Posted on 10-25-2024 05:19 AM
I got a bit frustrated the other day because, well, most folks have teams of people to configure these token settings, dig into the claims, and get everything working seamlessly. Meanwhile, I had NO IDEA what I was doing. As someone who manages desktop technicians, I work closely with them to handle the technical aspects of both macOS and Windows environments.
When I first dove into the Jamf Connect documentation on temporary elevation permissions, I’ll admit—I got a bit... annoyed. It didn't feel very easy for what seemed like a straightforward task.
So, if you’re in a similar boat, trying to configure these permissions with existing setups, this guide is for you. I’ve broken down the steps to make it a little less painful and help you get up and running without reinventing the wheel.
1. Open Jamf Connect Configuration Tool: .plist from Jamf, if needed, and import it.
2. Navigate to the "Connect" Menu:
3. Enable Temporary User Promotion:
4. Set User Promotion Timer:
5. Enable Verify User Promotion:
6. Enable Promotion Reason Field:
7. Add Reasons for Elevation:
8. Set Admin Attribute: "roles" (reflecting the group type used in Azure Entra).
9. Add User Promotion Role:
10. Save and Export Configuration:
11. Access Azure Portal:
12. Configure Token Claims:
13. Create App Role: display name "Local Admin", allowed member types "Users/Groups", value "LocalAdmin" (important—this must match the Jamf Connect configuration).
14. Assign the App Role to Users/Groups:
15. Validate Configuration:
This guide ensures a seamless configuration of temporary permissions in Jamf Connect by integrating with Azure Entra. Once the roles and claims are correctly configured, you can grant temporary admin privileges to macOS users dynamically and securely.
Note: If I missed anything, just let me know!
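Added example for the "Validate Configuration" step and the "must match" caveat in the post above. This is my own code, not code from the post, from Jamf, or from Microsoft. It decodes the payload of an ID token, reads the claim named by the Jamf Connect admin attribute ("roles"), and checks that the configured role value ("LocalAdmin") is present, flagging the common mistake of typing the app role's display name ("Local Admin") into Jamf Connect instead of its value. The sample tokens are constructed and unsigned; the claim layout follows Entra's standard "roles" claim, and the manifest entry shape is the standard Entra app-manifest "appRoles" format. Signature verification is deliberately skipped here (this is a setup-time check, not a trust decision).

```python
"""Sanity-check the role claim Jamf Connect will read from an Entra ID token.

Added example, not code from the post or from Jamf/Microsoft. Assumes the
Jamf Connect admin attribute is "roles" and the app-role value is "LocalAdmin",
as in the post. The JWT is decoded WITHOUT signature verification: fine for
inspecting claims while setting this up, not for making trust decisions.
"""
import base64
import json
import uuid

ADMIN_ATTRIBUTE = "roles"        # Jamf Connect "Set Admin Attribute" value
ADMIN_ROLE_VALUE = "LocalAdmin"  # Entra app role *value* (not its display name)


def _b64url_decode(segment: str) -> bytes:
    """Decode base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT. No signature check (see docstring)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def make_demo_token(claims: dict) -> str:
    """Build a constructed, unsigned ('alg': 'none') token for offline testing."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        "",  # empty signature segment
    ])


def check_promotion_role(token: str, attribute: str = ADMIN_ATTRIBUTE,
                         role: str = ADMIN_ROLE_VALUE) -> tuple:
    """Report whether the token would satisfy the configured role check.

    Mirrors the post's caveat: the value in the token must match the role
    string configured in Jamf Connect exactly. Returns (ok, explanation).
    """
    claims = decode_jwt_payload(token)
    if attribute not in claims:
        return False, (f"claim '{attribute}' is absent: the app role is not "
                       f"assigned to this user/group, or the token claims were "
                       f"not configured to include it")
    values = claims[attribute]
    if isinstance(values, str):  # a single role may arrive as a bare string
        values = [values]
    if role in values:
        return True, f"claim '{attribute}' contains '{role}'"
    # Common mistake: the app role's *display name* was typed into Jamf Connect
    # instead of its *value*; surface near-misses so the cause is obvious.
    for v in values:
        if v.replace(" ", "").casefold() == role.replace(" ", "").casefold():
            return False, (f"near match: token has '{v}' but the configuration "
                           f"expects '{role}' (case and spacing must be exact)")
    return False, f"claim '{attribute}' = {values!r} does not include '{role}'"


def make_app_role_manifest_entry(display_name: str, value: str,
                                 description: str, role_id: str = "") -> dict:
    """Entra app-manifest 'appRoles' entry for a user/group-assignable role.

    'Users/Groups' in the portal is 'User' in allowedMemberTypes. The id is a
    GUID you choose once and keep stable across edits.
    """
    return {
        "allowedMemberTypes": ["User"],
        "description": description,
        "displayName": display_name,
        "id": role_id or str(uuid.uuid4()),
        "isEnabled": True,
        "value": value,
    }


if __name__ == "__main__":
    # Constructed sample payloads (not real tokens).
    good = make_demo_token({"sub": "user1", "roles": ["LocalAdmin"]})
    near = make_demo_token({"sub": "user2", "roles": ["Local Admin"]})
    missing = make_demo_token({"sub": "user3"})
    for t in (good, near, missing):
        print(check_promotion_role(t))
    print(json.dumps(make_app_role_manifest_entry(
        "Local Admin", "LocalAdmin", "Temporary local admin via Jamf Connect"),
        indent=2))
```

To use it against a real token, paste the ID token (for example from a browser devtools capture or the IdP's test sign-in) into check_promotion_role(); a "near match" result means the Jamf Connect role string and the Entra app role value were typed differently, and an "absent" result usually means the user is not in a group that has the app role assigned.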
Posted on 10-25-2024 06:15 AM
I'll agree Jamf's documentation on this could be clearer. I got everything set up a few months ago, and it immediately failed a security review, which I should have seen coming. All of this process still makes the user an administrator, not the tech, and on top of that our entire workforce is remote, so the tech is never sitting in the user's lap.
We already had an Endpoint Permissions Manager in place, but I was hoping this would be a nice fall back, but it still has too many gaps that Jamf may not even be able to close.
Posted on 10-25-2024 06:19 AM
Our use case involved managing local admin access on both Windows and macOS. Previously, we maintained individual policies for each user and their assigned device. Now, by utilizing group management through Azure, we streamline the process—eliminating the need to recreate policies from scratch each time. Naturally, we have established policies and procedures to support this transition.
Posted on 10-25-2024 06:24 AM
My employer has a very low risk tolerance. No users have elevated access on Windows or macOS, some support techs have admin accounts that they use on Windows to "run as" and the EPM tool fills gaps. On macOS if the EPM can't do it, the IAM team will use the EPM tool to promote the user to admin or we use Jamf to script the task. We would love a way for our admin accounts to work on macOS without having to log in to the OS to build the account, but alas that is not how macOS works lol.