Posted on 10-14-2021 05:41 AM
We recently learned that our student population somehow got the jamf mgmt account password. We want to switch to randomized passwords but we also use the mgmt account for working on the machine when admin priv is required. So obviously that will no longer be an option.
What are other people doing for local admin rights on managed computers? We could use domain credentials but in my experience it's not uncommon for Macs to lose their domain bind, and I see in the official docs that JAMF recommends a local account in case of domain disconnect. So then I thought about making a hidden local admin account but then we're back to having one universal set of credentials and risk the students somehow getting this password. Any thoughts are appreciated.
Posted on 10-14-2021 05:58 AM
I have a non-hidden admin account created during enrollment, defined in my PreStage.
And then, if the password ever gets compromised, it's fairly easy to write a policy to change the password for that user on every machine. I've had to do it on more than one occasion.
It's entirely up to you whether you hide this administrator account or not (both from Loginwindow and from Users & Groups).
Note that if you're enabling FileVault, you're going to have to have this user have a SecureToken to unlock FileVault. If it's the first user created (as happens during enrollment, as defined in the PreStage), then it automatically does. But then you'll also have to run a script to grant other users a SecureToken.
Posted on 10-14-2021 10:57 AM
Can you please share how you were able to change password for a local admin account without breaking the SecureToken and FileVault.
Thanks
Posted on 10-14-2021 12:56 PM
This is what I was doing. However, now that I think about it, it's been quite some time since I've tested this. I haven't had to change my admin account password in some time. I do have a script loaded up in Self Service to grant the Admin account a SecureToken, if there isn't one already granted. I should test how this works in Big Sur (pretty sure Mojave was the last OS I was doing this with). Your mileage may vary.
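Added example, not a script posted by anyone in this thread: the kind of Jamf policy script the accepted answer describes (rotate the PreStage admin's password on every machine, then grant another user a SecureToken), written to address the follow-up worry about breaking SecureToken and FileVault. The parameter mapping ($4 to $8), the account name and all passwords are assumptions; the reset goes through sysadminctl authorised by a SecureToken holder, and the script checks the token afterwards rather than trusting that it survived.

```bash
#!/bin/bash
# Added example (not from the thread). Assumed Jamf script parameter mapping,
# set in the policy's Scripts payload:
#   $4 admin account   $5 its current password   $6 its new password
#   $7 optional user to grant a SecureToken      $8 that user's password
ADMIN_USER="$4"; OLD_PASSWORD="$5"; NEW_PASSWORD="$6"
TOKEN_USER="$7"; TOKEN_USER_PASSWORD="$8"

# sysadminctl -secureTokenStatus reports on stderr, for example
# "... sysadminctl[412:9876] Secure token is ENABLED for user localadmin".
# Reduce that text to ENABLED / DISABLED / UNKNOWN so callers can test it.
token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# Refuse empty parameters or a "rotation" to the same password.
rotation_inputs_ok() {
  [ -n "$1" ] && [ -n "$2" ] && [ -n "$3" ] && [ "$2" != "$3" ]
}

secure_token_status() { token_state "$(sysadminctl -secureTokenStatus "$1" 2>&1)"; }

# The admin authorises its own reset with the still-valid old password; any
# SecureToken holder's credentials can authorise a sysadminctl password reset.
rotate_admin_password() {
  sysadminctl -adminUser "$ADMIN_USER" -adminPassword "$OLD_PASSWORD" \
    -resetPasswordFor "$ADMIN_USER" -newPassword "$NEW_PASSWORD" 2>&1
}

grant_secure_token() {  # $1 user to enable, $2 that user's password
  sysadminctl -adminUser "$ADMIN_USER" -adminPassword "$NEW_PASSWORD" \
    -secureTokenOn "$1" -password "$2" 2>&1
}

main() {
  rotation_inputs_ok "$ADMIN_USER" "$OLD_PASSWORD" "$NEW_PASSWORD" || { echo "bad parameters" >&2; return 1; }
  [ "$(secure_token_status "$ADMIN_USER")" = ENABLED ] || echo "note: $ADMIN_USER had no SecureToken before rotation" >&2
  rotate_admin_password
  [ "$(secure_token_status "$ADMIN_USER")" = ENABLED ] || { echo "SecureToken lost on $ADMIN_USER" >&2; return 1; }
  if [ -n "$TOKEN_USER" ] && [ "$(secure_token_status "$TOKEN_USER")" != ENABLED ]; then
    grant_secure_token "$TOKEN_USER" "$TOKEN_USER_PASSWORD"
  fi
}

# Act only when Jamf supplied parameters; sourcing the file for tests runs nothing.
if [ -n "$NEW_PASSWORD" ]; then main; fi
```

Script parameters are passed as plain command-line arguments, so if you only need the password change itself, the policy's own Local Accounts payload handles that without exposing the value on the command line.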
Posted on 10-14-2021 10:55 AM
We have a local admin account for each school, so if a teacher was offsite and desperately needed it we would give them the admin credentials for their school. That account gets installed when a computer starts up on their SSID.
We have a global admin account as well which is never shared outside of tech.
We now have "Make me an admin for 30 minutes" in Self Service which really saved us during lockdown. It also has made our staff very happy and not caused any problems. We've never used our jamf mgmt account for anything and it is hidden (it is so old it is named Casper 🙂). We went to randomized passwords a few years ago.
Posted on 10-14-2021 11:45 AM
This "Make Me an Admin" option sounds interesting, and would help with some potential changes we are considering. Is this something there is documentation on by chance? Or is it a couple simple policies and such that can be created and added to Self Service?
Posted on 10-14-2021 11:57 AM
Posted on 10-14-2021 12:03 PM
Awesome! I appreciate this. I will probably begin testing today or tomorrow. This should cut out on the amount of users with admin privileges that were only given "just in case."