Posted on 11-27-2019 06:25 AM
Using regular local user accounts with Jamf Connect (Azure). Not mobile, or network accounts.
When first logging in to the machine with Connect, the local user account is created as an admin (per Jamf Login config) as expected. When the computer is restarted, the account is demoted to a Standard account until manually given admin rights. We want admin rights to be permanent.
I see this line in the Connect Login logs:
NoLoSwiftMech: Removing user from admin group
Any ideas? Thanks!
Posted on 11-27-2019 07:14 AM
Use OIDCAdmin attribute to specify this, we grant admin rights via admin group using:
OIDCAdmin : Security group
OIDCAdminAttribute: Groups
For Azure it should be much easier. This does a check on the accounts when they log in and revokes any users not in the group, however just log a support call as I presume they have a key to leave every user as admin.
Posted on 11-27-2019 08:30 AM
Thanks! I didn't realize that you had to specify that users remain admins. Actually just ended up using this since users are set as admins initially:
<key>OIDCIgnoreAdmin</key>
<true/>
Posted on 09-15-2020 05:56 AM
Thought I would reply to this to say that this OIDCIgnoreAdmin key is necessary for those using GSuite as an authentication service, since you can't use group membership to determine admin rights.
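Added example (not from any poster in this thread and not Jamf's code): a small Python model of the login-time admin decision the thread describes, useful for checking what a given Jamf Connect Login payload will do to a local account before deploying it. The payloads, the `Mac-Admins` group name, the helper names, and the fallback to a `groups` claim when `OIDCAdminAttribute` is unset are assumptions made for illustration.

```python
import plistlib

def _profile(body: str) -> bytes:
    # Wrap settings in a minimal plist; every payload below is a constructed sample.
    return f'<plist version="1.0"><dict>{body}</dict></plist>'.encode()

# Situation from the first post: account created as admin, no admin roles configured.
NO_ROLES = _profile("<key>CreateAdminUser</key><true/>")

# Role-based admin rights, as suggested in the first reply (group name is hypothetical).
GROUP_BASED = _profile(
    "<key>OIDCAdmin</key><array><string>Mac-Admins</string></array>"
    "<key>OIDCAdminAttribute</key><string>groups</string>"
)

# The setting the original poster ended up using.
IGNORE_ADMIN = _profile(
    "<key>CreateAdminUser</key><true/>"
    "<key>OIDCIgnoreAdmin</key><true/>"
)

def admin_after_login(payload: bytes, claims: dict, currently_admin: bool) -> bool:
    """Model of the behaviour described in the thread, not Jamf's implementation."""
    cfg = plistlib.loads(payload)
    if cfg.get("OIDCIgnoreAdmin", False):
        # Role check skipped: the account keeps whatever rights it already has.
        return currently_admin
    attr = cfg.get("OIDCAdminAttribute", "groups")  # assumed default claim name
    roles = cfg.get("OIDCAdmin", [])
    values = claims.get(attr, [])
    # Accept a single string as well as a list for both settings and claims.
    roles = [roles] if isinstance(roles, str) else roles
    values = [values] if isinstance(values, str) else values
    # Admin only if the ID token carries one of the configured roles;
    # otherwise the user is removed from the admin group at login.
    return bool(set(roles) & set(values))

if __name__ == "__main__":
    staff = {"groups": ["Staff"]}               # constructed ID token claims
    admin = {"groups": ["Staff", "Mac-Admins"]}
    print("no roles, was admin   ->", admin_after_login(NO_ROLES, staff, True))
    print("group match           ->", admin_after_login(GROUP_BASED, admin, False))
    print("group miss, was admin ->", admin_after_login(GROUP_BASED, staff, True))
    print("ignore, was admin     ->", admin_after_login(IGNORE_ADMIN, {}, True))
```

With `OIDCIgnoreAdmin` set, the identity provider no longer has any say over local admin rights, so revoking them has to happen through another channel.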