Local account control on user initiated enrolment devices

_aDiedericks
Contributor

Hi there,


We've recently migrated all our devices to Jamf Pro from Meraki MDM. Our concern is that, because the Jamf migrate tool brings devices into Jamf Pro as user-initiated enrolments, we are not able to manage local accounts the same way we would on PreStage/ADE-enrolled devices.

Is anyone aware of a means of getting control of the local user account that would make it possible for us to either delete the account or change its password if the employee leaves? Since 80% of our devices have been enrolled in this fashion, we'd be willing to use a paid solution as well.

3 REPLIES

Tribruin
Valued Contributor II

Being User Enrolled or enrolled via ADE should not matter. Managing user accounts should be the same.

However, due to Apple limitations, if a user has a Secure Token (i.e. can unlock FileVault), then the system will not let Jamf change the password. (I assume deletion is similar, but I have never tried it.)

We have a similar situation, so what we do is issue a Lock Computer command. If the user is online, the command is nearly instantaneous, and if they are not online, it will lock the computer as soon as they come online. Once we retrieve the computer, a tech unlocks it using the PIN code in Jamf and resets the user password using the FileVault recovery key.
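A defender-side check for the limitation Tribruin describes, added here as an example (not code from the thread or from Jamf): it lists which local accounts hold a Secure Token, so an admin knows in advance which passwords an MDM reset will not touch and which machines need the lock-and-recovery-key workflow. The `sysadminctl` output wording and the UID-500 cutoff for local accounts are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Reports which local accounts hold a
# Secure Token: those are the accounts whose password an MDM password-reset
# command cannot change, so they need the lock-and-recover workflow instead.
# Assumes macOS `sysadminctl -secureTokenStatus <user>` reports
# "Secure token is ENABLED for user <user>" / "... DISABLED ..." (on stderr).

# Classify one sysadminctl result string: prints ENABLED, DISABLED or UNKNOWN.
token_state_from_output() {
  case "$1" in
    *"Secure token is ENABLED"*)  printf 'ENABLED\n' ;;
    *"Secure token is DISABLED"*) printf 'DISABLED\n' ;;
    *)                            printf 'UNKNOWN\n' ;;
  esac
}

# Query the live system for one account (macOS only; stderr is captured too).
token_state_for_user() {
  token_state_from_output "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# Local interactive accounts: UID 500 and above, skipping service accounts.
local_users() {
  dscl . -list /Users UniqueID | awk '$2 >= 500 && $1 !~ /^_/ {print $1}'
}

# Print "user state" for each user, using the given lookup function.
# Returns non-zero if any account holds a Secure Token, so the result can
# drive a policy exit code or a Jamf extension attribute.
report_tokens() {
  lookup=$1; shift
  found=0
  for u in "$@"; do
    state=$("$lookup" "$u")
    printf '%s %s\n' "$u" "$state"
    [ "$state" = ENABLED ] && found=1
  done
  return $found
}

# On macOS run it for real; elsewhere (e.g. a Linux admin box) do nothing.
if [ "$(uname)" = Darwin ]; then
  report_tokens token_state_for_user $(local_users) ||
    echo "Secure Token holders present: use device lock + recovery key for these"
fi
```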

AJPinto
Honored Contributor III

To cut through the sales talk: there is technically no such thing as migrating a device into a new MDM instance. If you actually want to manage Macs and move from one MDM to another, you need to wipe and load. Beyond Secure Tokens, which are only provided with Automated Device Enrollment, there are many other management limitations when using Device Enrollment or User Enrollment when it comes to MDM.

It is best practice to reprovision a device when someone is done using it. However, you can use scripts to handle all of this. Or you can use the Users tab in the inventory record.

As far as getting a tool, that may be a really good idea. Jamf is anything but an IDP tool; a proper IDP tool will do identity management far better than Jamf Pro ever will.

mojo21221
Contributor II

We use a similar workflow to Tribruin. Send a lock code -> record said lock code and FV2 key in a separate living document for our service desk -> use the FileVault 2 key to change the password when the device is returned if we need to access the data on the device.