CIS Benchmarks implementation via script vs configuration profiles

Contributor II

What might be our direction if we need to implement different benchmarks based on different employees in the organisation? If we need to restrict sudo/admin rights for the majority of our users, but we have a small percentage of our users that require admin rights, would we then just have multiple profiles for different users, or would we just remove that profile/benchmark from the small workforce that requires admin rights? We may have a requirement where not every endpoint is the same and will need to allow for “uniqueness” in the environment.

If we deploy a configuration profile vs. a script, how do we enforce those profiles so that if a user has sudo/admin rights they won’t be able to uninstall our Tanium/Jamf/SEP clients?

Sagar Rastogi

Esteemed Contributor II

Stumbled onto this question during a search for Tanium uninstall.

Have you looked at putting users who have approval for admin rights into an LDAP group, and excluding them from a policy (script) or Configuration Profile?



New Contributor II

You’ve got a few things in here:

For the admin rights settings I would go for Jamf Connect in combination with the Privileges app, and scope this application to the people that may use admin rights, with an approval flow behind it. You can log the reasons why they need the admin rights with a syslog as well.


Then you’ve got the prevention of the removal. I would make a smart group/search that mails the support team when that happens. I don’t think you can completely prevent this removal, but you can create a procedure for following up on those issues.
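As an added example (not code from any reply in this thread), this is one way to implement the smart-group idea above: a Jamf extension-attribute style script that reports whether the Jamf, Tanium and SEP agents are still installed, so a smart group keyed on "missing" can notify support when an admin user removes one. The install paths are assumptions about typical locations and should be adjusted to your fleet.

```bash
#!/bin/bash
# Added example, not from the thread: report which management agents are
# still present on a Mac. The paths below are assumed typical install
# locations (hypothetical for SEP); change them to match your deployment.
# A stronger check would also confirm the daemon is loaded via launchctl.

# Succeeds only if every path given exists.
paths_present() {
  local p
  for p in "$@"; do
    [ -e "$p" ] || return 1
  done
  return 0
}

# agent_status NAME PATH...  -> prints "NAME=present" or "NAME=missing"
# and returns 0 or 1 accordingly.
agent_status() {
  local name="$1"
  shift
  if paths_present "$@"; then
    printf '%s=present' "$name"
    return 0
  fi
  printf '%s=missing' "$name"
  return 1
}

# Build the report for all three agents: prints one ";"-separated line and
# returns the number of missing agents so a policy script can branch on it.
agent_report() {
  local missing=0
  local jamf tanium sep
  jamf=$(agent_status Jamf /usr/local/bin/jamf \
    /Library/LaunchDaemons/com.jamfsoftware.task.1.plist) || missing=$((missing + 1))
  tanium=$(agent_status Tanium \
    /Library/Tanium/TaniumClient/TaniumClient) || missing=$((missing + 1))
  sep=$(agent_status SEP \
    "/Applications/Symantec Endpoint Protection.app") || missing=$((missing + 1))
  printf '%s;%s;%s\n' "$jamf" "$tanium" "$sep"
  return "$missing"
}

# Extension attribute output: Jamf stores the <result> text in inventory;
# a smart group with criterion "like missing" can then drive the email.
printf '<result>%s</result>\n' "$(agent_report)"
```

Running the script with no agents installed (for example on a test VM) yields `<result>Jamf=missing;Tanium=missing;SEP=missing</result>`, which is the value the smart group should match on.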