Help

Users Losing Admin rights after Software Update

user-jXpFVAbPRc
New Contributor

Posted on ‎10-26-2021 12:02 PM

We have some users that have admin rights on their machines. This is set manually by our IT dept using the check box under Users and Groups (allow users to administer this computer).

The problem is they lose their admin rights and go back to standard users after a MACOS update. 

 

I just tested and went from Big Sur to Monterrey with a user account set as admin and after the reboot and login, the user lost admin privs.

 

Is there something I am missing somewhere? 

 

Thank you.

0 Kudos
4 REPLIES 4

bmcdade
Contributor

Posted on ‎11-08-2021 02:49 AM

Did you get anywhere on this?  I seem to have a similar issue with accounts using the OIDCAdminClient value on an M1 running the latest Big Sur release.  My Account which is Admin, set by default and is in the OIDCAdminClient list seems to be demoted to standard on a reboot.  We often give the user Admin rights to the device and now it would be possible that they get removed.  We are looking into why this is happening.

0 Kudos

JohnMcNairLL
New Contributor

Posted on ‎01-21-2022 11:22 AM

Bumping this, as I am having the same issue with 2 users.  One is running Monterey 12.1 and the other is on 11.5.2.

We use Jamf Connect to set all users to Standard accounts, and then manually promote certain people to Admin via a dscl command.  But when these 2 users restart their systems, they lose admin privileges and I need to remote in and promote their account again.

For both of these users and systems, I have tried promoting their accounts via the Users & Groups PrefPane, but the same issue happens, they lose admin privileges after restarting.

Jamf Pro Cloud 10.35

Jamf Connect 2.5.0 (on both systems)

0 Kudos

bmcdade
Contributor
In response to JohnMcNairLL

Posted on ‎01-24-2022 12:41 AM

This sounds like the bug fix after 2.02.. I would have to find it but if you are using OIDC groups (admin and client) to define Admin rights, then after that release it seems Jamf fixed the issue of enforcing the group.  We would do the same often promote a user to Admin on their own hardware, however using later versions, the user needed to be in the OIDCAdminClient group to keep permissions (where previously they didn't).  Security wise this makes sense to enforce the groups however it isn't practical for our use case.

0 Kudos

JohnMcNairLL
New Contributor
In response to bmcdade

Posted on ‎04-13-2022 09:46 AM

@bmcdadethank you for the  explanation.  My Jamf support engineer came back with the same thing right after you did.

0 Kudos