Help

CIS Benchmarks implementation via script vs configuration profiles

rastogisagar123
Contributor II

Posted on ‎10-18-2018 04:17 PM

What might be our direction if we need to implement different benchmarks based on different employees in organisation? If we need to restrict sudo/admin rights for the majority of our users but we have a small percentage of our users that require admin rights would we then just have multiple profiles for different users or would we just remove that profile/benchmark from that small workforce that requires admin rights? We may have a requirement where not every endpoint is the same and will need to allow for “uniqueness” in the environment.

If we deploy a configuration profile vs. a script how do we enforce those profiles so if a user has sudo/admin rights they won’t be able to uninstall our Tanium/Jamf/SEP clients?

Sagar Rastogi
0 Kudos
2 REPLIES 2

donmontalvo
Esteemed Contributor III

Posted on ‎03-11-2019 07:36 AM

Stumbled onto this question during a search for Tanium uninstall.

Have you looked at putting users who have approval for admin rights into an LDAP group, and excluding them from a policy (script) or Configuration Profile?

Don

--
https://donmontalvo.com
0 Kudos

dolfhoegaerts
New Contributor III

Posted on ‎08-19-2021 10:01 PM

You got a few things in here:

For the admin right settings I would go for Jamf Connect in combination with the privileges app. and scope this application for the people that may use admin rights with a approvement flow behind it. You can log the reasons why they need the admin rights with a syslog as well.

 

Then you got the prevention for the removal, I would make a smart group/search that mails the support team when that happens. I

don’t think you can completly prevent this removal but you can create a procedure for followup those issues.

0 Kudos