Jamf Nation Community

We utilize enrollment through the imaging process, QuickAdd package for when devices need re-enrolled and DEP in the event that a device goes rogue and all three of them utilize the same management account. You have complete control over the whole process and which account gets created with each type of enrollment. Most companies will create the management account with a super complex password to prevent being guessed and then setup an admin account on the device via policy. Then, if you find that a user figured out how to delete the admin account, you always have the management account as a backup.

Most places seem to use a single management account. We use two. One for students and one for everyone else. This way, if some student actually manages to get the management password (Hasn't happened in 8 years) then they won't have access to faculty units. So, it's just CYA for me.

P.S. In general your management and direct access admin accounts should in fact be two separate accounts. This makes it super simple to change the standard admin password on units that users have compromises. In addition, many institutions make their management account "hidden" as well.

+1 to the "have a visible local admin account and a hidden Casper management" account approach. I recommend this in all of my client environments, although not all follow this recommendation.