Management Account purpose ??

tcandela
Valued Contributor II

if someone can briefly explain to me the purpose of the 'Management Account' when creating a QuickAdd package and Configuration ? (We already create a local Admin on each mac prior to any enrollment in casper system)

when creating your QuickAdd packages and/or Configuration, what are some of you choosing from the options below?
Hide it or NOT hide it
Allow SSH for management account only

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor III

The Management account is what the JSS uses when it needs to run policies and escalate privileges to root level to do things like installs. Its basically a requirement to do just about any management on your Macs.
While you can technically just use your existing local administrator account for this instead of creating a new one, its often cited as best practice to create a Casper Suite only management account, and leave your local admin account for other purposes.

As for the options you mention, Hiding it just means it creates the account with a sub 501 UID and makes sure it doesn't show up in the Users & Groups preference pane. Edit: It also places the account in /private/var instead of the standard /Users/ path.
Allow SSH for management account only is a security piece that would prevent any other account on the Mac to be used remotely for remote login (SSH) purposes. The Casper Suite benefits from having SSH access to your Macs using that account. Its used for a variety of different tasks. You can choose to leave that unchecked and then other accounts on the Mac can be added to the remote login list and thus SSH to those Macs.

Hopefully that helps clear things up a little.

View solution in original post

6 REPLIES 6

mm2270
Legendary Contributor III

The Management account is what the JSS uses when it needs to run policies and escalate privileges to root level to do things like installs. Its basically a requirement to do just about any management on your Macs.
While you can technically just use your existing local administrator account for this instead of creating a new one, its often cited as best practice to create a Casper Suite only management account, and leave your local admin account for other purposes.

As for the options you mention, Hiding it just means it creates the account with a sub 501 UID and makes sure it doesn't show up in the Users & Groups preference pane. Edit: It also places the account in /private/var instead of the standard /Users/ path.
Allow SSH for management account only is a security piece that would prevent any other account on the Mac to be used remotely for remote login (SSH) purposes. The Casper Suite benefits from having SSH access to your Macs using that account. Its used for a variety of different tasks. You can choose to leave that unchecked and then other accounts on the Mac can be added to the remote login list and thus SSH to those Macs.

Hopefully that helps clear things up a little.

davidacland
Honored Contributor II

In case its of use, our general setup is:

  • Username starting with a _ so it looks like another system account
  • Create if it doesn't exist
  • Hide account (so it is less likely to be tampered with)
  • Ensure SSH is enabled

We don't normally enable "allow SSH for the management account only" as we sometimes want other admins to be able to use it.

We separate the management account from a local admin account thats used by IT support staff. We see the management account as being for casper only.

Once an install is settled and working ok, we like to set a policy to change the management account password (there's an option to randomise it).

tcandela
Valued Contributor II

the management account doesn't have to be already created in the JSS user and groups, does it ? I manage a Site (do not have access to the JSS user and groups to create it in there) and just enter the management account in the Configuration and Quickadd package.

mm2270
Legendary Contributor III

The management account has nothing to do with the Users & groups in your JSS. Its a local account for the Mac that gets created on the Mac and the JSS then stores the information in the computer record, including its password.
I don't use Sites, so my knowledge on them is limited, but I don't think you should have any problem creating a QuickAdd that creates your own management account on any systems the QuickAdd is run on.

tcandela
Valued Contributor II

thanks guys for replying, just wanted to be 100% clear on the concept of the management account, now i am.

MacJunior
Contributor III

guys, i'm thinking to remove the managed administrator account and Jamf management account and have only one admin account "end-user's account" which has a secure token and count on the PRK to reset a password or unlock/decrypt HD.

I would like to get your opinion on that if it's possible.