Posted on 04-02-2024 10:51 AM
What apps/scripts/product are you using to manage temporary admin permissions in your environment? I'd love to give Jamf Connect a try, but we're still using on-prem AD for authentication. I'm piloting Privileges, and it's going well, but my management wants a non-open-source solution, even though it can be deployed from the Jamf App Catalog. I mention Jamf Connect, and the response is that we're not moving to a cloud IdP for the foreseeable future, so no go on that.
Posted on 04-02-2024 10:58 AM
Take a look at Elevate.
Posted on 04-02-2024 11:38 AM
We moved to using CyberArk EPM to manage permission escalations and removed admin access from all users. It was a lot to set up and maintain (thankfully it's a security tool, so it's not my problem), but it makes life a lot easier.
Jamf Connect is a good tool to replace domain binding for on-time account creation. However, it is not really a permissions management tool. You can make an account an admin account with Jamf Connect, but you cannot manage that admin access (i.e. on-demand promotions and demotions).
Posted on 04-02-2024 04:02 PM
I think we're going to start looking at CyberArk EPM; I believe the Windows folks are about to begin piloting it. And with Jamf Connect 2.33.0 you can now elevate to admin.
Privilege Elevation using Jamf Connect
The Jamf Connect menu bar app allows standard users to initiate a temporary promotion to a local administrator. Upon activation, a timer will appear in the user's menu bar for the duration of their promotion. When the timer ends, the user will be reverted to a standard user. This feature can be added to your Jamf Connect configuration with the Temporary User Promotion (TemporaryUserPromotion) setting manually or via the Jamf Connect Configuration app. For more information, see Privilege Elevation for Local Accounts.
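A check that goes with the feature quoted above: if a temporary promotion is supposed to revert when the timer ends, the local admin group should contain only the accounts you expect once it has. The script below is an added example, not part of this thread and not Jamf's code. On macOS the live membership comes from `dscl . -read /Groups/admin GroupMembership`; the parsing is kept in a function that takes that line as a string, and the sample line and the allowlist (`root`, `adminlocal`, a lingering `jdoe`) are constructed, so it also runs where `dscl` is absent.

```shell
#!/bin/sh
# Added example (not from the thread or from Jamf): audit the local admin group
# so that a temporary promotion that did not revert is noticed.
# Live data on macOS: dscl . -read /Groups/admin GroupMembership
# The dscl line is passed in as a string so the check can be exercised on a
# constructed sample on any POSIX shell.

# $1: the "GroupMembership: ..." line exactly as dscl prints it
# $2: space-separated allowlist of accounts that are permanently admins
# Prints each admin account not on the allowlist, one per line.
# Returns 0 when the group matches the allowlist, 1 otherwise.
unexpected_admins() {
    members=$(printf '%s\n' "$1" | sed 's/^GroupMembership: *//')
    found=0
    for m in $members; do
        case " $2 " in
            *" $m "*) ;;                      # expected permanent admin
            *) printf '%s\n' "$m"; found=1 ;; # should have been demoted
        esac
    done
    return $found
}

# Constructed sample: "jdoe" is a standard user whose promotion should have expired.
SAMPLE='GroupMembership: root adminlocal jdoe'
ALLOWED='root adminlocal'   # constructed allowlist; replace with your own

if [ -x /usr/bin/dscl ]; then
    LINE=$(/usr/bin/dscl . -read /Groups/admin GroupMembership 2>/dev/null)
else
    LINE="$SAMPLE"
fi

if unexpected_admins "$LINE" "$ALLOWED"; then
    echo "admin group matches the allowlist"
else
    echo "unexpected admin accounts listed above; verify that temporary promotions reverted"
fi
```

Run it from a Jamf policy or an extension attribute on a schedule slightly longer than the promotion window you configure; a non-empty result is the signal that a demotion did not happen and the account needs a look.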
Posted on 04-03-2024 06:12 AM
Well, I'll be damned, I'll need to look at the 2.33 patch notes lol. Thanks for that tip.
EPM on macOS is a shadow of its Windows version, as with most tools. You cannot escalate binaries with a PIN or LAN credentials on macOS like you can on Windows. However, you can escalate binaries by developer signature and path.
Posted on 04-03-2024 07:09 AM
We moved from Privileges.app to Privilege Management from BeyondTrust.
Posted on 04-03-2024 07:09 AM
We use Admin By Request as we also manage Windows devices in our environment and want one tool for both Mac and Windows: https://www.adminbyrequest.com