Is it realistic to expect all devices are have the same management account?
We're just setting up our JSS, imaging workflow and Policies and i've found 4 ways where the Management account can vary:
-QuickAdd - creates a specified management account
-Remote or Local enrolment with Recon - requires an existing account
-User Initiated Enrolment - presumably uses a JAMF-defined account
-Apples DEP - No idea.
Knowing I likely have no control over the DEP and User Initiated Enrolment accounts, I feel Recon and QuickAdd should follow their lead. This, of course, leads me to the introduction question - Is it realistic to expect all devices are have the same management account?
We utilize enrollment through the imaging process, QuickAdd package for when devices need re-enrolled and DEP in the event that a device goes rogue and all three of them utilize the same management account. You have complete control over the whole process and which account gets created with each type of enrollment. Most companies will create the management account with a super complex password to prevent being guessed and then setup an admin account on the device via policy. Then, if you find that a user figured out how to delete the admin account, you always have the management account as a backup.
Most places seem to use a single management account. We use two. One for students and one for everyone else. This way, if some student actually manages to get the management password (Hasn't happened in 8 years) then they won't have access to faculty units. So, it's just CYA for me.
P.S. In general your management and direct access admin accounts should in fact be two separate accounts. This makes it super simple to change the standard admin password on units that users have compromises. In addition, many institutions make their management account "hidden" as well.