Least privileges for managed-by account

PhilS
New Contributor III

I've commenced worrying about having anonymous admin accounts on my Jamf Pro server. The account used for "Managed by" was set up as having full admin privileges and I'd like to believe that's excessive for the purpose. What is a good set of least privileges for this account, so it can still do what it needs to do but nothing else? (Auditors love asking questions like this.)

2 REPLIES

barpas
New Contributor II

Just to clarify, the "Managed by" account is created on your macOS devices directly based on the setting in the User-Initiated enrollment. If you have an account to access Jamf Pro with the same username, they are not dependent on each other and its presence or lack should not impact the functioning of the devices. So overall, if that account in Jamf Pro isn't used by any users or API calls, you don't need to have it there ;)

Tribruin
Valued Contributor II

The Jamf Management account is a holdover from when Jamf Remote was still used regularly. Since Jamf Remote is no longer used by most admins, since it only works for on-LAN connections, the value of the management account is questionable. It is not used by the jamf binary for running policies.

I have seen some MacAdmins turn off creating this account completely. But, I am not there yet. But, if you are following best practice and creating the account with a random password, the account should be secure. The password is stored encrypted in the database and not something anyone can see.