Jamf Connect / Azre AD / Admin and Standard User Roles

bottsc
New Contributor II

We're relatively new to Jamf Connect and haven't fully deployed it yet. 

Currently, employees are administrators on their assigned computer. However, in classrooms/labs users are not given administrator rights. In the Jamf Connect App roles setting in Azure, it looks like we need to either assign users as admin or standard. Is it possible to ensure employees are admins when they login to their 1:1 device but a standard user in a lab? It was suggested that we stop giving users admin access on their primary machine, but I'm not sure how well that would be accepted at this point...

11 REPLIES 11

dvasquez
Contributor III

I believe it has to be one or the other. 

I would use the admin or the standard that is a part of the largest deployment. 

Then use a policy and a script to make specific scoped computer locations standard accounts. 

Hope that makes sense. 

I will also help you look this up more. 

dvasquez
Contributor III

bottsc
New Contributor II

Thanks. I did review those instructions, and I do have roles setup in Azure. I don't see a way to set admin/standard users based on the computer they login to.

I hear you.

What I mentioned was if you have a location or building set up. You can consolidate those computers in a smart group and tie them to a script that later makes the user accounts standard while allowing Jamf Connect to create all admin roles for the others, or the reverse. I am in no way saying this is perfect but you can test. We currently set all computers to admin local accounts and demobilized them. 

hmadani
New Contributor II

dumb question as I'm also new to JAMF connect but don't want to make a new thread: where do I get their packages from? I recently started this position and JAMF connect was already in a policy for v 2.4 but I want to update that to at least v2.7. No idea where to get older versions though 

bottsc
New Contributor II

You can find the package files in your Jamf account )https://www.jamf.com/login/). You can also configure Jamf Connect updates: https://docs.jamf.com/jamf-connect/2.10.0/documentation/Jamf_Connect_Updates.html

hmadani
New Contributor II

thanks for the document. I was under the assumption I would have to manually upload a new jamf connect package but you can do it automatically. always love that to save time 
I also got ahold of someone from JAMF and he informed me that I can just log into https://account.jamf.com/ and click on products > connect > click on view previous versions. 

Azalin
New Contributor

I think easiest way to do is, create a policy with login trigger for that computers to make user standard. so user can login as admin but policy can turn them into standard. I haven't tested but in theory should work. 

 

loggedInUser=$(last | awk '/console/ && !/root/' | head -n 1| awk ' {print $1}')

dseditgroup -o edit -d $loggedInUser -t user admin

vinu_thankachan
Contributor

check the Universal User Role Settings :

try setting CreateAdminuser as false 

https://docs.jamf.com/jamf-connect/2.10.0/documentation/Login_Window_Preferences.html?hl=createadmin...

Screen Shot 2022-03-24 at 5.51.07 PM.png

Hello, adding to this thread. I am unsure how you are creating the payloads for distribution, using the configuration tool to create them right out of the console? Creating the configurations right from the Jamf Pro console was extremely easy and helpful and I recommend it. Understanding you need to add additional packages and policies tied to deployment. Always test and ensure you see the correct outcome. 

The one thing we def use the configuration app for is testing OIDC and ROPG. I really think that is excellent. 

ceeateadminuser settings is available in jamfpro comsoleScreen Shot 2022-03-24 at 8.31.31 PM.png