Local Account and Management Account

pty10
New Contributor III

Just trying to get a better understanding of how local and management accounts work. If I set up a new local account (username and password) with admin rights and then I set up a management account:

  1. The management account gives me the options to set a new password, randomly generate passwords, etc. If I choose to randomly generate passwords, will those passwords go with the new username I set up on the local admin account?

  2. Is generating random passwords meant to keep unauthorized users from knowing what the password is, or to keep it from those that know what the password is? (Next time they try the same password, it will be a different one.)

  3. I read on the forum that you can have random passwords change every day, week, month. I don't see that option inside management accounts (using JSS 9.6).

Cheers,

Henry

4 REPLIES

mm2270
Legendary Contributor III

Randomizing the management password means that no human being actually knows the management account password on any managed Mac once that's been enabled. The JSS keeps track of it as it changes and updates the computer's record in the JSS with the new password. You will never know what it is, so I would not rely on being able to use it if you do that. That's actually a good thing. The management account should really be reserved for Casper's use exclusively, not for someone to log into or use for authentication purposes.
For that, set up a separate local admin account (preferably hidden) that you can use for times when you need local admin credentials on a Mac. Set up a strong password for it and you should be OK.
An advantage to this setup is that if someone figures out or obtains the password for that local account, you can use a policy to blow it away and create a new one with a different password, or script changing the password to something else. Having the management account separate from the regular local admin account gives you some extra options.

BTW, to actually randomize the management account password on your Macs, this is done within a policy. Create a new policy and add the Management Account payload, then from the "Action to take on computers" drop-down menu, choose "Randomly generate new passwords" and set the character length you want. Set the policy frequency, like once a week, etc., and scope to all managed Macs, or just a subset if you prefer. Each day/week/month, as the Macs check in, the policy will run and generate a new random password for the management account on that Mac and report it back to the JSS.

davidacland
Honored Contributor II

We always use a hidden management account that is only for Casper's use, also randomizing it on a periodic basis.

We then add a hidden local admin account on the Macs for support staff.

We did try to be cleverer a while ago and have no local admin account. This was on the assumption that if the Mac lost its connection to AD we could add a local admin account using a policy or Casper Remote, get onto it and fix the issue. In reality we found this to be a step too far. A local admin account is really useful, and when there is a problem, you don't want to be trying to create it at that point.

pty10
New Contributor III

mm2270 and David

Thanks for the tips. Question, after creating the local hidden admin account, how do you then change the password on that account if you need to?

davidacland
Honored Contributor II

In the JSS policy options you can reset a local account password; I'd probably do it that way.

I was going to add a screenshot to show you but I don't think I can :(