Jamf Connect Demoting Admin User to Standard Account

nwsbear
New Contributor II

Using regular local user accounts with Jamf Connect (Azure), not mobile or network accounts.

When first logging in to a machine with Connect, the local user account is created as an admin (per the Jamf Connect Login config) as expected. When the computer is restarted, the account is demoted to a Standard account until manually given admin rights again. We want admin rights to be permanent.

I see this line in the Connect Login logs:
NoLoSwiftMech: Removing user from admin group

Any ideas? Thanks!

3 REPLIES

kowsar_ahmed
Contributor

Use the OIDCAdmin attribute to specify this; we grant admin rights via an admin group using:
OIDCAdmin : Security group
OIDCAdminAttribute: Groups
For Azure it should be much easier. This does a check on the accounts when they log in and revokes any users not in the group; however, just log a support call, as I presume they have a key to leave every user as admin.

nwsbear
New Contributor II

Thanks! I didn't realize that you had to specify that users remain admins. Actually, I just ended up using this, since users are set as admins initially:

<key>OIDCIgnoreAdmin</key>
<true/>

musat
Contributor II

Thought I would reply to this to say that the OIDCIgnoreAdmin key is necessary for those using GSuite as an authentication service, since you can't use group membership to determine admin rights.
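An added example, not code from this thread or from Jamf: a small Python model of how the three keys discussed above (OIDCAdmin, OIDCAdminAttribute, OIDCIgnoreAdmin) interact at login, using constructed com.jamf.connect.login plists and a constructed set of ID-token claims. The decision order (OIDCIgnoreAdmin first, then the OIDCAdmin group check, otherwise demotion) is my reading of the thread's description, not Jamf's implementation.

```python
"""Model of the admin-rights decision Jamf Connect Login makes at login,
as described in this thread. The logic is an assumption drawn from the
posts above, not Jamf's code; every plist below is constructed."""
import plistlib

# Constructed settings: admin only for members of the IdP group named in
# OIDCAdmin, read from the token claim named in OIDCAdminAttribute
# (kowsar_ahmed's approach). "EXAMPLE-ADMIN-GROUP" is a placeholder name.
GROUP_POLICY = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>OIDCAdmin</key><string>EXAMPLE-ADMIN-GROUP</string>
  <key>OIDCAdminAttribute</key><string>groups</string>
</dict></plist>"""

# Constructed alternative: leave whatever admin state the account already
# has (nwsbear's fix, and musat's GSuite case).
IGNORE_POLICY = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>OIDCIgnoreAdmin</key><true/>
</dict></plist>"""

# Constructed: neither key set, the situation the original poster hit.
NO_POLICY = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict/></plist>"""


def should_be_admin(plist_bytes, id_token_claims, currently_admin):
    """Return whether the local account should hold admin rights after this
    login. id_token_claims is a dict of claims from the IdP token;
    currently_admin is the account's state before the login check runs."""
    prefs = plistlib.loads(plist_bytes)
    if prefs.get("OIDCIgnoreAdmin"):
        return currently_admin          # admin group left untouched
    admin_groups = prefs.get("OIDCAdmin")
    attribute = prefs.get("OIDCAdminAttribute")
    if not admin_groups or not attribute:
        return False                    # nothing grants admin: demoted
    if isinstance(admin_groups, str):
        admin_groups = [admin_groups]   # a single group name is allowed
    claim = id_token_claims.get(attribute, [])
    if isinstance(claim, str):
        claim = [claim]                 # a lone group claim is allowed
    return any(group in claim for group in admin_groups)
```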