
What might be our direction if we need to implement different benchmarks based on different employees in organisation? If we need to restrict sudo/admin rights for the majority of our users but we have a small percentage of our users that require admin rights would we then just have multiple profiles for different users or would we just remove that profile/benchmark from that small workforce that requires admin rights? We may have a requirement where not every endpoint is the same and will need to allow for “uniqueness” in the environment.



If we deploy a configuration profile vs. a script how do we enforce those profiles so if a user has sudo/admin rights they won’t be able to uninstall our Tanium/Jamf/SEP clients?

Stumbled onto this question during a search for Tanium uninstall.



Have you looked at putting users who have approval for admin rights into an LDAP group, and excluding them from a policy (script) or Configuration Profile?



Don


You got a few things in here:

For the admin rights settings I would go for Jamf Connect in combination with the Privileges app, and scope this application to the people that may use admin rights, with an approval flow behind it. You can log the reasons why they need the admin rights with syslog as well.


Then you've got the prevention of the removal. I would make a smart group/search that mails the support team when that happens. I don't think you can completely prevent this removal, but you can create a procedure for following up on those issues.
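One way to feed the smart group suggested above is a Jamf extension attribute that reports which endpoint agents are missing from a Mac; a smart group on its value can then drive the notification to the support team. This is an added example, not code from the thread or from Jamf; the agent install paths are assumptions about typical locations and should be checked against your own deployment.

```shell
#!/bin/sh
# Jamf extension attribute (added example): report endpoint agents that are no
# longer present on disk so a smart group can flag the machine for follow-up.

# missing_agents NAME=PATH ...
# Prints the names whose path does not exist, separated by spaces.
missing_agents() {
  missing=""
  for spec in "$@"; do
    name=${spec%%=*}   # text before the first "="
    path=${spec#*=}    # everything after the first "="
    if [ ! -e "$path" ]; then
      missing="$missing $name"
    fi
  done
  echo "${missing# }"
}

# agent_status NAME=PATH ...
# Returns "OK" when every agent is present, otherwise "MISSING: <names>".
agent_status() {
  m=$(missing_agents "$@")
  if [ -z "$m" ]; then
    echo "OK"
  else
    echo "MISSING: $m"
  fi
}

# Extension attributes must emit their value inside <result> tags.
# The paths below are assumed install locations; adjust them for your environment.
main() {
  status=$(agent_status \
    "Jamf=/usr/local/bin/jamf" \
    "Tanium=/Library/Tanium/TaniumClient/TaniumClient" \
    "SEP=/Applications/Symantec Endpoint Protection.app")
  echo "<result>$status</result>"
}

main
```

A smart group with the criterion "extension attribute value starts with MISSING" gives you the list of Macs where a client was removed, which is the trigger for the mail to support.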

