Posted on 10-21-2024 10:38 AM
Is there an option to remove a user's ability to perform mass actions in Jamf Pro?
We recently conducted a risk assessment, and we discovered that anyone can perform a mass action as long as they have permission to use that action on an individual device.
Is there a permission or another tool you have used that would remove the Jamf user's ability to do something like wipe all devices but still allow them to wipe one device at a time?
Posted on 10-21-2024 11:58 AM
Looking through the permissions settings for Jamf Pro users, I don't see a way to stop people from performing mass actions. My advice would be to figure out who needs to be able to perform actions like remote wipes, remote locks, deleting computers, etc. and create groups that can perform those tasks. Assign your users to the groups based on the permissions you want them to have. The change log will show who performed most actions. The one thing that it won't show is who performed an MDM command like a remote lock or remote wipe. I have a feature request for logging that activity.
https://ideas.jamf.com/ideas/JPRO-I-672
Hopefully Jamf will listen and implement this feature. It's safer to deny permissions than to give them, so choose wisely who can perform certain tasks in Jamf Pro.
Posted on 10-21-2024 11:56 AM
Under User Accounts and Groups, click on any user or group and you should see the management commands listed, and you can disable them there.