Best way of changing the management account?

New Contributor III

So I think I'm pretty much there with the JSS I've inherited and got it running how I want. There's one thing left I definitely need to sort out... Currently the management account seems to be the main admin account on the Macs - I want to change this to using a hidden account for obvious reasons.

Would I be right in thinking that distributing a new quickadd package is the best way to go here?



Valued Contributor II

Yes. That's how I did it a few years ago doing the exact same thing.

Legendary Contributor III

Yeah, that's the best way. The Mac (re)enrolls using the new account that the QuickAdd.pkg creates or defines and it gets updated in the JSS to use that account as the management account.

As part of this process, you may want to look at some threads that discuss ways of setting up an EA that can capture the assigned management account for a Mac, that way you can keep track of the move from the old to new easier and even report on it. Even though the management account is standard information that Casper captures, its currently not a scope-able criteria, nor is it something you can drop into a report as a column of data.

Management account used EA?

There's probably an FR out there also asking for this to become something standard we can include in Smart Groups and reports without resorting to using the API in an Extension Attribute.

Contributor II

Keep in mind that re-enrolling will wipe the policy history for the computer record in the JSS, meaning a lot of your policies could end up running again depending on how they are setup.

I have an FR asking that a flag be added to the enrollment verb to prevent this


Legendary Contributor III

Good point @etippett! For us, its not much of an issue, but I can certainly understand why it could be a problem for some JSS setups.