Just trying to get a better understanding on how local and management account works. If I setup a new local account (username and password) with admin rights and then I setup a management account: Management account gives me the options of set a new password, randomly generate passwords, etc. if I choose the random generate passwords, will those passwords go with the new username I setup on the local admin account? Is generating random passwords to keep unauthorized users from knowing with the password is or from those that know what the password is? (next time they try the same password, it will be a different one) I read on the forum that you can have random passwords change every day, week, month. I don't see that option inside management accounts ( using JSS 9.6) Cheers, Henry

Question

Local Account and Management Account

Forum|Forum|11 years ago
November 24, 2014
4 replies
35 views

+6

pty10
Contributor

Just trying to get a better understanding on how local and management account works. If I setup a new local account (username and password) with admin rights and then I setup a management account:

Management account gives me the options of set a new password, randomly generate passwords, etc. if I choose the random generate passwords, will those passwords go with the new username I setup on the local admin account?
Is generating random passwords to keep unauthorized users from knowing with the password is or from those that know what the password is? (next time they try the same password, it will be a different one)
I read on the forum that you can have random passwords change every day, week, month. I don't see that option inside management accounts ( using JSS 9.6)

Cheers,

Henry

+24

mm2270
Legendary Contributor
Forum|Forum|11 years ago
November 24, 2014

Randomizing the management password means that no human being actually knows the management account password on any managed Mac once thats been enabled. The JSS keeps track of it as it changes and updates the computer's record in the JSS with the new password. You will never know what it is, so I would not rely on being able to use it if you do that. That's actually a good thing. The management account should really be reserved for Casper's use exclusively, not for someone to log into or use for authentication purposes.
For that, set up a separate local admin account (preferably hidden) that you can use for times when you need local admin credentials on a Mac. Set up a strong password for it and you should be OK.
An advantage to this setup is that if someone figures out or obtains the password for that local account. you can use a policy to blow it away and create a new one with a different password, or script changing the password to something else. Having the management account separate from the regular local admin account gives you some extra options.

BTW, to actually randomize the management account password on your Macs, this is done within a policy. Create a new policy and add the Management Account payload, then from the "Action to take on computers" drop down menu, choose "Randomly generate new passwords" and set the character length you want. Set the policy frequency, like once a week, etc. and scope to all managed Macs, or just a subset if you prefer. Each day/week/month, as the Macs check in the policy will run and generate a new random password for the management account on that Mac and report it back to the JSS.

Like

+18

davidacland
Valued Contributor
Forum|Forum|11 years ago
November 24, 2014

We always use a hidden management account that is only for Casper's use, also randomizing it on a periodic basis.

We then add a hidden local admin account on the Macs for support staff.

We did try to be cleverer a while ago and have no local admin account. This was on the assumption that if the Mac lost its connection to AD we could add a local admin account using a policy or casper remote, get onto it and fix the issue. In reality we found this to be a step too far. A local admin account is really useful and when there is a problem, you don't want to be trying to create it at that point.