Questions on Jamf local accounts

MerrillM
New Contributor

Our security team wanted to know what these two local accounts that are added to every macbook when its enrolled into jamf.  Does anyone know what each of them are used for and what access they have?
Is it related to Jamf MDM or Jamf Connect?

jamf-management    
     /private/var/jamf-managemen

 

svc-securityscans-mac-jamf
 /Users/svc-securityscans-mac-jamf

    

5 REPLIES 5

Tribruin
Valued Contributor II

The first account looks like it might be set in your User-initiated enrollment settings as the Jamf Management account. Maybe someone set that up when your Jamf instance was setup. The management account was used in the past to support Jamf Remote, but has been effectively useless for a few years now, until Jamf Pro 10.49. With 10.49, the management account has been repurposed as LAPS account with a rotating password. 

Not sure about the svc account. That is not created by Jamf by default. (Unless it is related to Jamf Protect.) Check your policies and see if any policy is creating that account. It seems strange that it is creating a user directory in the /Users folder. Most service accounts use /private/var. 

junjishimazaki
Valued Contributor

Quite honestly, you should be asking whoever is administrating your Jamf instance asking that question. Not here. It's your organization so that is your jamf admin to answer that question. 

I agree but some of the admins that created or setup Jamf is no longer with the company.  I jsut wanted to know if these are common local accounts created by jamf connect or jamf pro itself?  

junjishimazaki
Valued Contributor

Well, we can only speculate since we have no idea how your jamf instance was setup, but the first one as Tribruin mentioned could be from the user-initiated enrollment. The second was looks like it was created by policy. Which is kind of strange, why have 2 local accounts. As to what they are used for I'm assuming for local admin stuff that the typical user can not do.

AJPinto
Honored Contributor III

The 1st one looks like JAMFs Management account. This account is created when a device is enrolled using the web portal. I dont think the Management account is needed when you use a prestage to enroll as JAMF gets all of its tokens from Automated Device Enrollment.

 

The second account looks like something you guys are doing. This is not a format that JAMF or Apple uses, SVC is very Windows "domainy".

 

  • Check with your JAMF Admin, and let them handle everything below if they dont know off the top of their head.
  • Check your prestage to see what accounts is creates.
  • Check any policies you have that would create accounts. 
    • Keep in mind scripts can create accounts with dhcl
  • Check your security tools as many of them make their own accounts using dhcl when the application is installed