Posted on 10-02-2023 01:25 PM
I am trying to create a policy in Self Service that is scoped out to all devices, but is only accessible for a certain local admin account to install/run. When devices are enrolled, a default local admin account is automatically created and we do not use LDAP, so I'm trying to find a way to limit this policy from being run by unauthorized users. Is there any way to accomplish this? Or is there perhaps a way to require admin credentials be entered before the policy can run?
The policy works great when I scope it to a test device, but as soon as I add the local admin account to the limitations, the policy is removed and disappears from Self Service.
Posted on 10-02-2023 08:17 PM
Scoping to users works when users sign into Self Service, not when signing into the computer itself. So you'd need to enable the ability to sign into Self Service, and make sure the local admin account exists as an account you can log into Jamf with as well.
Most commonly, at least that I'm aware of, people scope policies to groups in their IDP, which is integrated into Jamf - that way people in specific IDP groups can log into Self Service to get specific additional policies made available to them, regardless of what computer they're at.
Posted on 10-06-2023 06:15 AM
Thank you! I was able to create a user account in JAMF to log into Self Service with and I could view the policy. The policy I created (to bind the machine to AD) isn't working, but I'm thinking that's unrelated and this got me started. Thanks again!
Posted on 10-02-2023 08:46 PM
There are 2 ways you can do this:
1st, as dennisnardi said, make it available in Self Service and scope to that user. So you can run it from that computer.
If the policy will run when that local account is logged in, then you can write a simple script to run the policy (adjust triggers the way you want):
#!/bin/sh
# Name of the user currently owning the console (the GUI login session)
loggedInUser=$(stat -f %Su /dev/console)
localadmin="whateveryourlocaladmin"
policyTrigger="put-your-policy-trigger-here"
# Check if the desired account is logged in (single "=" is the POSIX sh comparison)
if [ "${loggedInUser}" = "${localadmin}" ]; then
    echo "Local admin logged in. Running policy"
    jamf policy -event "$policyTrigger"
    exit 0
else
    echo "Different user, exiting"
    exit 1
fi
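A hardened variant of that gate, added here as an example and not code from the thread: it accepts an allowlist of several admin accounts and also confirms the console user is really a member of the local admin group via dseditgroup, so a non-admin account that merely shares a name cannot trigger the policy. The allowlist, trigger name and log tag are assumed placeholders.

```shell
#!/bin/sh
# Added example: gate a custom-trigger policy on the console user being BOTH
# on an allowlist AND a real member of the local "admin" group.
ALLOWED_ADMINS="itadmin jamfadmin"          # space-separated allowlist (assumed)
POLICY_TRIGGER="put-your-policy-trigger-here"

# Owner of /dev/console is the GUI-logged-in user (macOS only).
console_user() {
    stat -f %Su /dev/console
}

# is_allowed USER ALLOWLIST -> 0 if USER is in ALLOWLIST, else 1.
# Pure string logic, so it can be tested off the Mac.
is_allowed() {
    for a in $2; do
        [ "$1" = "$a" ] && return 0
    done
    return 1
}

# is_local_admin USER -> 0 if USER is in the local admin group (dseditgroup
# exits 0 on membership, non-zero otherwise).
is_local_admin() {
    dseditgroup -o checkmember -m "$1" admin >/dev/null 2>&1
}

# gate USER ALLOWLIST ADMIN_RC -> 0 (allow) or 1 (deny). ADMIN_RC is the exit
# status of the group check, passed in so the decision itself is testable.
gate() {
    if ! is_allowed "$1" "$2"; then
        echo "deny: $1 not on allowlist"; return 1
    fi
    if [ "$3" -ne 0 ]; then
        echo "deny: $1 not in local admin group"; return 1
    fi
    echo "allow: $1"; return 0
}

main() {
    user=$(console_user)
    is_local_admin "$user"; rc=$?
    if gate "$user" "$ALLOWED_ADMINS" "$rc"; then
        logger -t policy-gate "allowed $user, running $POLICY_TRIGGER"
        jamf policy -event "$POLICY_TRIGGER"
    else
        logger -t policy-gate "denied $user"; exit 1
    fi
}

# Only perform the real check on macOS; elsewhere just define the functions.
if [ "$(uname)" = "Darwin" ]; then main; fi
```

Denials are written to the unified log with the policy-gate tag, which gives you an audit trail of who tried to launch the policy.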