Posted on 03-27-2014 12:50 PM
I am trying to get management from the JSS that controls access to certain system preferences as well as Utilities applications. I'm running into an issue, though, where config profiles or managed prefs restrict all accounts or none of the local accounts on the machine. When I run a profile on computer level it also restricts the admin account. When I run it on user level it restricts none of the accounts (and as I understand it this was meant for AD accounts anyway). We do not have AD currently managing accounts and will not for a while. We only recently started using JAMF and are still setting up pieces to replace current SOPs.
This happens in both config profiles on 10.7 - 10.9 and managed prefs for 10.6 systems. I need the admin account to not be affected by the management but don't see a way to do this within the setup on the JSS and I'm not too script savvy just yet. I'm guessing that maybe there is a way to do this through scripts but haven't found it yet.
Is it possible profiles or prefs won't affect hidden accounts? Or maybe to just delete the profile on the admin account after through a script?
Any help is appreciated. Thanks
-Chris
Posted on 03-27-2014 01:11 PM
One thing you can try is under the Configuration Profiles --> Login Window --> Options you can check the box "Computer administrators may refresh or disable management".
What this does is allow administrators to disable all management on the computer when they log in. I haven't used this option in a couple of years but it worked for me in the past. Something you may want to try.
Posted on 03-27-2014 01:16 PM
I think this is, unfortunately, expected behavior, in that Computer Level restrictions are going to block all accounts on the Mac, local or directory based. If you're not able to use the User level restrictions, the only thing I can recommend is, with an admin level account it's actually fairly trivial to get around the restrictions if you know where to look. This is true for when using MCX, but I'm not so sure how easy it is when using Configuration Profiles.
So the admin account could simply do some quick Terminal commands to get full access to System Preferences, or you can create a script saved as a Login Item for that account that would do it each time you log into it. The person logging into that admin account would need to supply the account credentials to have the script work, but it should be possible.
That said, someone may have a better way to exclude the local account from these restrictions that I'm just not aware of.
Posted on 03-28-2014 06:59 AM
@krichterjr - The "Computer administrators may refresh or disable management" option does seem to work so far on 10.7-10.9. Going to try on a 10.6 machine next. Thanks for the suggestion, forgot about that option.
@mm2270 - I hope to find an option like you said to avoid needing to log out and log in as admin. I may also look into modifying and exporting a preference .plist just for the standard users.
FYI, this is the company login I use instead of mine sometimes. Just realized which I was in after submitting post. -Chris
Posted on 03-28-2014 10:45 AM
Chris, mm2270
Not at a computer so I can't try it, maybe extreme, but what about editing /etc/sudoers (visudo) and adding the user with ALL across the board?
Posted on 03-28-2014 10:59 AM
@LSinNY It has nothing to do with whether an account is in the sudoers file or what settings they have. Managed Preferences and Configuration Profiles override access to items like System Preference panes when they are set as they are from Casper Suite or from an OS X server, etc.
I know exactly how to get around the restrictions, either temporarily or permanently, but I'm not willing to put it in writing here on a public forum. (Too many school kids with Google-fu skills looking to bypass their school's restrictions.) One method doesn't even require admin rights to do it!