Advice: Creating new Management Account

ThijsX
Valued Contributor

Hi there!

Just checking if anyone has pro-tips!

We currently have a management account on many devices with the same password, and that same local account is used for the helpdesk.

What I am trying to achieve is:
- Create a new hidden management account like "_management" on existing devices
- Still have the ability to use Jamf Remote
- When that is all done, set up macOS LAPS for the helpdesk account (no help needed for this)

What is the best way to achieve this?

Already tried:
- Create a custom QuickAdd.pkg with the params -noPolicy -noManage to prevent triggering enrollment and other policies; _management gets created, but then Jamf Remote keeps "authenticating". In the JSS the device state has changed to managed: _management
- Create a new local account with a Jamf policy and then make it hidden, edit the device info and change the management account; did it manually and via the Actions option.
- Use the jamf binary to create an account, and change the management account through Actions or the device inventory

All feels fine, except Jamf Remote keeps trying to authenticate, so I guess the randomized / static password for the _management account does not get submitted correctly, but the weird fact is that if I change it manually it still is not working.

When I change it back to the "old" management account, Jamf Remote does its job.

Any suggestions on how to only change management account for macOS devices?

Cheers!
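For the "create a new hidden management account" step in the list above, an added example that is not code from the thread or from Jamf: a POSIX sh script that creates a hidden local admin account with sysadminctl and dscl, grants it Remote Login (the SSH access Jamf Remote relies on), and verifies the result. Assumptions: macOS 10.10 or later, run as root, the environment names ACCOUNT, ACCOUNT_UID, ACCOUNT_PW and DRY_RUN are mine, and the password is only a placeholder that the change-management-account-password policy or LAPS rotates afterwards.

```shell
#!/bin/sh
# Added example (not from the thread): create a hidden "_management"-style local
# admin account on macOS and verify it. On non-macOS systems, or with DRY_RUN=1,
# only the planned commands are printed. ACCOUNT_PW is a placeholder secret.
ACCOUNT="${ACCOUNT:-_management}"
ACCOUNT_UID="${ACCOUNT_UID:-499}"   # below 500, so Hide500Users keeps it off the login window

# Service-style name: leading underscore, then only lowercase letters, digits or '_'.
valid_account_name() {
  case "$1" in
    _*[!a-z0-9_]*|_) return 1 ;;
    _[a-z0-9_]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the commands that would run, one per line, without executing anything.
account_plan() {
  name="$1"; uid="$2"
  valid_account_name "$name" || return 1
  printf '%s\n' \
    "sysadminctl -addUser $name -fullName $name -UID $uid -home /var/$name -admin -password <ACCOUNT_PW>" \
    "dscl . -create /Users/$name IsHidden 1" \
    "defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool TRUE" \
    "dseditgroup -o edit -a $name -t user com.apple.access_ssh"
}

# Execute the plan (root on macOS, ACCOUNT_PW set); the SSH group is what Jamf Remote needs.
create_hidden_account() {
  name="$1"; uid="$2"
  valid_account_name "$name" || { echo "invalid account name: $name" >&2; return 1; }
  [ -n "$ACCOUNT_PW" ] || { echo "ACCOUNT_PW is not set" >&2; return 1; }
  sysadminctl -addUser "$name" -fullName "$name" -UID "$uid" -home "/var/$name" -admin -password "$ACCOUNT_PW" &&
  dscl . -create "/Users/$name" IsHidden 1 &&
  defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool TRUE &&
  dseditgroup -o edit -a "$name" -t user com.apple.access_ssh
}

# Post-checks: the account is hidden, is an admin, and may log in over SSH.
verify_hidden_account() {
  name="$1"
  dscl . -read "/Users/$name" IsHidden 2>/dev/null | grep -q ' 1$' || return 1
  dseditgroup -o checkmember -m "$name" admin >/dev/null || return 1
  dseditgroup -o checkmember -m "$name" com.apple.access_ssh >/dev/null
}

if [ "${DRY_RUN:-0}" = 1 ] || [ "$(uname)" != Darwin ]; then
  account_plan "$ACCOUNT" "$ACCOUNT_UID"
else
  create_hidden_account "$ACCOUNT" "$ACCOUNT_UID" && verify_hidden_account "$ACCOUNT"
fi
```

Run it with DRY_RUN=1 first to see the exact commands; verify_hidden_account is the check worth keeping as an extension attribute once the account exists.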


ThijsX
Valued Contributor

Ok so I did the following.

  • Created a custom QuickAdd.pkg
  • After "enrollment", a change management account password policy kicks in, which obviously takes care of storing the correct password in the DB.
  • One thing that maybe was not smooth when posting this discussion is that Jamf Remote's "refresh data" function does not refresh the stored pw.

#!/bin/sh
## Postinstall script of the custom QuickAdd.pkg

####################################################
################### Functions ######################
####################################################

## Returns 0 when $major_version.$minor_version.$patch_version lies between
## the two version arguments, e.g. inrange 10.9.0 10.9.999999
inrange() {
  inrange_min_major=$(echo $1 | grep -o '^[0-9]\+')
  inrange_min_minor=$(echo $1 | grep -o '\.[0-9]\+\.' | grep -o '[0-9]\+')
  inrange_min_patch=$(echo $1 | grep -o '[0-9]\+$')
  inrange_max_major=$(echo $2 | grep -o '^[0-9]\+')
  inrange_max_minor=$(echo $2 | grep -o '\.[0-9]\+\.' | grep -o '[0-9]\+')
  inrange_max_patch=$(echo $2 | grep -o '[0-9]\+$')
  if [[ "$major_version" -lt "$inrange_min_major" ]]; then
    return 1
  elif [[ "$major_version" -gt "$inrange_max_major" ]]; then
    return 1
  elif [[ "$minor_version" -lt "$inrange_min_minor" ]]; then
    return 1
  elif [[ "$minor_version" -gt "$inrange_max_minor" ]]; then
    return 1
  elif [[ "$patch_version" -lt "$inrange_min_patch" ]]; then
    return 1
  elif [[ "$patch_version" -gt "$inrange_max_patch" ]]; then
    return 1
  else
    return 0
  fi
}

####################################################
## Use the correct binary for the os version
## (level1 = 10.10 and later, level2 = 10.9, level3 = 10.7-10.8)
####################################################
jamf_root_path=/private/tmp/JAMFQuickAdd/Binaries/
os_version=$(system_profiler SPSoftwareDataType -xml | grep -A 2 'os_version</key>' | grep -o 'OS X [0-9]\+\.[0-9]\+\.[0-9]\+\|macOS [0-9]\+\.[0-9]\+\.[0-9]\+' | grep -o '[0-9]\+\.[0-9]\+\.[0-9]\+')
major_version=$(echo $os_version | grep -o '^[0-9]\+')
minor_version=$(echo $os_version | grep -o '\.[0-9]\+\.' | grep -o '[0-9]\+')
patch_version=$(echo $os_version | grep -o '[0-9]\+$')

jamf_path="${jamf_root_path}jamf_level1"

if inrange 10.9.0 10.9.999999 ; then
  jamf_path="${jamf_root_path}jamf_level2"
fi

if inrange 10.7.0 10.8.999999 ; then
  jamf_path="${jamf_root_path}jamf_level3"
fi

/usr/bin/tar -xf /private/tmp/JAMFQuickAdd/Binaries.tar.gz -C /private/tmp/JAMFQuickAdd

jamfCLIPath=/usr/local/jamf/bin/jamf

## Install the selected binary, root-owned and read/execute only
/bin/mkdir -p /usr/local/jamf/bin
/bin/mkdir -p /usr/local/bin
/bin/mv "$jamf_path" "$jamfCLIPath"
/bin/rm -r "$jamf_root_path"
/bin/ln -s "$jamfCLIPath" /usr/local/bin

/usr/sbin/chown 0:0 "$jamfCLIPath"
/bin/chmod 555 "$jamfCLIPath"

####################################################
## Create the configuration file at:
## /Library/Preferences/com.jamfsoftware.jamf.plist
####################################################
"$jamfCLIPath" createConf -url 'https://YOURJSS:8443/' -verifySSLCert always_except_during_enrollment

####################################################
## Turn on SSH
####################################################
"$jamfCLIPath" startSSH

####################################################
## Run enroll
## -noPolicy and -noManage keep "jamf policy" and "jamf manage" from running
####################################################
"$jamfCLIPath" enroll -invitation 649442556476261735123512349896777 -noPolicy -noManage
enrolled=$?
if [ $enrolled -eq 0 ]
then
  "$jamfCLIPath" update

## Commented the enrollmentComplete trigger out to prevent policies running again ##
#  $jamfCLIPath policy -event enrollmentComplete
  ## with the trigger commented out this records the exit status of "jamf update"
  enrolled=$?
fi


/bin/rm -rf /private/tmp/JAMFQuickAdd
exit $enrolled

mm2270
Legendary Contributor III

@txhaflaire This thread is a bit more than a year old now, but I was wondering if you still used the process as outlined above? I'm asking because I need to come up with a way to create a new management account on a number of existing enrolled Macs, some of them enrolled via Apple's automated device enrollment (formerly DEP), and I don't know if pushing a QuickAdd.pkg to existing enrolled Macs is a good idea now. Doesn't that undo the UAMDM setting in the device MDM profile now? If it does, this isn't a viable method anymore since UAMDM is an important item now, and some Config Profile payloads rely on it being set properly for full functionality.

Is there some other way to push a new management account to existing Macs, and have the account settings get updated in Jamf properly? Something that doesn't utilize the old outdated QuickAdd method perhaps? Or am I wrong in assuming that you should not use a QuickAdd.pkg install on Macs running 10.14.x or 10.15.x now?
I've been experimenting with this a little, but I haven't hit on the right process to go about this. If you (or anyone) has any ideas on how to do this I'd love to hear about it.

ThijsX
Valued Contributor

@mm2270

Currently we are not using this process anymore, as at that time all our "old" management accounts were successfully migrated.
In my case it did not reset the UAMDM settings, but I am not sure if that will be the case at this moment with Catalina being there.

With the QuickAdd.pkg I added the -noPolicy -noManage triggers to prevent jamf manage and jamf policy, and also commented out the enrollmentComplete trigger to prevent any policies tied to that.

I suggest giving it a try on a test device?

Curious, what are you using the management account for at this time? As far as I know the management account is only used for Jamf Remote.

I agree it's pretty cumbersome.