Mitigations for Local Administrator Rights

New Contributor III

We've started the process of reining in local administrator rights on our Mac fleet, wherever possible.

So far we've opened up the Energy Saver, Printers & Scanners and Time Machine panes in System Preferences via an initial setup script that we deploy at enrollment time, so that standard users can set up printers whilst working from home etc.

I'm aware of tools such as MakeMeAnAdmin, but my question is what other steps have you taken to mitigate the need for admin rights using Self Service (or other tools) within your Mac estate?


Contributor II

In a school environment, we have removed almost all rights, and make the users do everything through Self Service. We use PaperCut to provision the appropriate printers, but I can't think of anything else that users need to do that requires admin rights. What specific tasks are you having trouble with?

Nothing really in particular, I just wanted to invoke some discussion just in case there is something I have missed. I'm in the process of working through some Jamf-produced reports which should tell me when folks have used their local admin rights and what they were used for.

Our Date/Time settings are configured via a configuration profile and so I need to overcome the issues raised here.

Other than Printers & Scanners, Time Machine, Desktop & Screensaver and Energy Saver, which we've mostly opened up anyway, I need to think about Homebrew and MacPorts, which rely on an administrator doing the initial setup, I believe.


Definitely more straightforward here, in the school. We don't allow such powerful products on the devices. That being said, could you make a Composer package for them (I know - totally defeats the purpose of using Homebrew)? That way, you could use Self Service (which installs as root).