Posted on 06-13-2023 11:32 PM
I'm using Jamf Pro, and from what I've read online, the Jamf Management Account is optional, i.e. we only need it if we want to enable FileVault using policy (we don't).
But then again, the documents say that the management account is needed for Macs to considered managed by Jamf Pro.
I want to manage Macs via Jamf Pro, but I don't need to enable FileVault using policy (we do it via configuration profiles) - so do I still need to create management accounts, or not?
Additionally, some of my managed Macs seem to have the management account password gone out of sync with the Jamf server. Running the Jamf Management Account password rotation policy fails.
Does it have any actual impact, if I don't need to use the management account (i.e. enable FileVault via policy), and I can just leave it be?
If not, what's the right way to get the management account password in-sync with the Jamf server again?
Posted on 06-14-2023 04:38 AM
If you feel the bellow task are required, then you can use management account, else you can ignore it.
Using a policy to administer the management account allows you to do the following:
Screen sharing using Jamf Remote
Authentication to initiate an SSH session using Jamf Remote for the computer to check in to Jamf Pro to run policies
Enrolling computers with macOS 10.15.7 or earlier using Recon, including creating a QuickAdd.pkg for Jamf binary enrollments
Enable FileVault using a policy (when SecureToken is enabled on the management account)
Add or remove users from FileVault using a policy (when SecureToken is enabled on the management account)
Generate a personal recovery key using a policy (when SecureToken is enabled on the management account)
Perform authenticated restarts using a policy (when SecureToken is enabled on the management account)
https://docs.jamf.com/10.36.0/jamf-pro/documentation/Management_Accounts.html#:~:text=Using%20a%20po....
06-14-2023 06:28 AM - edited 06-14-2023 06:29 AM
@martacarl It doesn't have any impact on FileVault management, and should not impact normal use, so I'd suggest you just leave it be as the Management Account will be going away soon.
From the Deprecations and Removal section of the Jamf Pro Release Notes:
Functionality to change the management account information for computers—
In an upcoming release, the ability to specify or modify computer management account credentials will be removed from Jamf Pro. This includes the following methods:
Using the Classic API
Editing a computer inventory record's management account credentials
Using a mass action to edit the management account information on multiple computers
Specifying a password when creating a policy with a management account payload to change or reset the password on a computer
In addition, the ability to enable and disable the management account for FileVault via a policy will be removed, and the -sshUsername, -sshPassword, and -sshPasshash options for the recon command of the jamf binary on managed computers will be removed. This will not affect the standard inventory submission process for computers, but could affect certain custom workflows if used in your environment.
Moving forward, you can use the local administrator password solution (LAPS) to securely view and modify macOS account passwords on managed computers. For more information, see Local Administrator Password Solution (LAPS) in the Jamf Pro Release Notes 10.46.0.
This change will also simplify the way computers are considered managed by Jamf Pro. Currently, Jamf Pro reports a computer as managed only when Allow Jamf Pro to perform management tasks is selected in its inventory record and management account credentials are filled. After this functionality is removed, you will only need to select Allow Jamf Pro to perform management tasks for Jamf Pro to consider the computer managed.
Posted on 11-10-2023 01:56 PM
There seems to still be a little confusion around the Jamf management account, and I'm wondering if anyone has further insight into this.
I've been tasked with possibly removing the Jamf management account from our Macs due to some concerns about having it on there. (Long story that has to do with the tool being used for compliance checking, that I won't get into here)
Suffice to say my response to this request was that I needed to research this, because I'm concerned about potential impact this could have on our devices. We don't use the management account for anything currently. It's just "there" as part of our enrollment process, but we also have a local admin account we use when required (very minimally), so the Jamf management account is never touched, logged into or anything.
In looking over the most recent Jamf 10.50.0 documentation, the wording states the following:
When you enroll a computer with Jamf Pro, you must specify a local administrator account called the "management account". However, choosing to create the management account on computers is optional and is only required for some workflows. The management account only needs to be created if you want to log in to a specific computer to perform management tasks.
This certainly makes it sound like it's optional and not really needed anymore. The legacy Jamf Remote.app is now gone, and I believe that was one of the reasons it existed.
However, in that same documentation, it also states:
Important:
The management account must be created to allow use of local administrator password solution (LAPS) functionality, which you can use to manage the management account password. For more information, see the Local Administrator Password Solution for Jamf Pro technical paper.
Following the link above, I see this:
LAPS allows you to manage one or both of the following account passwords on a managed computer:
The Jamf management account password. The Jamf management account is created on computers by selecting the following option in Jamf Pro: (Settings > User-initiated enrollment > macOS > Create management account. This account's password is managed by the Jamf management framework. For more information, see Management Accounts in the Jamf Pro Documentation.
This type of LAPS is called "Jamf management framework LAPS".
The managed administrator account password from a Prestage enrollment. You can create an additional administrator account by selecting the following option in Jamf Pro: (Computers > PreStage Enrollments > Account Settings > Create a local administrator account before the Setup Assistant). This account's password is managed by an MDM command. For more information, see "Provisioning Local Accounts during Automated Device Enrollment" in Automated Device Enrollment for Computers in the Jamf Pro Documentation.
This type of LAPS is called "MDM LAPS".
So, this makes it sound like it's still "optional" even for LAPS, if you want to use the MDM LAPS and not the Jamf Management framework LAPS, despite the warning on the previous page that it was required for LAPS.
I guess this all makes it as clear as mud to me. Can the Jamf management account be removed? Will it affect the way the machines are listed in Jamf as far as managed or not? I don't really care too much about that if it's only cosmetic. As long as the MDM profile is in place, and the local jamf tools can communicate with the server, I think all is good. But I DO want to be able to use LAPS once I get my hands around it and can effectively manage it. It sounds like as long as we specify our actual local admin account as the LAPS account, I can ignore the Jamf management account, and, potentially remove it?