Remove users' ability to change management account via policy

New Contributor III

Is there a permission box I can click or a way to remove "Jamf Pro User Accounts & Groups" ability to change the management account's password by implementing a policy?

This seems like a fairly common thing. I want them to be able to create their own policies but I need to stop them from changing the management account's password. Techs keep changing the management account password and treating it like a local admin account.


Legendary Contributor III

Hi there. Unfortunately, it doesn't look like there's a way to control what you're referring to. The privileges for Jamf Pro accounts are not so granular that they let you manage what payloads in a policy are available to someone. If they have the ability to create and edit policies then they have the ability to add the Management Accounts payload into a policy and subsequently change that password.

The only way I can see to stop this from a technical standpoint would be to revoke privileges to create policies. Perhaps you need to get upper management approval for a 3-strike policy where if they violate the rules set down 3 times, they get policy creation privileges revoked.

For the record, you can see who created a policy under the History button for the policy, assuming they aren't going back in and deleting the policy after it runs.
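
Since the privilege model cannot block the payload, one compensating control is to audit exported policies for it. The following is an added example, not part of the original thread or Jamf's own code: it assumes policy XML in the shape of the Jamf Pro Classic API policy record, with the element path `account_maintenance/management_account/action` and the value `doNotChange` for an unconfigured payload (verify both against your own instance). The sample records and the `approved_ids` parameter are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample records, trimmed to the fields this check reads.
# Element names are an assumption about the Classic API policy XML.
SAMPLE_POLICIES = [
    """<policy><general><id>101</id><name>Install Printer Drivers</name></general>
       <account_maintenance><management_account><action>doNotChange</action>
       </management_account></account_maintenance></policy>""",
    """<policy><general><id>102</id><name>Tech Admin Fix</name></general>
       <account_maintenance><management_account><action>specified</action>
       </management_account></account_maintenance></policy>""",
    # A policy with no account maintenance section at all.
    """<policy><general><id>103</id><name>Update Inventory</name></general></policy>""",
]

NO_CHANGE = "doNotChange"  # assumed value meaning "payload not configured"


def management_account_action(root):
    """Return the management account action, treating absent/empty as no change."""
    action = root.findtext("account_maintenance/management_account/action")
    return (action or "").strip() or NO_CHANGE


def flag_policies(policy_xml_docs, approved_ids=frozenset()):
    """List policies that touch the management account and are not approved."""
    findings = []
    for doc in policy_xml_docs:
        root = ET.fromstring(doc)
        policy_id = int(root.findtext("general/id"))
        action = management_account_action(root)
        if action != NO_CHANGE and policy_id not in approved_ids:
            findings.append({
                "id": policy_id,
                "name": root.findtext("general/name", default=""),
                "action": action,
            })
    return findings


if __name__ == "__main__":
    for finding in flag_policies(SAMPLE_POLICIES):
        print(f"policy {finding['id']} ({finding['name']}): "
              f"management account action = {finding['action']}")
```

Each flagged policy ID can then be looked up under the policy's History button to see who created it.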