Posted on 01-21-2020 04:26 AM
Does anyone have a good write up or comparison chart for Admin vs Standard users?
Looking to show functionality differences between the account types.
Posted on 01-21-2020 07:44 AM
There's not much to compare. Effectively, a standard user can only make changes that affect his or her home folder, the /Users/Shared folder and elsewhere as an admin allows. An admin can make system-wide changes as Apple allows (i.e. locations not protected by System Integrity Protection).
If you think of a computer as a hotel, a guest (user) has access to only his or her room and the privileges to use the amenities the hotel offers like the pool and restaurant. The manager (admin) has access to all rooms and is responsible for the hotel functioning like making sure the pool has water and the restaurant has food.
Are you looking for any guidance in particular?
Posted on 01-21-2020 08:19 AM
thanks @talkingmoose. Basically our Security Team is coming down with "We need to be like Windows and remove Admin rights from everyone." Currently all our Mac users are Admins. We are a 1:1 deployment with local accounts and we haven't seen much issue with everyone being an admin. Was just looking to give security a breakdown of the differences between standard and admin. I also informed them we can prevent access via jamf to particular places like Sharing Pane, Profiles Pane, etc.
Posted on 01-21-2020 10:53 AM
Better scenario:
Can you justify why they NEED to be admins? Corporate environment, they usually don't. Best practice from a security standpoint is to remove it. If you want, implement something like Jamf's "Make me Admin" script for the occasional use.
https://github.com/jamf/MakeMeAnAdmin
Posted on 05-27-2021 11:33 AM
@DBrowning I'm finding myself in a similar situation. Did you change your users to standard? How did it go? What road blocks should I be expecting when it comes to users wanting to install items or run some command lines that require sudo?
Thanks in advance
Posted on 05-27-2021 12:32 PM
@PianoDanno Our security department gave up. At least for now. So we haven't looked any further into it.
Posted on 05-28-2021 04:49 AM
All our users are standard users, even the ones with Laptops. All the desktops are managed by the IT department, we install Apps, generally via JAMF but there is the odd pain in the rear out there. Laptops are set up by us, and then the users have access to Self Service where they can install apps. We just have to put them in there ready for them to install. We have no problems with all of the users being standard users. I provide a script to elevate the Laptops to be able to install printers as a standard user, and that is the only thing I do above a standard user. Our Security people and our certification will not allow us any other way.
Posted on 05-28-2021 10:34 PM
This is a big and tricky subject to navigate. It highly depends on your Org's needs and culture. There are risks on all sides to consider. Removing local admin obviously removes the risk of an end user installing malicious or bad software as the admin user, but it also means that IT now has to package and provide everything. Depending on your Org's needs this may or may not scale at all.
Using any sort of admin on demand is also a mixed bag. If you can get admin on demand at any time, you are basically always an admin and this does not mitigate someone from getting temp admin and installing bad or malicious software, but the trade off could be that they won't be running local admin 100% of the time.
Software is a big factor, possibly the biggest. If you are going to revoke local admin, you must provide all the possible software to the end user they might need. This is a vastly different thing from Org to Org. Org 1 might have 50-100 apps in their app catalog and offerings, while Org 2 could have 10,000 apps. It is all about balance.
There is always a support cost to consider as well. Granting local admin means the human that is using the device can install a printer, or a piece of software when they need to. Revoking local admin means they will have to open a ticket and request this. Even if you go all out on automation you probably won't be able to cover every single use case. Even with tools like AutoPKG (which is one of the best open source Mac Admin tools out there) can run into limits when software packages are hidden behind auth walls or something like captcha. So, you might be assuming a lot of manual labor to revoke admin rights. Which is fine, but that means your Org should budget for more headcount to support this.