Do you give your Faculty/Staff users admin rights?

wmehilos
Contributor

See title. Just trying to get a grip on what everyone is doing.

(Yes I know about Privileges.app)


mickgrant
Contributor III

In our school teachers are expected to provide their own laptop, so yes, they are local admin on them (we don't have the right to stop them being admins on their own equipment); we also add a local admin to perform our management.

If they are provided with a temporary loan laptop, if theirs breaks down for instance, then they are only given a standard account.

SVM-IT
New Contributor III

Our default is no, although there is an exception process. The person requesting admin access must get their supervisor to approve and submit an exception request. Then the IT department performs a technical review. If the exception is approved then they are provided the means to add admin privileges to their account for a short period of time. And the end user has to sign an agreement that they'll act knowingly and responsibly. The exception request expires every year on June 30 (but can be renewed).

Pauileoo7
New Contributor

In our district we do give them admin rights; we are working on a request-for-admin strategy for the summer.

mbootes
New Contributor II

In our school we do - give staff more flexibility and power to experiment with using their device.

applesupport-ne
New Contributor III

There is a way to give a user local admin rights via Self Service (admin assigns an allotted time); thereafter, when the time runs out, the admin access reverts back to standard user. I saw this at a Jamf JNUC but have never been able to implement the darn thing.

Volker
New Contributor III

Higher Ed here, private institution. Default for on-prem devices is "no" for admin, but the exceptions are very, very many, due most of the time to purely political concerns. Home/remote issue is default "yes".

landon_Starr
Contributor

https://www.jamf.com/jamf-nation/discussions/30601/admin-rights-justification

:)

AdamCraig
Contributor III

Corporate here. And it depends on their role/if they have a business need. We actually have a set of policies and smart groups that checks the user's title against AD, and admin privileges will be given/taken away based upon their title, with a static group that is the people who have manager-approved exceptions to the rule. If a user gets a promotion, Jamf will usually make them an admin within a day or so of the title change.

jefff
Contributor II

I see that you're also in higher ed, @wmehilos. At my current institution, we give admin rights by default, but there is talk of changing that.

At my previous institution, we gave nobody admin rights on their primary account, but allowed them to apply for an exception to get a separate account that would be given admin rights. The admin account was created in AD as username.admin and had no privileges on the network. It was only to be used for elevation, so the user could answer admin prompt requests on the Mac.

Dylan_YYC
Contributor III

We do... However, I'm really starting to question if that's such a smart move. With things like Self Service and patching, the need for local admins is kinda going away.

mark_mahabir
Valued Contributor

We do, although our staff have to apply via a feedback form and provide a business case as to why they think they need those rights. They also need to sign up to a code of conduct.

Lots of working off-site (as we don't currently have a working VPN) and developing your own software will often yield a positive response.

boberito
Valued Contributor

Yes. Everyone is an admin. Scientists don't like to function without admin rights.

damienbarrett
Valued Contributor

Please read the link posted above. There you will find justification for why almost every one of my users is an admin.

PE2000
Contributor

Default No.

larry_barrett
Valued Contributor

During the past 4 years I've had exactly one staff member ask for Admin rights (and it was to install a game). K-12 school.

Whether you think it's a big deal or not is kinda irrelevant. The potential for abuse far outweighs the actual necessity of it.

Anytime I've received an "ask" for something that does a call out for credentials, I take it as an opportunity to use the tools JAMF has given us to prevent the "ask" in the future (via PPPC, et al). Institutionally, we have decided to block all 3rd party app developers. If it's not in the App Store, we'd build a package for it, do a direct download link via Self Service or manually approve it for a staff member.

I read the entire post mentioned by @damienbarrett and I haven't seen a single reason to allow our users admin access. I should note that we block OS upgrades during the school year.

jhuls
Contributor III

Community college here. Full time staff and faculty get admin while students and part time staff and faculty do not unless there is justification.

As mentioned in the thread posted above we have some cultural/political clashes here. Best practices are to not have admin rights but the president and faculty demand it...they have the power. Our department would like to see admin removed due to the overhead involved in supporting these practices. Discussion has occurred more than once but the idea of removing admin rights has always been shot down so we just look for ways to best accommodate the situation.

The temporary admin solution is one that I think makes the most sense to appease people here, but the problem is that the Windows guys don't have a similar solution and no one wants to make that feel like it's more imbalanced than it already is. While it should be spun as more secure, the general thought is that it would be an inconvenience.

Matt_Roy93
Contributor

We currently allow all users to be admins in a K-12 environment. I would prefer a better solution, but our users requested this right when the MacBook idea was pitched. There is an interesting solution I have been experimenting with; it was created by none other than Rich Trouton and is called Privileges.app, https://derflounder.wordpress.com/category/privileges-app/

Thanks!

pete_c
Contributor III

Internet startup at my last Jamf environment. No admin rights by default, but a 'promote to admin' button in Self Service set to expire in 30 minutes for all the developers and 5 minutes for everyone else.

The pro was that the task ran recon as soon as the timer expired; the con was educating the less technical users that they needed to click that promote button before they started their printer driver install etc.

The justification was to slow down any possible malware that the less technical sales staff might inadvertently install.

The biggest win from my perspective was that it was another driver towards Self Service, which then had all the other tasks presented, which meant less need for having admin rights in the first place, etc.

schickp
New Contributor II

K-12 here -- we give admin rights on our staff machines only. We're looking at alternatives. The self-service option seems to be where we're leaning.

a_hebert
New Contributor III

Our users had admin rights and we removed them. We are a K-12. It wasn't a painless process, but it went rather smoothly. We made them printer admins so they could add home wireless and printers.

CSCC-JS
Contributor II

An alternate (non-free) solution would be to use CyberArk Viewfinity.
This solution is for both Windows and macOS.

It essentially intercepts the admin prompt, checks an approval list, and if pre-approved, grants admin rights without the user having admin rights. It also logs all admin prompt requests, from which user and which app.

ben_hertenstein
Release Candidate Programs Tester

We allow staff to be admins on their machines. Every now and then it will cause an issue, but most things can be prevented with good education of the end user.

phredman
New Contributor III

What is the process for y'all to convert admin accounts to non-admin accounts?

AdamCraig
Contributor III

@phredman These scripts are based on Smart Groups that use an EA that lists all the local admin accounts and the assigned user's title in AD to determine who is supposed to be an admin and who is not, and fixes the people who have the incorrect access.

Demote user script

#!/bin/sh

## this will demote the current user if it is not AdminUserName
currentUser=$(ls -l /dev/console | awk '{ print $3 }')
echo "current user is $currentUser"

if [ "$currentUser" != "AdminUserName" ]; then
    ## id -G lists every GID; match 80 (the admin group) as a whole word so that
    ## GIDs such as 180 or 801 are not mistaken for admin membership
    IsUserAdmin=$(id -G "$currentUser" | grep -w 80)
    if [ -n "$IsUserAdmin" ]; then
        /usr/sbin/dseditgroup -o edit -n /Local/Default -d "$currentUser" -t "user" "admin"
        exit 0
    else
        echo "$currentUser is not a local admin"
    fi
fi

promote user script

#!/bin/sh

## this will promote the current user if it is not AdminUserName
currentUser=$(ls -l /dev/console | awk '{ print $3 }')
echo "current user is $currentUser"

if [ "$currentUser" != "AdminUserName" ]; then
    /usr/sbin/dseditgroup -o edit -n /Local/Default -a "$currentUser" -t "user" "admin"
    echo "$currentUser is now a local admin"
    exit 0
fi
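
An Extension Attribute in the spirit of the one AdamCraig describes, reporting the local admin accounts other than the management accounts IT expects, so a Smart Group can pick out machines where an unexpected admin exists. This is an added example, not AdamCraig's script; the names in EXPECTED_ADMINS (AdminUserName and jamfadmin) are assumed management accounts.

```shell
#!/bin/sh
# Jamf Extension Attribute (added example): list local admins that are not
# expected management accounts. A Smart Group on "not None" can then drive
# the demote policy posted above.

# Accounts allowed to hold admin without being reported (assumed names).
EXPECTED_ADMINS="root AdminUserName jamfadmin"

# Pull the member list out of the "GroupMembership: a b c" line that
# `dscl . -read /Groups/admin GroupMembership` prints.
parse_group_membership() {
    printf '%s\n' "$1" | sed -n 's/^GroupMembership:[[:space:]]*//p'
}

# Given a space-separated member list, print the members that are not in
# EXPECTED_ADMINS, one per line, sorted for a stable EA value.
unexpected_admins() {
    for member in $1; do
        case " $EXPECTED_ADMINS " in
            *" $member "*) ;;                 # expected account, skip it
            *) printf '%s\n' "$member" ;;
        esac
    done | sort
}

# Build the EA result: "None" when nothing unexpected, else a comma list.
ea_result() {
    admins=$(unexpected_admins "$1" | paste -s -d ',' -)
    if [ -z "$admins" ]; then
        printf '<result>None</result>\n'
    else
        printf '<result>%s</result>\n' "$admins"
    fi
}

# On a Mac, read the real admin group; elsewhere (no dscl) do nothing so the
# functions above can be exercised with constructed input.
if command -v dscl >/dev/null 2>&1; then
    raw=$(dscl . -read /Groups/admin GroupMembership 2>/dev/null)
    ea_result "$(parse_group_membership "$raw")"
fi
```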

phredman
New Contributor III

@strayer - that's very helpful. Much appreciated.