What might be our direction if we need to implement different benchmarks based on different employees in the organisation? If we need to restrict sudo/admin rights for the majority of our users, but we have a small percentage of our users that require admin rights, would we then just have multiple profiles for different users, or would we just remove that profile/benchmark from that small workforce that requires admin rights? We may have a requirement where not every endpoint is the same and will need to allow for “uniqueness” in the environment.
If we deploy a configuration profile vs. a script, how do we enforce those profiles so that if a user has sudo/admin rights, they won’t be able to uninstall our Tanium/Jamf/SEP clients?