Managing admin permissions in 2024

Jason33
Contributor III

What apps/scripts/products are you using to manage temporary admin permissions in your environment? I'd love to give Jamf Connect a try, but we're still using on-prem AD for authentication. I'm piloting Privileges, and it's going well, but my management wants a non-open-source solution, even though it can be deployed from the Jamf App catalog. I mention Jamf Connect, and the response is that we're not moving to a cloud IdP for the foreseeable future, so no go on that.


PE2000
Contributor II

Take a look at elevate.

AJPinto
Honored Contributor III

We moved to using CyberArk EPM to manage permissions escalations and removed admin access from all users. It was a lot to set up and maintain (thankfully it's a security tool so it's not my problem), but it makes life a lot easier.

Jamf Connect is a good tool to replace domain binding for on time account creation. However, it is not really a permissions management tool. You can make an account an admin account with Jamf Connect, but you cannot manage that Admin access (i.e. on demand promotions and demotions).

I think we're going to start looking at CyberArk EPM; I believe the Windows folks are about to begin piloting it. And with Jamf Connect 2.33.0 you can now elevate to admin:

Privilege Elevation using Jamf Connect

The Jamf Connect menu bar app allows standard users to initiate a temporary promotion to a local administrator. Upon activation, a timer will appear in the user's menu bar for the duration of their promotion. When the timer ends, the user will be reverted to a standard user. This feature can be added to your Jamf Connect configuration with the Temporary User Promotion (TemporaryUserPromotion) setting manually or via the Jamf Connect Configuration app. For more information, see Privilege Elevation for Local Accounts.

AJPinto
Honored Contributor III

Well, I'll be damned, I'll need to look at the 2.33 patch notes lol. Thanks for that tip.

EPM on macOS is a shadow of its Windows version, as with most tools. You cannot escalate binaries with a PIN or LAN credentials on macOS like you can on Windows. However, you can escalate binaries from developer signature and path.

Fitzwater
New Contributor II

We moved from Privileges.app to Privilege Management from BeyondTrust. 

https://www.beyondtrust.com/privilege-management

pkleiber
Contributor

We use Admin By Request as we also manage Windows devices in our environment and want one tool for both Mac and Windows: https://www.adminbyrequest.com