JAMF Self Service Policy Scoped Only to Local Admin Account

ksmith685
New Contributor

I am trying to create a policy in Self Service that is scoped out to all devices, but is only accessible for a certain local admin account to install/run. When devices are enrolled, a default local admin account is automatically created and we do not use LDAP, so I'm trying to find a way to limit this policy from being run by unauthorized users. Is there any way to accomplish this? Or is there perhaps a way to require admin credentials be entered before the policy can run?

The policy works great when I scope it to a test device, but as soon as I add the local admin account to the limitations, the policy is removed and disappears from Self Service. 

1 ACCEPTED SOLUTION

dennisnardi
Contributor

Scoping to users works when users sign into Self Service, not when signing into the computer itself. So you'd need to enable the ability to sign into Self Service, and make sure local admin account exists as an account you can log into Jamf with as well.

Most commonly, at least that I'm aware of, people scope policies to groups in their IDP that is integrated into Jamf - that way people in specific IDP groups can log into Self Service to get specific additional policies made available to them, regardless of what computer they're at. 


3 REPLIES

Thank you! I was able to create a user account in JAMF to log into Self Service with and I could view the policy. The policy I created (to bind the machine to AD) isn't working, but I'm thinking that's unrelated and this got me started. Thanks again!

A_Collins
Contributor

There are 2 ways you can do this:

1st, as dennisnardi said, make it available in Self Service and scope it to that user, so you can run it from that computer.

2nd, if the policy should only run when that local account is logged in, then you can write a simple script to run the policy (adjust triggers the way you want):

#!/bin/sh

# Owner of /dev/console is the user currently logged in at the GUI
loggedInUser=$(stat -f %Su /dev/console)
localadmin="whateveryourlocaladmin"
policyTrigger="put-your-policy-trigger-here"

# Check if the desired account is logged in (POSIX test uses a single "=")
if [ "${loggedInUser}" = "${localadmin}" ]; then
  echo "Local admin logged in. Running policy"
  jamf policy -event "$policyTrigger"
  exit 0
else
  echo "Different user logged in. Exiting"
  exit 1
fi
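A hardened variant of the gating idea in the reply above, added here as an example and not A_Collins' script or Jamf's own code. It keeps the console-owner check but adds two things a defender would want: it refuses to run when the console is owned by root (the state at the login window) or is otherwise empty, and it confirms via dseditgroup that the account is actually a member of the local admin group rather than trusting the account name alone. The decision itself is in a pure function so it can be tested anywhere; LOCAL_ADMIN and POLICY_TRIGGER are assumed placeholders you replace with your own values.

```shell
#!/bin/sh
# Added example: gate a Jamf policy on the console user AND on real admin-group
# membership. LOCAL_ADMIN and POLICY_TRIGGER are assumed placeholder values.

LOCAL_ADMIN="${LOCAL_ADMIN:-whateveryourlocaladmin}"
POLICY_TRIGGER="${POLICY_TRIGGER:-put-your-policy-trigger-here}"

# console_user: prints the owner of /dev/console on macOS (empty elsewhere).
console_user() {
    stat -f %Su /dev/console 2>/dev/null
}

# is_admin_member USER: succeeds only if USER is in the local "admin" group.
is_admin_member() {
    dseditgroup -o checkmember -m "$1" admin >/dev/null 2>&1
}

# decide USER EXPECTED ADMIN_FLAG: pure policy decision with no macOS calls.
# Returns 0 (allow) only when USER is a real interactive account that matches
# EXPECTED and ADMIN_FLAG is "yes"; root/empty (login window) is always denied.
decide() {
    user="$1"; expected="$2"; admin_flag="$3"
    case "$user" in
        ""|root|_mbsetupuser) return 1 ;;   # no interactive user session
    esac
    [ "$user" = "$expected" ] || return 1   # wrong account name
    [ "$admin_flag" = "yes" ] || return 1   # name matches but is not an admin
    return 0
}

main() {
    user=$(console_user)
    if is_admin_member "$user"; then flag=yes; else flag=no; fi
    if decide "$user" "$LOCAL_ADMIN" "$flag"; then
        echo "Authorized console user '$user'; running policy $POLICY_TRIGGER"
        jamf policy -event "$POLICY_TRIGGER"
    else
        echo "Console user '$user' is not the authorized local admin; exiting" >&2
        exit 1
    fi
}

# Only act on a Mac that has the jamf binary; elsewhere the functions are just defined.
if [ "$(uname)" = "Darwin" ] && command -v jamf >/dev/null 2>&1; then
    main
fi
```

Because the script still runs as root under Jamf, the group check protects against a non-admin account that happens to carry the expected short name, and the root/empty check stops the policy from firing on a machine sitting at the login window.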