Jamf Nation Community

@martacarl It doesn't have any impact on FileVault management, and should not impact normal use, so I'd suggest you just leave it be as the Management Account will be going away soon.

From the Deprecations and Removal section of the Jamf Pro Release Notes:

Functionality to change the management account information for computers—

In an upcoming release, the ability to specify or modify computer management account credentials will be removed from Jamf Pro. This includes the following methods:

In addition, the ability to enable and disable the management account for FileVault via a policy will be removed, and the -sshUsername, -sshPassword, and -sshPasshash options for the recon command of the jamf binary on managed computers will be removed. This will not affect the standard inventory submission process for computers, but could affect certain custom workflows if used in your environment.

Moving forward, you can use the local administrator password solution (LAPS) to securely view and modify macOS account passwords on managed computers. For more information, see Local Administrator Password Solution (LAPS) in the Jamf Pro Release Notes 10.46.0.

This change will also simplify the way computers are considered managed by Jamf Pro. Currently, Jamf Pro reports a computer as managed only when Allow Jamf Pro to perform management tasks is selected in its inventory record and management account credentials are filled. After this functionality is removed, you will only need to select Allow Jamf Pro to perform management tasks for Jamf Pro to consider the computer managed.

There seems to still be a little confusion around the Jamf management account, and I'm wondering if anyone has further insight into this.

I've been tasked with possibly removing the Jamf management account from our Macs due to some concerns about having it on there. (Long story that has to do with the tool being used for compliance checking, that I won't get into here)

Suffice to say my response to this request was that I needed to research this, because I'm concerned about potential impact this could have on our devices. We don't use the management account for anything currently. It's just "there" as part of our enrollment process, but we also have a local admin account we use when required (very minimally), so the Jamf management account is never touched, logged into or anything.

In looking over the most recent Jamf 10.50.0 documentation, the wording states the following:

When you enroll a computer with Jamf Pro, you must specify a local administrator account called the "management account". However, choosing to create the management account on computers is optional and is only required for some workflows. The management account only needs to be created if you want to log in to a specific computer to perform management tasks.

This certainly makes it sound like it's optional and not really needed anymore. The legacy Jamf Remote.app is now gone, and I believe that was one of the reasons it existed.

However, in that same documentation, it also states:

Important: 

The management account must be created to allow use of local administrator password solution (LAPS) functionality, which you can use to manage the management account password. For more information, see the Local Administrator Password Solution for Jamf Pro technical paper.

Following the link above, I see this:

LAPS allows you to manage one or both of the following account passwords on a managed computer:

• The Jamf management account password. The Jamf management account is created on computers by selecting the following option in Jamf Pro: (Settings > User-initiated enrollment > macOS > Create management account. This account's password is managed by the Jamf management framework. For more information, see Management Accounts in the Jamf Pro Documentation.

  This type of LAPS is called "Jamf management framework LAPS".

• The managed administrator account password from a Prestage enrollment. You can create an additional administrator account by selecting the following option in Jamf Pro: (Computers > PreStage Enrollments > Account Settings > Create a local administrator account before the Setup Assistant). This account's password is managed by an MDM command. For more information, see "Provisioning Local Accounts during Automated Device Enrollment" in Automated Device Enrollment for Computers in the Jamf Pro Documentation.

  This type of LAPS is called "MDM LAPS".

So, this makes it sound like it's still "optional" even for LAPS, if you want to use the MDM LAPS and not the Jamf Management framework LAPS, despite the warning on the previous page that it was required for LAPS.

I guess this all makes it as clear as mud to me. Can the Jamf management account be removed? Will it affect the way the machines are listed in Jamf as far as managed or not? I don't really care too much about that if it's only cosmetic. As long as the MDM profile is in place, and the local jamf tools can communicate with the server, I think all is good. But I DO want to be able to use LAPS once I get my hands around it and can effectively manage it. It sounds like as long as we specify our actual local admin account as the LAPS account, I can ignore the Jamf management account, and, potentially remove it?