Self Service User Profile requires local admin

nixonc85
New Contributor III

Hoping someone can shed some light on what i might be doing wrong here. I am trying to enable self service configuration profiles so that users can install certain user level profiles themselves. My user is a domain user who has logged in to self service, however when I attempt to install the profile it says 'Local administrator credentials required'. I understand this is expected behaviour for a local account, but my user is a mobile AD account.

Any thoughts?

3 REPLIES 3

mm2270
Legendary Contributor II

It should not work that way. If it did, Self Service would be fairly useless in environments where clients don't have local admin rights.
Check to see if the Casper service account (management account) on the Mac has the correct password and that the JSS knows what that password is. Self Service is one of the locations that uses that service account and if the password stored for the computer in the JSS is different than what's actually on the Mac, it has no choice but to ask for admin credentials, since it can't elevate its privileges to run the policy.

If you have SSH enabled on the Mac in question, you can try ssh'ing into it by specifying that management account and entering the password when prompted. If it doesn't let you in with what you think the password should be, then you may have a mismatch.
You can push a policy to the Mac to reset the management account password to something else, with Casper remote, or just a policy scoped to it.

nixonc85
New Contributor III

Management account is OK - I can run other policies via Self Service just not the Configuration Profiles. We don't have APNs working in our environment and usually just package up mobileconfigs and push them out via a policy. I wonder if it is the fact we are not fully setup for MDM which could be the reason??

mm2270
Legendary Contributor II

OK, I didn't thoroughly read what you wrote before. You're trying to use the built in JSS/Self Service capability to install a Config profile? If so, then yeah, if you're not actually fully set up to use MDM, that could be the cause. If this was a pkg that had a postinstall script to install it using the 'profiles' command, that wouldn't be an issue, but using Casper's built in function to install a profile may require being set up to do MDM/APNs.