Approach to having a local admin impervious to Password Configuration

rhernandez89
New Contributor

Hello all,

First post.
We are configuring our Jamf Cloud Instance for deployment and we have found a few gotchas based on our configuration for the password policy.

In detail we have enabled a configuration policy for a Passcode payload which requires:

Allow simple values (unchecked)
Alphanumeric values (checked)
Minimum Passcode length (8)
Maximum Passcode age (90)
Passcode History (5)
.
.

Computer Level Scope

The issue that we are having is that our local admin account on the macOS machines enrolled with Jamf will fall within the password configuration scope.

This means that every 90 days we will have to change the password on each computer enrolled in Jamf to a new password that is not one of our 5 previous passwords.

So how are you guys handling local admin accounts with Jamf? Do you guys have a means to get to the computer aside from the regular user account?
Is our password policy too strict?

In general what is your approach in this matter?

Thanks,
Ron


BoscoATX
New Contributor III

Hey Ron, We have a separate, hidden admin account only for Jamf (Management Accounts in Policies on the JSS) and a local admin account (Local Accounts in Policies on the JSS). The management account is hidden, only used by the server and has a 64-character randomized password. Local admin is our standard team log-in for helping our users and can be reset manually across all the managed computers via policy at whatever interval we need. I think of the Management Account as Jamf's exclusive access to enrolled machines as it's never a real account to log into for our technicians. We even have a self-healing policy that runs monthly and re-adds the local admin account if it gets removed by one of our users who has admin (mostly laptops). Hope this helps. -Arthur

jimmy-swings
Contributor II

I raised a case recently with JAMF as I was having a similar issue where the management account had either expired, or the randomised password didn't meet the computer-level passcode policy. This resulted in strange behaviour where the user would also be logged out of the device, and we were unable to support the user / device using the JAMF Remote tools.

The workaround was to continuously reset the management account's password until it conformed, but the more strategic solution is to change the policy to a user-level policy. This applies the passcode policy to the MDM Enabled user, leaving the management account, and other accounts you create during enrolment / support, outside the scope of the policy.

rhernandez89
New Contributor

Thank you for the answers.

BoscoATX The password policy is at the computer level scope so the local admin account would be affected by the password policy. Based on what support said, the Jamf management account is also affected by the password policy (the password would expire). Does your password policy have a 'Maximum passcode age' and, based on the max password age, have you had to change the management account password?

jaz we have raised a case as well and a user-level policy was suggested but it was not working as expected. We were not given a clear-cut way on how to do it. Would you be able to share the configuration on how you applied the password policy to local accounts except for specific ones (example: admin account)?

Thanks,
Ron

BoscoATX
New Contributor III

We don't have a 'Maximum passcode age'. We did have a standardized password for our management account but after some testing I ran a new policy to change the existing password to a randomized 64-character one. You might be able to create a smart group for expired accounts and scope a policy to that to update the password.

Also you can try limiting the Scope of the Configuration Profile. Under Scope, Exclusions, LDAP/Local Users you can add the names of the local and management accounts. I exclude our local admin accounts from policies so our techs have full access but haven't tried excluding accounts from configuration profiles, but it's worth a try.

BS071
New Contributor

@BoscoATX Can you confirm if adding the exclusion works, at a per-user level? I'm trying to accomplish the same idea (password policy with expirations) but looking to not affect the built-in IT 'service account' and the JAMF management account. We're currently using Configuration Profiles to achieve this. Not sure if policies are a better tool here.

I've tried to list the accounts for exclusion, but it looks like the policy is still applied.

Thanks

BoscoATX
New Contributor III

@BS071 I'm actually at a new job so I can't check my old setup. I do remember that I was able to successfully reset the password on our management accounts without affecting the local admin. I'd say if the Config Profiles aren't working for you there are plenty of scripts you could use to the same effect and apply through policy.

Wildy671
New Contributor II

@BS071 I am trying to scope out the local admin account currently for this but having no luck. Tried excluding "localadmin" as well as "local admin" but it doesn't seem to work. This is only causing us a problem with the reset after X days policy, our local admin account meets the rest of the criteria with its current configuration.