Posted on 02-24-2020 04:57 AM
Currently in our organisation, all Macs are bound to AD, so users have mobile accounts. I would like to know if there is a way to create a mobile admin account without us always having to enter the localadmin user password. It makes the process very long, as we have to type the password on every machine for a mobile account to be created.
Posted on 02-24-2020 06:48 AM
If they're all bound, fire this at them:
#!/bin/sh
# Grant local admin rights to every member of an AD group on a bound Mac. Run as root
# (e.g. from a Jamf policy); the group is resolved through the Mac's directory search path.
dseditgroup -o edit -a "Group Name" -t group admin
Change "Group Name" to the name of an AD group with all users you want to be admin on bound machines.
If you're using a Jamf Directory Binding to bind them, you can add the same group to the Allow Administration By field in the Jamf Directory Bindings settings for all machines going forward.
Posted on 02-24-2020 07:10 AM
So we have a "Tech Tools" section in Self Service. It's only available to technicians when they log in to Self Service. So when techs are setting up a Mac they can use it to make the account right from Self Service, using pretty much that command.
It's a more elaborate script that checks for communication to the DC, checks the AD binding status, checks that the user name you entered is valid, then makes the mobile user with admin rights. If anything fails it notifies the tech. It's pretty cool.
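The post above describes the checks its Self Service script performs but does not share the script. The following is an added example, not the poster's code and not anything from Jamf, of how those steps can be put together on a bound Mac. It assumes sAMAccountName-style usernames (1-20 characters of letters, digits, dot, dash or underscore), that a domain controller is reachable on LDAP TCP/389 and advertised by the _ldap._tcp.dc._msdcs SRV record, that the AD node appears under /Active Directory in dscl, and that Apple's createmobileaccount helper lives at its usual path inside ManagedClient.app. The username is taken from Jamf's first script parameter ($4) when run as a policy, or from $1 when run by hand.

```shell
#!/bin/sh
# Added example: create an AD mobile account with local admin rights after the
# pre-flight checks described in the thread. Assumptions (not from the thread):
# sAMAccountName-style usernames, LDAP/389 for the DC probe, and the
# createmobileaccount helper at the path below.
set -u

CREATEMOBILE="/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount"

# Report the failure (Jamf captures stdout/stderr in the policy log) and stop.
fail() { echo "FAILED: $*" >&2; exit 1; }

# Username sanity check (assumed sAMAccountName rules): 1-20 chars, no spaces.
valid_username() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._-]{1,20}$'
}

# Pull the bound DNS domain out of `dsconfigad -show` output read from stdin.
# Prints nothing when the Mac is not bound (dsconfigad says so in prose instead).
parse_ad_domain() {
    awk -F' *= *' '/^Active Directory Domain/ { print $2; exit }'
}

# Locate a domain controller through DNS SRV and probe its LDAP port.
dc_reachable() {
    domain="$1"
    dc=$(dig +short SRV "_ldap._tcp.dc._msdcs.$domain" | awk 'NR==1 { sub(/\.$/, "", $4); print $4 }')
    [ -n "$dc" ] || return 1
    nc -z -w 5 "$dc" 389 >/dev/null 2>&1
}

# Confirm the account exists in the AD node (not merely as a local user).
ad_user_exists() {
    node=$(dscl localhost -list "/Active Directory" | head -n 1)   # e.g. CORP (NetBIOS name)
    [ -n "$node" ] || return 1
    dscl "/Active Directory/$node/All Domains" -read "/Users/$1" RecordName >/dev/null 2>&1
}

main() {
    user="$1"
    valid_username "$user" || fail "'$user' is not a valid AD username"
    domain=$(dsconfigad -show | parse_ad_domain)
    [ -n "$domain" ] || fail "this Mac is not bound to Active Directory"
    dc_reachable "$domain" || fail "no domain controller for $domain reachable on LDAP/389"
    ad_user_exists "$user" || fail "'$user' was not found in Active Directory"
    [ -x "$CREATEMOBILE" ] || fail "createmobileaccount not found at $CREATEMOBILE"
    "$CREATEMOBILE" -n "$user" || fail "createmobileaccount returned an error for $user"
    dseditgroup -o edit -a "$user" -t user admin || fail "could not add $user to the admin group"
    echo "mobile admin account created for $user"
}

# Jamf passes mount point, computer name and console user as $1-$3, so a policy
# parameter arrives in $4; when run by hand the username is $1. With no
# argument nothing runs, so the functions can be sourced or tested safely.
user="${4:-${1:-}}"
[ -n "$user" ] && main "$user"
```

Run it as root with the target username as the Jamf policy's first parameter (or `sudo sh make_mobile_admin.sh jdoe` by hand). Each check fails closed with a message in the policy log rather than falling through to account creation, which is the behaviour the post describes as notifying the tech.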
Posted on 03-27-2020 09:47 AM
Would you be willing to share that policy you have in your Tech Tools for creating mobile accounts? I'm starting to work on building one for our environment but it would help to get a jumpstart. If you do share it, please make sure you remove any specific hostnames or service accounts from the script.