Best Practice for Mgmt/Local Admin accounts

eob455
New Contributor II

We recently learned that our student population somehow got the jamf mgmt account password. We want to switch to randomized passwords but we also use the mgmt account for working on the machine when admin priv is required. So obviously that will no longer be an option.


What are other people doing for local admin rights on managed computers? We could use domain credentials but in my experience it's not uncommon for Macs to lose their domain bind, and I see in the official docs that JAMF recommends a local account in case of domain disconnect. So then I thought about making a hidden local admin account but then we're back to having one universal set of credentials and risk the students somehow getting this password. Any thoughts are appreciated.

1 ACCEPTED SOLUTION

damienbarrett
Valued Contributor

I have a non-hidden admin account created during enrollment, defined in my PreStage.

And then, if the password ever gets compromised, it's fairly easy to write a policy to change the password for that user on every machine. I've had to do it on more than one occasion.

It's entirely up to you whether you hide this administrator account or not (both from Loginwindow and from Users & Groups).

Note that if you're enabling FileVault, this user is going to need a SecureToken to unlock FileVault. If it's the first user created (as happens during enrollment, as defined in the PreStage), then it automatically gets one. But then you'll also have to run a script to grant other users a SecureToken.



Can you please share how you were able to change the password for a local admin account without breaking the SecureToken and FileVault?


Thanks

This is what I was doing. However, now that I think about it, it's been quite some time since I've tested this. I haven't had to change my admin account password in some time. I do have a script loaded up in Self Service to grant the Admin account a SecureToken, if there isn't one already granted. I should test how this works in Big Sur (pretty sure Mojave was the last OS I was doing this with). Your mileage may vary.

Sandy
Valued Contributor II

We have a local admin account for each school, so if a teacher was offsite and desperately needed it we would give them the admin credentials for their school. That account gets installed when a computer starts up on their SSID.

We have a global admin account as well which is never shared outside of tech.

We now have "Make me an admin for 30 minutes" in Self Service which really saved us during lockdown. It also has made our staff very happy and not caused any problems. We've never used our jamf mgmt account for anything and it is hidden (it is so old it is named Casper 🙂). We went to randomized passwords a few years ago.
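The "Make me an admin for 30 minutes" item Sandy describes is typically a Self Service policy script that adds the console user to the admin group and arms a launchd timer that removes them again. The script below is an added example, not code from this thread or from Jamf; the LaunchDaemon label and the revoke-script path are assumed placeholders, and it expects to run as root from a Jamf policy on macOS.

```shell
#!/bin/bash
# Added example, not from the thread. Label and paths below are assumed placeholders.
ADMIN_MINUTES="${ADMIN_MINUTES:-30}"
LABEL="org.example.tempadmin.revoke"                 # assumed LaunchDaemon label
REVOKE_SCRIPT="/Library/Management/revoke_admin.sh"  # assumed path
PLIST="/Library/LaunchDaemons/${LABEL}.plist"
# The person who clicked the Self Service button (owner of the console).
console_user() { stat -f '%Su' /dev/console; }
# LaunchDaemon that runs the revoke script after $1 seconds. A launchd StartInterval
# (rather than a sleep in the policy) still fires if Self Service quits or the Mac sleeps.
revoke_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>${LABEL}</string>
  <key>ProgramArguments</key><array><string>/bin/sh</string><string>${REVOKE_SCRIPT}</string></array>
  <key>StartInterval</key><integer>$1</integer>
</dict></plist>
EOF
}
# Script the daemon runs: remove user $1 from admin, log it, then clean up after itself
# so the timer fires exactly once.
revoke_script() {
  cat <<EOF
#!/bin/sh
/usr/sbin/dseditgroup -o edit -d "$1" -t user admin
/usr/bin/logger -t tempadmin "removed $1 from admin group"
/bin/launchctl unload "${PLIST}"
/bin/rm -f "${PLIST}" "${REVOKE_SCRIPT}"
EOF
}
# Grant admin to the console user and arm the revocation timer. Refuses if the user
# is already an admin, so a second click cannot extend or tangle the timer.
grant_temp_admin() {
  user="$(console_user)"
  if [ -z "$user" ] || [ "$user" = "root" ]; then echo "no console user" >&2; return 1; fi
  if /usr/sbin/dseditgroup -o checkmember -m "$user" admin >/dev/null 2>&1; then
    echo "$user is already an admin" >&2; return 1
  fi
  mkdir -p "$(dirname "$REVOKE_SCRIPT")"
  revoke_script "$user" > "$REVOKE_SCRIPT" && chmod 755 "$REVOKE_SCRIPT"
  revoke_plist $((ADMIN_MINUTES * 60)) > "$PLIST" && chmod 644 "$PLIST"
  /usr/sbin/dseditgroup -o edit -a "$user" -t user admin
  /usr/bin/logger -t tempadmin "granted $user admin for $ADMIN_MINUTES minutes"
  /bin/launchctl load "$PLIST"
}
# The Jamf policy runs this with "--grant"; without it the file only defines functions.
if [ "${1:-}" = "--grant" ]; then grant_temp_admin; fi
```

The grant and revoke both go to the unified log via `logger`, so an extension attribute or log search can show grants that somehow outlived the timer.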

bsatterthwaite
New Contributor

This "Make Me an Admin" option sounds interesting, and would help with some potential changes we are considering. Is this something there is documentation on by chance? Or is it a couple simple policies and such that can be created and added to Self Service?

Awesome! I appreciate this. I will probably begin testing today or tomorrow. This should cut down on the number of users with admin privileges who were only given them "just in case."