Admin versus Standard Users

mconners
Valued Contributor

First off, I know this has been discussed at varying degrees over the past and I appreciate all of you who have chimed in and shared. This discussion is surrounding what to expect so I can be prepared.

At our college, employee users of their Macs or PCs have local admin rights, currently. There is a discussion that is gaining strength about removing the local admin rights from our computers that are owned by the college. I know the advantages of not running as local admin. However there are considerations to make when we indeed remove the local admin abilities.

Who of you have gone through this exercise and what were your experiences? Did you find gotchas that were taken for granted until after the fact? For instance, adding printers? How about specific single application updates that we won't be packaging for, those apps that the instructor needs for their class but I won't be touching?

Anything you can share would be welcome information so I can best prepare for the inevitable. Making sure I can take care of our customers here is critical. As I am the only Apple guy for the entire college, having my ducks in a row would be important.

Thank you,

Mick

10 REPLIES

roiegat
Contributor III

So we went from all laptop users having admin rights, to removing it completely. The reason they needed it was because they needed to change their proxy settings at home to be able to VPN in. So I wrote a script that would detect their location and set proxies based off that.

So when we decided to remove admin rights, we had to ensure that users can still perform the functions they need. So we used a configuration profile to allow them to do some things and prohibit others - that's a good starting point. But we also surveyed the users to see what they use admin access for and see if it can be remediated with a self service policy or a script.

But, there will always be users who actually need admin access. We have developers who work in Xcode and need sudo access and things like that. So what we did was create a new user account for them in AD that was added to a special AD role LOCAL_ADMIN_$computer name. Then told the machine that the role can administer it. So if a user needed admin access, they would only have admin access on their machines and nobody else's.

One caveat I would mention is making sure users are aware of what you are doing and the timeline it will be done in. We started communications about a month before the fact, along with instructions on how to request the admin access. We emailed three weeks out, and then weekly. I worked directly with the Info Sec team to look over the admin requests as well to see if their reason was legit.

Good luck! Removing admin won't make you popular on campus.
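An added example (not part of roiegat's post and not their script) of the per-machine group pattern described above: it derives the `LOCAL_ADMIN_<computer name>` group name and lists members of the local admin group that are not on an allow-list. The name normalization, the `itadmin` account, the `EXAMPLE` domain and the sample membership values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: per-machine AD admin group name plus a local admin audit.

# Build the group name from the post: LOCAL_ADMIN_<computer name>.
# Assumption: the name is upper-cased and anything outside A-Z, 0-9 and '-'
# is dropped so it is a valid directory group name.
admin_group_for() {
    name=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]' | tr -cd 'A-Z0-9-')
    [ -n "$name" ] || return 1
    printf 'LOCAL_ADMIN_%s\n' "$name"
}

# Take one "GroupMembership: user1 user2 ..." line, as printed by
#   dscl . -read /Groups/admin GroupMembership
# and print every member that is not in the space-separated allow-list.
unexpected_admins() {
    membership=$1
    allowed=$2
    set -f                      # no filename expansion while word-splitting
    for user in ${membership#GroupMembership:}; do
        case " $allowed " in
            *" $user "*) ;;     # expected admin, ignore
            *) printf '%s\n' "$user" ;;
        esac
    done
    set +f
}

# Only runs on a Mac (dscl and scutil are macOS tools); read-only.
if command -v dscl >/dev/null 2>&1; then
    group=$(admin_group_for "$(scutil --get ComputerName)")
    echo "AD group that should administer this Mac: $group"
    # Binding the group to the Mac needs root and replaces the current list:
    #   sudo dsconfigad -groups "EXAMPLE\\$group"   (EXAMPLE = placeholder domain)
    echo "Local admins not on the allow-list:"
    unexpected_admins "$(dscl . -read /Groups/admin GroupMembership)" "root itadmin"
fi
```

Running the audit across the fleet before the change shows which accounts would lose admin rights and need a request on file.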

pete_c
Contributor III

When my last agency was purchased and rolled into a new company, the existing IT powers-that-were decreed that all users would have local administrative rights, which was a complete reversal from my previous policy.

I expected the worst.

However, out of hundreds of users and systems, I can only think of a handful of instances where someone (ab)used their new privileges - installing pirated software or deleting something mission critical for their role.

I'd like to second @roiegat's comments above and stress the importance of effective communication and policy: any reduction in a user's abilities should be well-documented, with an explanation of the rationale and a mechanism for allowing someone to present a case why they need admin rights. I wouldn't characterize it as CYA, but as opening and maintaining a dialog so that the user base understands decisions being made on their behalf.

I'd also consider a pilot program - identify some test users, make the change, circle back in a few months and dissect what implications, if any, the changes had.

All of that said, I'm still firmly on the side of disallowing admin rights on company/institutional equipment. Ransomware is only going to become a greater threat over time.

tnielsen
Valued Contributor

@roiegat This

How's that for stellar contribution.

easyedc
Valued Contributor II

I'll throw my 2¢ into this discussion. We have a mostly developer class user base. As such they often feel that they should be local admins. Whenever we've given them any flexibility we've seen things go amok. We have one group that persistently removes the JAMF framework ('natch since the instructions are easy to find on the internet). We have found that a carrot/stick method to control that somewhat helps. The ability to remotely blacklist them from the internet usually gets their attention.

AVmcclint
Honored Contributor

Some things to consider are:

1. how big is your support staff? If you only have 1 or 2 Mac techs and 500 users with admin rights, you're asking for trouble. You can threaten users with a 'stern talking-to' if they abuse their rights but we all know that isn't an effective deterrent.
2. how experienced are the users who require admin rights? If the users barely know how to operate an open/save dialog box, then giving them the keys to the castle is not a good idea.
3. do users need complete unfettered admin access to everything on the computer or just for a small set of tasks like being able to add/remove printers? If it's just a few items that dictate their request for admin rights, there are USUALLY scripts or single commands that can be run to accomplish that without sacrificing security.
4. are the computers in a lab setting where multiple people with admin rights come and go? Something like DeepFreeze could allow them to do what they want, and to restore back to a known-good state all you have to do is restart the computer all while still giving users a local space to save files.
5. what are the risks to company data? All it takes is one careless admin user to run an unknown installer that infects the computer with a trojan or ransomware.
6. in rare circumstances users may have a program they need to run that absolutely must be run as admin and there's no way to trick it. Situations like that will need to be weighed with all the other considerations to determine the best way to handle it so it fits your organization's security plan.
7. How prepared are you to completely re-image a computer at a moment's notice? All the stern warnings and acceptable use policies in the world still won't prevent admin users from completely screwing things up to the point where re-imaging is more efficient than trying to undo whatever they did.

dwandro92
Contributor III

You might want to look into PowerBroker for Mac as a possible solution.

Kevin
Contributor II

This response only applies to business admins. Education is different for obvious reasons.

I have been a Mac admin for 19 years. I resisted giving admin rights to the user for years. OS X was awesome. It eliminated so many issues we had with System 9, 8, 7 etc… Then, I had a revelation: IT doesn't own these computers–the business does. (even if your IT shop buys and "owns" the units, there would be no need if there wasn't a business user for it. Funds from the business pay for everything, so in effect, the business always owns the devices).

What right do I have to tell the owner of a tool (the Mac) that they can't have full use of it? My role is to create an environment where they can safely (for them and the organization) do their job. They often have business needs that warrant installing software, etc… It is their computer. They use me only to provide them with service. I need them. They don't need me. If I don't provide them with good service, they can get somebody else to provide it. My job exists because of their need, not the other way around. I want to be a trusted partner to the business.

I have moved from a decidedly old school IT mentality (lock the "user" down) to a more customer-centric attitude. Give the "customer" what they want. Giving them what they want in a safe, secure manner is my responsibility.

dwandro92
Contributor III

Well stated, @Kevin.

mconners
Valued Contributor

Thank you to everyone who has responded and those who are about to type in something on this topic. I too feel the same way about my position being driven by the customer-centric model. Over the course of 30+ years in higher ed and K-12 support, I have found more and more reason for users to ask me how to improve their computing environment. I can make their lives better!

With Casper and Self service, I have been given a tool shed full of equipment to help with this model. We have more and more competition around us in the world of learning and if we make it too difficult for our students and our employees to do their jobs, then I haven't done mine very well.

We used to have badges that said, "Students First." I never needed a badge to remind me of my purpose. Of course student Macs don't have an admin account that others have access to. Employee equipment on the other hand, I certainly don't have the manpower to develop all kinds of workarounds to allow our users to mimic the need for local admin.

At this point, given the tools I have, I now have users contacting me almost daily about permissions to add this or delete this or install that. I feel if I barge into their world and strip them of essential tools, then this wonderful relationship and rapport I have built will slowly deteriorate. Talking with colleagues here on the PC side of the world, a Mac user running as admin versus a PC user running as admin are really different animals.

Again, thank you all for your input, this has been very helpful.

Mick

davidacland
Honored Contributor II

Hi,

Last year I tried running as a non-admin for ~6 weeks and logged all administrative requests, then blogged about it here: http://www.amsys.co.uk/2015/07/life-non-admin/?nabe=6486817002487808:0&utm_referrer=https%3A%2F%2Fww...

It will differ greatly depending on the role. When I was doing "manager" type stuff, I rarely saw a prompt. When I started doing IT admin type stuff, it was unbearable.

Controlling what apps are installed and when they get updated seemed to be key. Taking away the users' rights will put the full burden on the IT team that they need to be ready for.