Posted on 10-04-2019 05:08 AM
Our Mac users are admins. But my feeling is that actually very few are using it.
So my question is, if it Is possible somehow to see in logs etc, when a user have been prompted for admin password when they are logged in
If there are users that have not been using their admin preveliges it for long time, why then not just block admin access for those, to minimize risk on clients
Posted on 10-04-2019 07:42 AM
Would it not be simpler to set all users to standard and use a script in Self Service to promote them to admin temporarily when the access is needed? If you've got a large population of users who do not need constant admin permissions, this seems more secure.
Posted on 10-04-2019 08:09 AM
Yes but this the reqq
Posted on 10-04-2019 09:06 AM
Sorry - then there Will have to be a lot of decision made and lots of talk, communications to users - which I would like not to start with until I know how big the need is.
Posted on 10-06-2019 02:41 PM
You could use a loginhook policy to test if that user is in the admin group and then log it if that is what your Org is requiring you to do