Posted on 06-25-2024 01:06 PM
We have 300 Macs. Most of our users are developers with standard accounts, but they have the SAP Privileges app installed which allows them to elevate their account to admin.
We notice a lot of unapproved apps are installed. We need to stop this, so we are going to release the necessary apps to Self Service. We are planning to remove SAP Privileges from all users or limit SAP Privileges only to certain users.
Couple questions about this:
1. Once we have released the necessary apps to Self Service, is there any way to prevent users with SAP Privileges from installing other apps from other places (App Store, DMG and PKG files)? Don't want to use JAMF restricted software. Might be using Santa.
2. We know that adding printers requires admin rights. What else should be configured in JAMF in advance to allow users to continue working normally and to minimize the number of contacts to the Service Desk? Which user tasks really require admin rights?
3. Are you still allowing administrator accounts? Why?
Posted on 06-25-2024 05:24 PM
1. It may be best to add a Privilege Access Management tool with the removal of admin rights, to help elevate access when required. You can run an environment without admin rights; it'll be easier if you also grant access to `sudoers` to those standard user accounts.
2. Standard users can add printers, if added to the lpadmin group.
3. We don't allow local users to have admin privs, but you have to make sure your environment is built for different scenarios... (macOS patching, Help Desk support that may require admin rights for troubleshooting, etc.)