Make Me Admin (user/device based), and what alternative "Privileged Access Management" are people using?

GetCart3r
New Contributor III

I've had MMA set up for a few years now and it mostly works, but it's been device based and I've never had it working based on device/user. For example, we have a lab of Macs and we only want MMA available for a particular faculty member and not an option for students. If I scope it to a user it never shows up. We have to scope it based on device, but then it's open for all users of that device to have access to using MMA.

Maybe it's a setting I have, but scoping to a user never works.


As for 3rd party, there are apps out there but many are pretty pricey. We need something that's not crazy pricey that can replace MMA and be controlled through JAMF or a cloud service or server.


GetCart3r
New Contributor III

OK, wow, just after posting I came across https://www.jamf.com/blog/privilege-elevation-macos-security

This may be what we need and something to test.

@GetCart3r  - Nice find with the Jamf blog! 👏

By the way, have you had a chance to try out SAP’s Privileges app? It might be worth checking out as an alternative. It’s open-source and designed specifically for scenarios like yours, where you need to give admin rights temporarily without compromising security for all users on the device.

Here’s the link if you want to take a look: https://github.com/SAP/macOS-enterprise-privileges

Let me know what you think if you try it out! 😊


tender
New Contributor III

Definitely check out SAP's Privileges. I have been using this on a couple thousand Macs for years. I use PrivilegesDemoter, which includes SAP Privileges. I am testing out using Jamf Connect for admin elevation, and Privileges version 2 is being worked on.

tend·er (tĕn′dər) noun: One who tends something.

Shyamsundar
New Contributor II

You can scope it to all the devices, with a limitation to the AD group containing only the faculty. This way, the faculty will need to log in to Self Service to view MMA. They can then elevate themselves to administrators. It will be available on all the machines, only for the users in the faculty group, and they will need to log in to Self Service to view it.

AJPinto
Honored Contributor III

Jamf Connect has recently added features to its relatively new make me an admin function. It can now ask for credentials and only grant admin access if the credentials provided belong to specific IdP groups.

We use CyberArk EPM to handle elevated permissions and the one-off situations where someone needs to be granted admin access.

sdunbar
Contributor

We use a script from here (JPDyson's) to grant temporary admin rights to a user (changed to 5 mins).

It is scoped to a computer on request, once per computer, in Self Service.

Not exactly what you are after but might help.
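A temporary-elevation policy script of the kind sdunbar describes, written here as an added example for this thread. It is not JPDyson's script and not code from Jamf, MMA or SAP Privileges; the script path under /Library/Management and the launchd label com.example.demote-temp-admin are assumed names. It relies on the Jamf policy convention of passing the console user as $3 and the first policy parameter as $4, and it installs the demotion job before it grants admin so that a failure leaves the user unprivileged rather than permanently elevated.

```shell
#!/bin/bash
# Added example: a Self Service policy script that makes the console user an
# admin for N minutes and schedules the demotion with a LaunchDaemon.
# Jamf passes $1 = mount point, $2 = computer name, $3 = console user, and
# $4 onward = policy parameters; here $4 is the number of minutes (default 5).
# The paths and launchd label below are assumed names, not anything from
# the thread or from Jamf.
set -eu

DEMOTE_SCRIPT="/Library/Management/demote_temp_admin.sh"  # assumed path
PLIST_LABEL="com.example.demote-temp-admin"                # assumed label
PLIST_PATH="/Library/LaunchDaemons/${PLIST_LABEL}.plist"

# Convert the policy parameter to seconds, rejecting anything that is not a
# non-negative integer (a policy parameter is still input to validate).
minutes_to_seconds() {
  case "$1" in
    ''|*[!0-9]*) echo "invalid minutes value: $1" >&2; return 1 ;;
  esac
  echo $(( $1 * 60 ))
}

# Refuse system accounts and anything that is not a plain account name, so a
# crafted username never reaches dseditgroup or the generated script.
is_elevatable_user() {
  case "$1" in
    ''|root|daemon|nobody|_*) return 1 ;;
  esac
  printf '%s' "$1" | grep -Eq '^[A-Za-z][A-Za-z0-9._-]{0,63}$'
}

# The script the LaunchDaemon runs once the interval expires: remove the
# user from the admin group, then remove the daemon's plist and itself.
demote_script_body() {
  local user="$1" label="$2"
  cat <<EOF
#!/bin/bash
/usr/sbin/dseditgroup -o edit -d "${user}" -t user admin
/usr/bin/logger -t temp-admin "removed ${user} from the admin group"
/bin/rm -f "/Library/LaunchDaemons/${label}.plist" "\$0"
/bin/launchctl bootout "system/${label}"
EOF
}

# LaunchDaemon that fires the demotion script after StartInterval seconds;
# because it is a daemon, it survives a reboot inside the window.
launchd_plist_xml() {
  local label="$1" script="$2" seconds="$3"
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>${label}</string>
  <key>ProgramArguments</key>
  <array><string>/bin/bash</string><string>${script}</string></array>
  <key>StartInterval</key><integer>${seconds}</integer>
  <key>RunAtLoad</key><false/>
</dict>
</plist>
EOF
}

main() {
  local user minutes seconds
  user="${3:-$(/usr/bin/stat -f%Su /dev/console)}"
  minutes="${4:-5}"
  seconds="$(minutes_to_seconds "$minutes")"
  is_elevatable_user "$user" || { echo "refusing to elevate '$user'" >&2; exit 1; }
  # checkmember exits 0 only when the user is already in the admin group.
  if /usr/sbin/dseditgroup -o checkmember -m "$user" admin >/dev/null 2>&1; then
    echo "$user is already an admin; nothing to do"; exit 0
  fi
  if [ -f "$PLIST_PATH" ]; then
    echo "a temporary elevation is already pending on this Mac" >&2; exit 1
  fi
  # Install and load the demotion job before granting anything, so that a
  # failure here leaves the user unprivileged rather than permanently admin.
  /bin/mkdir -p "$(dirname "$DEMOTE_SCRIPT")"
  demote_script_body "$user" "$PLIST_LABEL" > "$DEMOTE_SCRIPT"
  /usr/sbin/chown root:wheel "$DEMOTE_SCRIPT"; /bin/chmod 755 "$DEMOTE_SCRIPT"
  launchd_plist_xml "$PLIST_LABEL" "$DEMOTE_SCRIPT" "$seconds" > "$PLIST_PATH"
  /usr/sbin/chown root:wheel "$PLIST_PATH"; /bin/chmod 644 "$PLIST_PATH"
  /bin/launchctl bootstrap system "$PLIST_PATH"
  /usr/sbin/dseditgroup -o edit -a "$user" -t user admin
  /usr/bin/logger -t temp-admin "added $user to the admin group for $minutes minutes"
}

# Only act when run as root on macOS (i.e. from the Jamf policy); elsewhere
# this file just defines the functions above.
if [ "$(uname -s)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
  main "$@"
fi
```

Two caveats a practitioner would want before deploying something like this. First, scoping: because the policy elevates whoever Jamf reports in $3, pairing it with the Self Service limitation Shyamsundar describes (all computers, limited to a directory group) is what keeps it from being offered to every user of a lab Mac. Second, a timed demotion only removes the group membership; it does not undo what the user did while admin, such as creating another administrator account or changing an existing admin's password, so an audit of the admin group (for example a periodic `dseditgroup -o read admin` or an extension attribute) belongs alongside it, and the IdP-group check that Jamf Connect and SAP Privileges perform is a stronger gate than a time window alone.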