Help

Managing admin permissions in 2024

Jason33
Contributor III

a month ago

What apps/scripts/product are you using to manage temporary admin permissions in your environment? I'd love to give Jamf Connect a try, but we're still using on-prem AD for authentication. I'm piloting Privileges, and its going well but my management wants a non-open source solution, even though it can be deployed from the Jamf App catalog. I mention Jamf Connect, and the response is that we're not moving to cloud IDP for the foreseeable future, so no go on that.

0 Kudos
6 REPLIES 6

PE2000
Contributor

a month ago

take a look at elevate.

AJPinto
Honored Contributor II

a month ago

We moved to using CyberArk EPM to manage permissions escalations and removed admin access from all users. It was a lot to setup and maintain (thankfully it's a security tool so it's not my problem), but it makes life a lot easier.

 

Jamf Connect is a good tool to replace domain binding for on time account creation. However, it is not really a permissions management tool. You can make an account an admin account with Jamf Connect, but you cannot manage that Admin access (i.e. on demand promotions and demotions).

Jason33
Contributor III
In response to AJPinto

a month ago

I think we're going to start looking at CyberArk EPM; I believe the Windows folks are about to begin piloting it. And with Jamf Connect 2.33.0 you can now elevate to admin

Privilege Elevation using Jamf Connect

The Jamf Connect menu bar app allows standard users to initiate a temporary promotion to a local administrator. Upon activation, a timer will appear in the user's menu bar for the duration of their promotion. When the timer ends, the user will be reverted to a standard user. This feature can be added to your Jamf Connect configuration with the Temporary User Promotion (TemporaryUserPromotion) setting manually or via the Jamf Connect Configuration app. For more information, see Privilege Elevation for Local Accounts.

0 Kudos

AJPinto
Honored Contributor II
In response to Jason33

4 weeks ago

Well Ill bad damned, I'll need to look at the 2.33 patch notes lol. Thanks for that tip.

 

EPM is on macOS is a shadow of its Windows version, as with most tools. You cannot escalate binaries with a pin, or LAN credentials on macOS like you can on Windows. However, you can escalate binaries from developer signature, and path.

0 Kudos

Fitzwater
New Contributor

4 weeks ago

We moved from Privileges.app to Privilege Management from BeyondTrust. 

https://www.beyondtrust.com/privilege-management

0 Kudos

pkleiber
Contributor

4 weeks ago

We use Admin By Request as we also manage Windows devices in our environment and want one tool for both Mac and Windows: https://www.adminbyrequest.com

0 Kudos