it's not that bad. Once a user starts really breaking something you can come along and clean up after them... while making sure it doesn't happen again on anything else!

I've been looking at using the "Make Me Admin" option from @Andrina from her JNUC2013 presentation.
She's posted it all here: https://github.com/andrina/JNUC2013



It might be something you could leverage for your environment w/o unleashing full access to everything.

Terms & ConditionsCookie settings