Ok, I've deployed a package to my Mac desktop. I set up the package to run via Self Service. When I click on my Self Service icon and then the package to install it, I am prompted to enter the Local Admin password.
First, I am logged on as an Admin, and second, in the JSS web portal under "computer management framework settings > self service" the following were set:
Users are not required to log in
End users do not need to be authenticated locally to install self service items
If both of these settings were set and I am a local Admin, why would I still be prompted to enter the local admin password? Being able to install software with end user interaction is what we're after.
We've run into the same issue at times and it's because the machine is either not enrolled properly in JSS, or there is a problem with the management password in JSS. We found that if we update the management account password for each machine (either in the JSS machine by machine or via policy) that Self Service works fine without asking for admin creds. We were never able to figure out why the management password was not correct and why it needed to be updated in some cases.
I would agree that the most likely cause for this, especially if you're seeing it right after opening Self Service, is that the management account on the Mac and what the JSS has stored as the management account (& password) for that Mac don't match up. Any policy tries to use that account's credentials to escalate its privileges in the background, and if it doesn't work, you'll get that prompt.
Locate the computer record in Inventory, and in the Details section > Computer Information, click the little (...) icon in the upper right. You'll see fields called SSH Username and 2 for Password. Make sure that information is correct. You'll have to try retyping in the password since it will be obscured in the JSS.
You can also just re-enroll the device with a QuickAdd or by going to your enroll page from the JSS if that's turned on.
Changing the password worked, I was able to install software and never had to enter a password. But this has to be set globally someplace, right? We've already deployed lots of Macs and don't want to touch each machine. Is there a way to reset this SSH password globally?
Also, I searched the JSS web portal for "enroll" and it brought up the 2 "framework settings" but I don't see how to re-enroll all computers.
No, under the Change Management Account Password, click the Change To button and enter a new password there. Thing is, I wonder if this will actually work properly if the management account already has a bad password. I think that function is intended to be used if the password matches up and you just want to change it across a lot of your Macs at once. I'll be curious to see if it actually fixes the issue you're having.