What might be our direction if we need to implement different benchmarks based on different employees in the organisation? If we need to restrict sudo/admin rights for the majority of our users, but we have a small percentage of our users that require admin rights, would we then just have multiple profiles for different users, or would we just remove that profile/benchmark from that small workforce that requires admin rights? We may have a requirement where not every endpoint is the same and will need to allow for “uniqueness” in the environment.
If we deploy a configuration profile vs. a script, how do we enforce those profiles so that if a user has sudo/admin rights they won’t be able to uninstall our Tanium/Jamf/SEP clients?
You've got a few things in here:
For the admin rights settings I would go for Jamf Connect in combination with the Privileges app, and scope this application to the people who may use admin rights, with an approval flow behind it. You can log the reasons why they need the admin rights with a syslog as well.
Then you've got the prevention of the removal: I would make a smart group/search that mails the support team when that happens. I don’t think you can completely prevent this removal, but you can create a procedure for following up on those issues.
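One way to feed the smart group suggested in the reply above, as an added example that is not part of the original thread: a Jamf Pro extension attribute script that reports which agents are missing from a Mac. The agent paths and the helper names `missing_agents` and `ea_result` are assumptions; confirm the paths on a known-good machine in your own fleet.

```shell
#!/bin/sh
# Jamf Pro extension attribute (added example): report which agents are missing.
# One "Name|path" per line. These paths are ASSUMPTIONS, not vendor-confirmed;
# check them against a correctly enrolled Mac before deploying.
AGENTS='Jamf|/usr/local/jamf/bin/jamf
Tanium|/Library/Tanium/TaniumClient/TaniumClient
SEP|/Applications/Symantec Endpoint Protection.app'

# missing_agents ROOT LIST -> comma-separated names whose path is absent
# under ROOT (ROOT is "" on a real Mac, a temp dir when testing).
missing_agents() {
    root=$1
    list=$2
    missing=""
    old_ifs=$IFS
    IFS='
'
    # Split on newlines only, so paths containing spaces stay intact.
    for entry in $list; do
        name=${entry%%|*}
        path=${entry#*|}
        if [ ! -e "${root}${path}" ]; then
            missing="${missing:+$missing, }$name"
        fi
    done
    IFS=$old_ifs
    printf '%s' "$missing"
}

# ea_result ROOT LIST -> the value Jamf Pro stores for this attribute.
ea_result() {
    m=$(missing_agents "$1" "$2")
    if [ -n "$m" ]; then
        printf '<result>Missing: %s</result>' "$m"
    else
        printf '<result>OK</result>'
    fi
}

# Jamf Pro reads the <result> tag from the script's standard output.
ea_result "" "$AGENTS"
echo
```

A smart group whose criterion is this attribute being like `Missing`, with email notification on membership change enabled, then alerts the support team after the next inventory update. If the Jamf agent itself is removed the Mac stops reporting, so pair this with a group based on last check-in age.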