Secure Token for managed administrator account

Contributor II

Hey all, 


I want your input on our current provisioning workflow, because I think it needs to be adjusted somehow.


Through PreStage enrollment, we create our managed administrator account and choose the type of local user account as "Admin". The end-user account gets a Secure Token, but our managed administrator account does not, because we don't log in with it as the first account. We use a script that the end user has to run from Self Service to grant the Secure Token to our managed administrator account.


What do you think? Is there something we can do to skip running that script from Self Service and still grant a Secure Token to our managed administrator account?


Any tips are very much appreciated.
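The Self Service flow described above, written out as an added example (this is not the original poster's script and not Jamf's own code): it checks that the logged-in user can actually grant a token (holds one and is an admin), verifies the typed password locally before using it, grants the token with sysadminctl, and confirms the result. The managed admin's short name (ADMIN_USER) and its password arriving as Jamf script parameter $4 are assumptions; the macOS tools used are sysadminctl, dscl, dsmemberutil, stat and osascript. The grant step only runs where sysadminctl exists, so the parsing helpers can be exercised anywhere.

```shell
#!/bin/bash
# Added example: grant a Secure Token to a managed admin from a Self Service policy.
# Assumptions: ADMIN_USER is the managed admin's short name; Jamf passes its password
# as script parameter $4 (parameters $1-$3 are reserved by Jamf).
ADMIN_USER="${ADMIN_USER:-managedadmin}"   # assumed short name
ADMIN_PASS="${4:-}"                        # assumed: Jamf script parameter 4

# Reduce the line that `sysadminctl -secureTokenStatus <user>` prints on stderr,
# e.g. "sysadminctl[123:45] Secure token is ENABLED for user alice", to one word.
parse_token_status() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Interpret `dsmemberutil checkmembership -U <user> -G admin` output.
# Returns 0 for "user is a member of the group", 1 for "user is not a member of the group".
is_admin_output() {
    case "$1" in
        *"is a member of the group"*) return 0 ;;
        *)                            return 1 ;;
    esac
}

# Live status of a user's Secure Token (macOS only).
token_status() {
    parse_token_status "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

grant_token_to_admin() {
    local console_user pw
    console_user="$(stat -f %Su /dev/console)"   # the user running Self Service

    # Only a token holder who is also an admin can pass a token on.
    if [ "$(token_status "$console_user")" != ENABLED ]; then
        echo "$console_user has no Secure Token; nothing can be granted." >&2
        return 1
    fi
    if ! is_admin_output "$(dsmemberutil checkmembership -U "$console_user" -G admin)"; then
        echo "$console_user is not an admin; use an admin token holder." >&2
        return 1
    fi
    if [ "$(token_status "$ADMIN_USER")" = ENABLED ]; then
        echo "$ADMIN_USER already has a Secure Token."
        return 0
    fi

    # Ask the user for their own password (hidden input) via a dialog.
    pw="$(osascript -e 'display dialog "Enter your password to grant a Secure Token to the managed admin" default answer "" with hidden answer' \
                    -e 'text returned of result')" || return 1

    # Check the credential locally before handing it to sysadminctl.
    if ! dscl /Local/Default -authonly "$console_user" "$pw" 2>/dev/null; then
        echo "Password check failed for $console_user." >&2
        return 1
    fi

    sysadminctl -adminUser "$console_user" -adminPassword "$pw" \
                -secureTokenOn "$ADMIN_USER" -password "$ADMIN_PASS" 2>&1
    unset pw

    # Confirm rather than trust the exit code.
    [ "$(token_status "$ADMIN_USER")" = ENABLED ]
}

# Run the grant only where the macOS tool exists (i.e. on the Mac, not in a test shell).
if command -v sysadminctl >/dev/null 2>&1; then
    grant_token_to_admin
fi
```

Both passwords are visible in the process list for the duration of the sysadminctl call, which is inherent to this approach; keeping the managed admin's password out of the script body (script parameter rather than a literal) at least keeps it out of the Jamf script record itself.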


Contributor II

Also, why would you create a managed administrator account? For us, it is simply to reset the user's password in case they forget it, but we can definitely do that using the FileVault recovery key escrowed to the MDM. Are there any other reasons pushing you to create that managed account?


Valued Contributor

Each org has its own workflow and reasons for setting up a Mac with a local admin account. But, in my opinion, I think it's a good idea to have an admin account. Just like in Windows, you always need a local admin account in case you need to perform a task on that machine without the user's account.

Contributor III

I don't worry about having the local admin account be Secure Token enabled. As long as the recovery key is escrowed to Jamf, there's a way to log in to the machine. Are you allowing your users to remain admins on the device, or are you temporarily promoting them to admin when they run your policy to grant a Secure Token to your local admin account? I previously was doing this, but felt it was no longer needed since we are escrowing the recovery key to Jamf Pro.

Contributor II

@junjishimazaki I totally respect that each company has its own workflow, but I still don't see the real need for that account.

Do you rotate the password of that local admin account? If yes, then how?

@Jason33 Their accounts are already admin! I know that from a security perspective it may be better to keep them standard and use a tool like Privileges, but I'm not sure whether that would be too annoying for them.

What's your experience with that? Do you have any issues from having their accounts standard?


Contributor III

User education and trust may be the biggest factors on whether users have standard or administrator accounts, in my opinion.

In a K-12 school, students will always have standard accounts, so a managed admin account is a given. As for staff, there is a wide range on their knowledge of technology. We grant requests for admin accounts on a case by case basis, but a majority are standard users. User credentials are also not available to us, so an admin account is beneficial when diagnosing issues as well.

I am still learning Mac administration. This may be due to inexperience, but I don't see the necessity of having the user grant a Secure Token to the managed admin when the user is also an admin. Does it cause issues when configuring the system as the managed admin?