Jamf Now Fundamentals - Local Admin account and Standard account on Macs

Benn
New Contributor

I want to enroll a Jamf Now Fundamentals setup to x3 new MacBook Pros. I've configured the apps/software I require etc. and am ready to enroll.

Do I need to set up local Admin and Standard accounts on the new Macs before enrollment?
Or can I just get away with a Standard local account on the Mac?

As I may need to install additional apps that aren't available on the App Store.

12 REPLIES

chaz
New Contributor III

Hey @Benn,

The first question is whether you will be using Auto-enrollment or Open Enrollment to enroll these Macs. Auto-enrollment does require an Apple Business Manager/Apple School Manager account as mentioned below:

https://docs.jamf.com/jamf-now/documentation/Automated_Device_Enrollment_in_Jamf_Now.html

If you are using Open Enrollment, the process of installing the enrollment profile does require admin credentials which is something to keep in mind. Any additionally deployed and managed app via Jamf Now would also require Apple Business Manager as macOS only supports licensed app deployment when using MDM. End users can always initiate app installs themselves via the App Store but that also requires admin credentials (if I recall correctly). 

 

Chaz

 

bwoods
Valued Contributor

Personally, I prefer to always make the first user admin. They can be demoted at any time during the provisioning process. 

Demote:

sudo dseditgroup -o edit -d "$(who | awk '/console/{ print $1 }')" -t user admin

 

Promote:

dseditgroup -o edit -a "$(who | awk '/console/{ print $1 }')" -t user admin

 

It'll save you the trouble of learning everything about Secure Tokens, Bootstrap Tokens, and Volume Owners. 
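An added example, not part of the thread or any poster's code: a guard around the demote command above that refuses to remove the console user from `admin` when no other admin would remain, after which a standard user can no longer run the promote command with `sudo`. The `itadmin` account name and the sample `dscl` output are constructed, and the script assumes it runs as root on macOS when called with `--demote`.

```shell
#!/bin/sh
# Added example: demote the console user only if another local admin remains.
# Constructed samples of `dscl . -read /Groups/admin GroupMembership` output;
# "itadmin" is a hypothetical second admin account.
SAMPLE_TWO_ADMINS='GroupMembership: root itadmin benn'
SAMPLE_ONE_ADMIN='GroupMembership: root benn'

# Print direct admin-group members other than root and the target user.
# root is skipped because the root login is disabled by default on macOS.
# $1 = user to demote, $2 = GroupMembership output
remaining_admins() {
    printf '%s\n' "$2" | tr ' ' '\n' |
        awk -v u="$1" 'NR > 1 && $0 != "" && $0 != "root" && $0 != u'
}

# Exit 0 if $1 is an admin and another admin remains; 1 if $1 is the only
# admin; 2 if $1 is not in the admin group at all.
can_demote() {
    case " ${2#GroupMembership:} " in
        *" $1 "*) ;;            # target is currently an admin
        *) return 2 ;;          # nothing to demote
    esac
    [ -n "$(remaining_admins "$1" "$2")" ] || return 1
}

# Real run on macOS as root (for example from an MDM-run script). Uses the
# thread's console-user lookup and its dseditgroup demote command.
demote_console_user() {
    user="$(who | awk '/console/{ print $1 }' | head -n 1)"
    [ -n "$user" ] || { echo "no console user" >&2; return 3; }
    members="$(dscl . -read /Groups/admin GroupMembership)" || return 4
    if can_demote "$user" "$members"; then
        dseditgroup -o edit -d "$user" -t user admin
    else
        echo "refusing: $user is not an admin or is the only admin" >&2
        return 1
    fi
}

# Act only when explicitly asked, so sourcing this file changes nothing.
if [ "${1:-}" = "--demote" ]; then demote_console_user; fi
```

Only direct members listed in `GroupMembership` are counted; admins granted through nested groups are not seen by this check.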

Benn
New Contributor

Could really do with your help in getting the promote command to work via terminal.

I used this command to change admin to standard user:
sudo dseditgroup -o edit -d UserName -t user admin

But now I can't figure out how to revert back to the admin account.

bwoods
Valued Contributor

@Benn, make sure to "@" my username to get my attention. Okay, so if you're testing this in terminal you need sudo permission. However, there's a way to always run your commands as sudo... you have to use the files and processes payload to execute commands. Create two new policies. One will demote and the other will promote. You can summon these policies from terminal with jamf commands (sudo jamf policy -id "policyidnumber" or sudo jamf policy -event "customtrigger").

 

Overall, you need to test these commands directly from your Jamf Pro server, and use jamf commands to summon the policies.

 


bwoods
Valued Contributor

Take a close look at the commands I posted above. There is a subtle difference between the two, specifically "-a" (add/Promote) and "-d" (delete/demote).


Benn
New Contributor

@bwoods my issue is I am not using Jamf Pro, I am using Jamf Now.

Benn
New Contributor

@bwoods I am only using Jamf Now, am I still going to be able to use the commands you mention?

bwoods
Valued Contributor

@Benn, I'm not really familiar with Jamf Now, but as long as you have the ability to deploy policies you should be able to do this. Otherwise, you won't be able to do this at scale.

Benn
New Contributor

Thanks for the msg, I'm having problems with the demote terminal code. Do I need to replace the "user admin" with the name of the user on the Mac I am using?

Benn
New Contributor

The error I am getting is in the screenshot attached: Screenshot 2022-09-13 at 10.07.27.png

Benn
New Contributor

Used this command in the end: 

sudo dseditgroup -o edit -d UserName -t user admin

Benn
New Contributor

Can anyone tell me how I revert this command:
sudo dseditgroup -o edit -d UserName -t user admin

I need to change the standard user back to Admin