macOS in corp environment and rights management

Bandi
New Contributor

Hello,

I'm just very new to the Jamf macOS topic in general and was just wondering how you guys handle user permissions on macOS. Do you enable root, use the sudoers file, or any other options?

Thanks !


LovelessinSEA
Contributor II

You're going to find that everyone does it differently. There are going to be a lot of admins that lock machines down and remove admin privileges from their users. Then you'll see an equal part that gives users admin rights, and some maybe a bastardized version of both. I think that IBM even gives the user a button to push in the Self Service portal that gives users temporary admin privileges; I suspect they monitor the usage of that closely. We use lots of config profiles to lock down settings that we don't want users changing, but what works for some may not work for others. I think it really is dependent on the type of environment you're supporting: medical, professional, or higher ed may all require different security measures based on info sec's policies.

Bandi
New Contributor

Thank you, I appreciate your input! My problem is that they have full admin rights, hence they can easily remove a particular application by running sudo (the app is not on the App Store), so I don't know if there is any mechanism to control it even when they have full admin rights...

Look
Valued Contributor III

Full admin is full admin; it gets pretty hard to control things at that point.
However, JAMF can easily monitor for the presence of applications on a machine and then put them back automatically if removed, or let someone know so words can be had if that is your preferred method.
Depending on how many users you're talking about, the easiest solution might be to simply monitor the app and revoke admin rights for people who abuse what they have been given.
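The monitoring approach described in this reply, written up as an added example (not code from the thread or from Jamf): a small POSIX shell script in the shape of a Jamf Extension Attribute that reports whether required app bundles are still installed. The two `/Applications/...app` paths at the bottom are constructed placeholders, not real products; the `<result>` wrapper is the format Jamf expects from an extension attribute script. A smart group with the criterion "Required apps ... like Missing" can then scope a reinstall policy or an alert.

```sh
#!/bin/sh
# Added example: Jamf-style extension attribute that detects removed app bundles.
# Runs as root at inventory time on macOS, but only uses plain file tests so it
# can be exercised anywhere.

# Echo "Present" when the path is an app bundle with an Info.plist, else "Missing".
# Checking for Info.plist catches a half-deleted bundle as well as an absent one.
app_status() {
    if [ -d "$1" ] && [ -f "$1/Contents/Info.plist" ]; then
        echo Present
    else
        echo Missing
    fi
}

# Print each missing bundle path (one per line) from the arguments given.
# Return value is the number of missing apps, so 0 means everything is in place.
missing_apps() {
    missing=0
    for app in "$@"; do
        if [ "$(app_status "$app")" = Missing ]; then
            echo "$app"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Wrap the outcome in the <result> tags Jamf reads from an extension attribute.
# Produces "<result>OK</result>" or "<result>Missing: a, b</result>".
ea_result() {
    list=$(missing_apps "$@")
    count=$?
    if [ "$count" -eq 0 ]; then
        echo "<result>OK</result>"
    else
        echo "<result>Missing: $(printf '%s' "$list" | tr '\n' ',' | sed 's/,/, /g')</result>"
    fi
}

# With no arguments (how Jamf invokes it) check the default list; the two
# bundle names below are constructed placeholders for whatever your policies install.
if [ $# -eq 0 ]; then
    ea_result "/Applications/Company VPN.app" "/Applications/Endpoint Agent.app"
else
    ea_result "$@"
fi
```

Pair the attribute with a policy scoped to the "Missing" smart group that reinstalls the package, and the reinstall also becomes a log entry you can review when deciding whose admin rights to revoke, which is the "words can be had" part of the reply.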

Gascolator
New Contributor III

We lock our machines down and then enable some specific things that are helpful for users. As an example, I add them to the print admin group so they can install a home printer if they'd like. They can install software from Self Service, or if they have an app they own individually, they can install that from the App Store. I don't block software that installs to the user's Applications folder, so they can still install things like Spotify, etc. They just can't install anything that requires admin rights. If they need an application that isn't in Self Service, they have to request it.

Like was mentioned above, every situation is unique and you'll get answers that are all over the map. Ultimately you'll have to balance what you're comfortable with from a security standpoint with what the culture of your environment will tolerate.

tlarkin
Honored Contributor

All macOS users are local admins, all can sudo, and we don't really have any issues with it. My last four or so jobs have been this way.

Look
Valued Contributor III

@tlarkin that depends a lot on your users though... We had students and staff; students automatically got nothing except print management rights, but most staff got full admin. On top of this we had EAs and monitored smart groups to ensure required software was present, and spoke to anyone systematically abusing their rights.
Likewise, we actually had very few problems in general; basically those who know how to leverage the rights also know it's monitored and know the consequences of mucking around.
The fact macOS explicitly asks for more rights when needed does tend to make people more wary of things. I wonder if the move to Touch ID will adversely affect this, as you often no longer have to enter your password and it feels a lot less serious when you're elevating rights!

tlarkin
Honored Contributor

I worked for a school district. Minecraft is a self-contained Java application that can run from a user's home directory. Students will always find a way to be kids. I went toward classroom management: if you misbehaved on your laptop at school, the teacher took it. We encouraged the teachers to take charge of their classrooms and take away laptops. Also, repeat offenders lost all privileges, meaning that if a computer is required to do the work and you lost your privilege to use a computer, well, I guess you cannot do the work.

Look
Valued Contributor III

Sounds like you have one-to-one devices. Ours was a shared environment, and students with admin rights just doesn't work in that scenario. If they were breaking or misusing their own device I would be less concerned, but we needed to ensure the next student could use it as well, so no admin rights for them!

tlarkin
Honored Contributor

It was one-to-one, yup! For corp environments though, I have always given users admin rights.