Management account strategy

New Contributor III

Hi, I was wondering what the best practice is for setting up a management account.

Currently we use one management account with a password IT knows, and that same account is also used by support staff (and by a few non-IT staff in offices where there is no IT on-site; they would assist our support guys if needed). Also of note: the mobile accounts we set up for users are admin accounts, though we haven't generally had any problems with that.

Anyway, recently our management account password was compromised, so we need a better strategy. Is it best practice to keep the management account separate, hidden and with a complex password, and then have another local account dedicated to support? I suppose we could even set a different password for the support account in each office, in case that one becomes compromised.

Any help would be appreciated.



New Contributor II

Hi Simon,

Maybe not "the" solution, but a little "inspiration".
For a couple of the environments we (help to) manage, we calculate the password for the local administrator.
For example:
the asset tag / computer name / ... contains a number; that number is grabbed in a script and a calculation is made with it. That way, each computer has its own individual management password. For one environment, the date is one of the values used in the calculation.

The second part of the story is a web service where support staff can ask for the management password of a certain device. Using the asset tag / computer name / ..., the reverse calculation can be made and support staff can request the password. Logging is performed on that web service, so we have an overview / keep a record of who asked for the password of which machine at which time.
There is also the possibility to include some rights or access privileges in the web service part: support staff from location A aren't allowed to ask for passwords of computers registered in location B, for example.

The date field in the calculation is used to ensure that the passwords are changed daily.
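As an added illustration (not code from the post above), here is the computed-password scheme just described, written in Python: a per-device, per-day password derived from the asset tag, and the lookup service with site-based authorization and an audit record of who asked for which machine's password and when. The post says a "calculation" is made on the number; this example uses a keyed HMAC instead (a design choice, not what the poster runs), so that someone who learns the asset tag and the formula still cannot compute passwords without the key. The key, inventory, site names and asset tags are constructed placeholders.

```python
"""Per-device daily admin password derived from the asset tag, plus the
lookup service with access control and an audit log.

Added example, not the poster's script. Design choice: a keyed HMAC
rather than a bare arithmetic "calculation", so the asset tag and the
date alone are not enough to recompute a password."""
import base64
import datetime
import hashlib
import hmac
from typing import Dict, List, Optional

# Assumption: the only secret in the scheme. It lives on the web service and
# in the daily client script that sets the local admin password.
DERIVATION_KEY = b"replace-with-a-long-random-key"
PASSWORD_LENGTH = 20

# Constructed inventory: asset tag -> site the Mac is registered to.
INVENTORY: Dict[str, str] = {"A1001": "LocationA", "A1002": "LocationA",
                             "B2001": "LocationB"}

# In practice this is an append-only log outside the service, not a list.
AUDIT_LOG: List[dict] = []


def derive_password(asset_tag: str, day: str, key: bytes = DERIVATION_KEY) -> str:
    """Deterministic per-device, per-day password. `day` is an ISO date
    (YYYY-MM-DD); including it is what rotates the password daily."""
    datetime.date.fromisoformat(day)            # reject malformed dates early
    msg = f"{asset_tag.strip().upper()}|{day}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    # urlsafe base64 keeps the password free of shell-hostile characters;
    # 20 characters of base64 carry 120 bits of the HMAC output.
    return base64.urlsafe_b64encode(digest).decode()[:PASSWORD_LENGTH]


def lookup_password(requester: str, requester_site: str, asset_tag: str,
                    inventory: Dict[str, str] = INVENTORY,
                    day: Optional[str] = None,
                    audit: List[dict] = AUDIT_LOG) -> str:
    """Web-service side: the "reverse calculation" with site-based
    authorization. Every request, allowed or denied, is recorded with
    who asked, for which machine, for which day, and when."""
    day = day or datetime.date.today().isoformat()
    site = inventory.get(asset_tag)
    allowed = site is not None and site == requester_site
    audit.append({
        "who": requester,
        "tag": asset_tag,
        "day": day,
        "when": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "allowed": allowed,
    })
    if not allowed:
        raise PermissionError(f"{requester} may not read the password for {asset_tag}")
    return derive_password(asset_tag, day)


if __name__ == "__main__":
    today = datetime.date.today().isoformat()
    print("A1001 today:", lookup_password("alice", "LocationA", "A1001", day=today))
    try:
        lookup_password("alice", "LocationA", "B2001", day=today)
    except PermissionError as exc:
        print("denied:", exc)
    print("audit entries:", len(AUDIT_LOG))
```

The same `derive_password` has to run in the daily client-side policy that sets the local admin password, so the key is present on every Mac as well; anyone with root on one machine can extract it and compute any other machine's password for any day. That is the inherent limit of a computed scheme compared with a per-device random password that is set locally and escrowed centrally.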

New Contributor III

Hi Simon,
I've found that it's best to keep the management account and a local admin account completely separate. It helps to think of the management account as the Jamf-only account. Creating it as a hidden account with a 16-character randomized password will help avoid any compromises and offer you a back door in the event that the local admin gets removed or altered.

Contributor III

In my current environment I've found the best way is to deploy the management account with a randomized strong password so only JAMF knows it.

Then we deploy a local admin account for support teams, as well as a local standard user account, for which we keep the passwords rolling every 90 days. In terms of more general device security, we also put an EFI password on our devices.

New Contributor III

Cheers for the responses! They've given me a better idea of how to tackle this.
I will certainly separate the management account from the one used for support.

I'll probably have to do this going forward by adding the local account to the PreStage.
I was thinking of adding the account via policy; however, there would be no easy way to enable it for FileVault.

Contributor II

Just chiming in with what we do, and with a reference to High Sierra, FileVault and Secure Token...

Management account: that's created with a random password that only Jamf knows. Used for Jamf Remote only.

Local admin account: created during the DEP PreStage, used for IT support. We bind to AD and use LAPS (with macOSLAPS on the Macs) to randomise the password for this account; then our techs can look it up using the LAPS UI tool. Also, because we bind, our techs can use their own accounts to elevate and gain local admin access, which we prefer (but that only works on campus or via VPN; local admin is the fallback).

If you don't bind, there is a similar project called LAPSforMac that randomises the local admin account password and stores it as an Extension Attribute in your Jamf Pro Server.

A word about FileVault: for MacBooks, we have to enable FileVault for the intended user. We do this by having that person be the first to log in during the Setup Assistant. We bind to AD during the PreStage so they can log in with their AD account. The main inconvenience is that after they log in for the first time, they need to wait 15 minutes or so for the Mac to provision itself. This leaves the Mac in a state where only that user can unlock FileVault. If IT needs access, we can use the recovery key (escrowed in Jamf) and then the local admin account.
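The LAPS-style rotation described in this post, as an added Python example (not macOSLAPS or LAPSforMac code): generate a random password, reset the local admin account with `sysadminctl` using the management account's credentials, then escrow the new value in a Jamf Pro Extension Attribute through the Classic API. Assumptions: the Mac runs 10.13 or later (`sysadminctl -resetPasswordFor`), an Extension Attribute named "Local Admin Password" already exists in Jamf Pro, and the API account uses basic auth; the command runner and HTTP sender are injected so the flow can be exercised without a Mac or a Jamf server.

```python
"""LAPS-style rotation of a local admin account on a Mac, with escrow of
the new password in a Jamf Pro Extension Attribute.

Added example, not the LAPSforMac or macOSLAPS code. Assumptions are
marked inline; the runner and sender are parameters so the ordering and
failure handling can be tested without touching a real system."""
import base64
import secrets
import string
import subprocess
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List

EA_NAME = "Local Admin Password"        # assumption: EA created in Jamf Pro
ALPHABET = string.ascii_letters + string.digits


def new_password(length: int = 20) -> str:
    """CSPRNG password; 20 characters from a 62-symbol alphabet is ~119 bits."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def reset_argv(account: str, new_pw: str, mgmt_user: str, mgmt_pw: str) -> List[str]:
    """sysadminctl invocation that rotates `account` using the management
    account. Caveat: both passwords are visible in `ps` while it runs, so
    the policy should run as root and the command should be short-lived."""
    return ["/usr/sbin/sysadminctl", "-resetPasswordFor", account,
            "-newPassword", new_pw, "-adminUser", mgmt_user,
            "-adminPassword", mgmt_pw]


def escrow_body(value: str, ea_name: str = EA_NAME) -> bytes:
    """Classic API XML that updates a single Extension Attribute on a
    computer record (everything else on the record is left untouched)."""
    computer = ET.Element("computer")
    ea = ET.SubElement(ET.SubElement(computer, "extension_attributes"),
                       "extension_attribute")
    ET.SubElement(ea, "name").text = ea_name
    ET.SubElement(ea, "value").text = value
    return ET.tostring(computer, encoding="utf-8")


def http_put(url: str, body: bytes, user: str, password: str) -> int:
    """Default sender: PUT with basic auth. Assumption: an API account whose
    only privilege is updating computer records."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=body, method="PUT", headers={
        "Content-Type": "application/xml",
        "Authorization": "Basic " + token,
    })
    with urllib.request.urlopen(req) as resp:
        return resp.status


def rotate(serial: str, account: str, mgmt_user: str, mgmt_pw: str,
           jss_url: str, api_user: str, api_pw: str,
           run: Callable[[List[str]], int] = lambda argv: subprocess.run(argv).returncode,
           put: Callable[[str, bytes, str, str], int] = http_put) -> Dict[str, object]:
    """Reset locally first, then escrow. A failed reset escrows nothing, so
    the stored value never gets ahead of the Mac. A failed escrow leaves
    the new password only in this process: the caller must retry the PUT
    with the returned password (or fall back to the management account)
    rather than treat the rotation as done."""
    pw = new_password()
    if run(reset_argv(account, pw, mgmt_user, mgmt_pw)) != 0:
        return {"reset": False, "escrowed": False, "password": None}
    url = f"{jss_url.rstrip('/')}/JSSResource/computers/serialnumber/{serial}"
    status = put(url, escrow_body(pw), api_user, api_pw)
    return {"reset": True, "escrowed": status in (200, 201), "password": pw}


if __name__ == "__main__":
    # Dry run with fakes so this file can be executed anywhere.
    result = rotate("C02EXAMPLE", "itadmin", "jamfmgmt", "mgmt-secret",
                    "https://jss.example.com", "api", "api-secret",
                    run=lambda argv: 0, put=lambda *a: 201)
    print("reset:", result["reset"], "escrowed:", result["escrowed"])
```

The order matters: if the PUT fails after a successful reset, the old password is already gone from the Mac and the new one exists only in memory, which is exactly the situation where the hidden management account with its own random password (as several replies above recommend) is the way back in.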

Contributor II

I'm not yet into my provisioning stage; my issue is that our local admin account is named based on the asset tag of the system.

Would it even be possible to use that naming convention?

The systems are tagged after we receive them. Would it be a matter of setting the asset tag within Jamf on the device's listing?

Contributor II

I'm thinking of removing the managed administrator account and the Jamf management account and having only one admin account, the end user's account, which has a Secure Token, and relying on the PRK escrowed to Jamf to reset a password or unlock/decrypt the HD.

I would like to get your opinion on whether that is possible, and on any caveats.