I want your input on our current provisioning workflow, because I think it needs to be adjusted somehow.
Through PreStage enrollment, we create our managed administrator account and choose the type of local user account as "Admin". The end-user account gets a secure token, but our managed administrator's account does not, because we don't log in with it as the first account. We use a script that the end user has to run from Self Service to grant the secure token to our managed administrator account.
What do you think? Is there something we can do to skip running that script from Self Service and grant a secure token to our managed administrator account?
Any tips are very much appreciated.
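An added example, not from this thread or from Jamf: a small audit script that reports whether the managed admin account already holds a secure token on a FileVault-enabled Mac, so the Self Service grant step only needs to run where it is still missing. It assumes the managed admin short name is supplied in MANAGED_ADMIN (a placeholder), and it parses the output of sysadminctl and fdesetup; only the live checks depend on macOS.

```shell
#!/bin/sh
# Added example (not the thread's or Jamf's own code): audit secure token
# status of the managed admin account and emit a Jamf-style <result> line.
MANAGED_ADMIN="${MANAGED_ADMIN:-managedadmin}"   # placeholder short name

# Parse one line of `sysadminctl -secureTokenStatus <user>` output and
# print ENABLED, DISABLED or UNKNOWN (e.g. when the user does not exist).
parse_token_status() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Live query on macOS; sysadminctl writes its status line to stderr.
token_status_for() {
    parse_token_status "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# The grant step is still required only when FileVault is on and the
# managed admin does not already hold a token.
# $1 = token status (ENABLED/DISABLED/UNKNOWN), $2 = FileVault state (On/Off)
needs_grant() {
    [ "$2" = "On" ] && [ "$1" != "ENABLED" ]
}

# Build the extension-attribute style report from the live checks.
report() {
    status=$(token_status_for "$MANAGED_ADMIN")
    if fdesetup status 2>/dev/null | grep -q "FileVault is On"; then
        fv=On
    else
        fv=Off
    fi
    if needs_grant "$status" "$fv"; then
        echo "<result>NEEDS_GRANT (token=$status, FileVault=$fv)</result>"
    else
        echo "<result>OK (token=$status, FileVault=$fv)</result>"
    fi
}

# Only run the live checks when executed on a Mac.
if [ "$(uname)" = "Darwin" ]; then
    report
fi
```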
Each org has its own workflow and reason for setting up a Mac with a local admin account. But, in my opinion, it's a good idea to have an admin account. Just like in Windows, you always need a local admin account in case you need to perform a task on that machine without needing the user's account.
I don't worry about having the local admin account be secure token enabled. As long as the recovery key is escrowed to Jamf, there's a way to log in to the machine. Are you allowing your users to remain as admins on the device, or are you temporarily promoting them to admin when they run your policy to grant a secure token to your local admin account? I was previously doing this, but felt it was no longer needed since we are escrowing the recovery key to Jamf Pro.
@junjishimazaki I totally respect that each company has its own workflow, but I still don't see the real need for that account.
Do you rotate the password of that local admin account? If yes, then how?
@Jason33 Their accounts are already admin! I know that from a security perspective it may be better to keep them standard and use a tool like Privileges, but I'm not sure if that will be too annoying for them.
What's your experience with that? Do you have any issues with having their accounts standard?
User education and trust may be the biggest factors in whether users have standard or administrator accounts, in my opinion.
In a K-12 school, students will always have standard accounts, so a managed admin account is a given. As for staff, there is a wide range in their knowledge of technology. We grant requests for admin accounts on a case-by-case basis, but the majority are standard users. User credentials are also not available to us, so an admin account is beneficial when diagnosing issues as well.
I am still learning Mac administration. This may be due to inexperience, but I don't see the necessity of having the user grant a secure token to the managed admin when the user is also an admin. Does it cause issues when configuring the system as the managed admin?