Jamf Nation Community

Chaz-C · ‎09-07-2023

Hi All,

I was wondering how my fellow admins handle this dangerous allowance if someone is a full admin. Some context is that you create a package and we scope by username however there is the option to change the default to "All mobile devices" instead of the default "Specific Mobile" devices. How are you guys handling this change control on this? I have heard of people using "Sites" to make sure that apps live in sites but this still doesn't prevent someone from 'mistakenly" scoping to all mobile devices.

jtrant · ‎09-07-2023

Other than limiting your admin users and training them on the correct procedures, there isn't much you can do here.

Strict change control procedures and ensuring there are two sets of eyes on each production change are the simplest controls I can think of.

Chaz-C · ‎09-07-2023

I just had an internal discussion with my team and various infra guys, and one of them said let's inspect via the chrome inspection option for the scoping page, and what do you know they said something I never even thought of. With a simple Chrome plugin, we have what appears to be a way to "block" or hide the "GUI" for "All Mobile Devices". We are testing right now and obviously, this would need to be run on my admins in the system.

Chaz-C · ‎09-07-2023

We got this working with a Chrome plug in as mentioned, checking with our team if we can post so that it helps the broader community. But in essence, creating a Chrome extension that hides the ID from being seen on that screen is how we are doing this.

jtrant · ‎09-14-2023

This is a great alternative, as long as they don't use another web browser.

I never thought of that to be honest.

Jamf Nation Community

Danger of "Scoping to all Mobile Devices" - Change Management