I was looking into setting up production sites in our Jamf Cloud instance and giving certain technicians admin rights, just for those sites. I am still new to Jamf, so I am still trying to figure this out. My company has the corporate network and a production network which are completely segregated from each other, with the production network not having internet access due to the client media being worked on. We are managing our CORP Macs just fine with Jamf, but now want to expand MDM to the production Macs. I understand we will need to open up some ports to the production network to communicate with our cloud instance and have APNs working. We want to only allow techs from these business units full admin rights to their sites, but no access to other policies and smart groups that were previously set up. I did set up these production sites in Jamf, created user groups with site administration and added a test user to the group, which has full rights to these production sites only. It looks good, as if it's a new Jamf setup. My concern is: do I need to restrict anything else for these users? They will be completely managing their sites, but I don't want them to be able to change anything in the Cloud setup itself. Should I be limiting their rights at all, even though it's just for certain sites? Sorry so long. Appreciate any feedback.
Site-limited Groups and/or Accounts do not have access to most of the functionality that a "Full Jamf Admin" has. There are a few things that are available and you may care about (for example, Network Integrations are available at a Site Admin level), but there's not a lot. It mainly depends on your internal workflow and what you want to allow them to use. The main thing you want to limit is the Jamf Admin utility. This utility cannot be used by multiple admins at the same time; it will cause issues with your database, so we do not allow Site Admins to use it.
For example, we specifically do not use Jamf Imaging, so we do not give those permissions, and we do not allow Site Admins to create QuickAdd.pkgs as we want them to use a User Approved enrollment method. There are a couple of other items that I believe I have removed permissions to, but otherwise, we currently have everything else enabled (full CRUD).
The best advice I can give you is to create a "Site Admin" account for yourself for testing. You'll likely need it for testing in the future. (Back in a release of v9.9x, it broke access for all Site Admins that had access to multiple Sites.)
You'll likely want to look at what Site Admins can and cannot do as well. I say this because "Sites" are not fully integrated with all features in Jamf Pro. For one, Patch Management doesn't take into account Sites, and more features are this way as well. Site Admins cannot clone (configurations) into another Site. Site Admins cannot see anything outside of their currently selected Site. So if you have Policies available to all devices at the "none" or "Full Jamf Pro" level, Site Admins will not be able to see them.
There's more, I know, just not thinking of them at the moment. Some things are more trivial than others.
But it mainly depends on how self-sufficient you want your Site Admins to be. We do a lot of things on behalf of our Site Admins so they don't have to, to help prevent a large duplication of effort for each Site, especially for Site Admins that are responsible for multiple Sites. To help cope with some of the lacking permissions, I have created "tools" that Site Admins can utilize without needing to put in a ticket for a Full Admin to do it for them. (i.e. I have a Policy in Self Service available only to Site Admins that assists them with creating Printers, as well as moving devices between Sites.)
We have ~100 at the moment, but are working to condense those down... Hoping to get closer to the 30 range eventually. Jamf Support would recommend this as well. Half the issues I experience and have to open a support case with Jamf for are in some way related to Site functionality. I know I've expressed my dissatisfaction with Sites numerous times here on Jamf Nation, and have created and upvoted numerous Feature Requests that relate to Site features and functionality.
TL/DR: Site functionality can leave a lot to be desired.
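The reply above boils down to a least-privilege check on site-scoped accounts: keep them on "Site Access", and withhold the Jamf Admin utility, imaging, and QuickAdd package creation. The script below is an added example, not code from the thread or from Jamf; it audits a list of account records for exactly those conditions. The record shape is assumed to loosely mirror the Jamf Pro Classic API response for /JSSResource/accounts/userid/{id} (access_level, privilege_set, site, and privileges grouped by category), and the category keys, privilege strings, and sample accounts are constructed for illustration rather than a verified list from the product.

```python
"""Audit Jamf Pro account records for site-scoped privilege hygiene (added example)."""
import json
import urllib.request

# Constructed sample records, not real Jamf data. Category keys and privilege
# names are assumptions chosen to illustrate the audit, not a verified list.
SAMPLE_ACCOUNTS = [
    {
        "name": "corp-admin",
        "access_level": "Full Access",
        "privilege_set": "Administrator",
        "site": None,
        "privileges": {"casper_admin": ["Use Casper Admin"]},
    },
    {
        "name": "prod-tech-a",
        "access_level": "Site Access",
        "privilege_set": "Custom",
        "site": "Production A",
        "privileges": {
            "jss_objects": ["Create Policies", "Read Policies"],
            "casper_admin": ["Use Casper Admin", "Save With Casper Admin"],
            "recon": ["Create QuickAdd Packages"],
        },
    },
    {
        "name": "prod-tech-b",
        "access_level": "Site Access",
        "privilege_set": "Custom",
        "site": "Production B",
        "privileges": {
            "jss_objects": ["Create Policies", "Read Policies"],
            "recon": ["Use Recon"],
        },
    },
]

# Privileges the reply recommends withholding from site-scoped accounts:
# the Jamf Admin utility (single-writer tool), imaging, and QuickAdd creation.
# "*" denies every privilege in the category. Names are assumptions.
DENIED_FOR_SITE_ACCOUNTS = {
    "casper_admin": "*",
    "casper_imaging": "*",
    "recon": {"Create QuickAdd Packages"},
}


def denied_privileges(account):
    """Return sorted 'category:privilege' entries a site account holds but should not."""
    if account.get("access_level") != "Site Access":
        return []  # only site-scoped accounts are subject to this policy
    hits = []
    for category, denied in DENIED_FOR_SITE_ACCOUNTS.items():
        for priv in account.get("privileges", {}).get(category, []):
            if denied == "*" or priv in denied:
                hits.append(f"{category}:{priv}")
    return sorted(hits)


def audit_accounts(accounts):
    """One finding per site-scoped account holding a denied privilege."""
    findings = []
    for acct in accounts:
        bad = denied_privileges(acct)
        if bad:
            findings.append({"account": acct["name"], "site": acct.get("site"), "denied": bad})
    return findings


def full_access_accounts(accounts):
    """Names of accounts not limited to a Site; this list should stay short and reviewed."""
    return sorted(a["name"] for a in accounts if a.get("access_level") == "Full Access")


def fetch_accounts(base_url, auth_header):
    """Pull account records over the Classic API (assumed endpoint and JSON shape).

    Not called in this example so it runs offline; auth_header is the value for
    the Authorization header, e.g. a Bearer token issued by your instance.
    """
    def get(path):
        req = urllib.request.Request(f"{base_url}/JSSResource{path}",
                                     headers={"Accept": "application/json",
                                              "Authorization": auth_header})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    users = get("/accounts")["accounts"]["users"]
    return [get(f"/accounts/userid/{u['id']}")["account"] for u in users]


if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{finding['account']} ({finding['site']}): {', '.join(finding['denied'])}")
    print("Full Access accounts:", ", ".join(full_access_accounts(SAMPLE_ACCOUNTS)))
```

Run against the constructed sample it flags only prod-tech-a, which holds both Jamf Admin privileges and QuickAdd creation despite being site-scoped; corp-admin is reported separately as a Full Access account so that list can be reviewed on its own. To use it against a real instance, swap SAMPLE_ACCOUNTS for the output of fetch_accounts and adjust the category keys to whatever your instance actually returns.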
Thanks for the response @MLBZ521. I wish there was a way to give this group their own environment in lieu of building an on-prem server. My concern is we will have too many admins who will have access to existing policies and configurations and be modifying stuff they should not be. There will be too many admins that require full access and nobody with enough authority to manage rights. This is why I was testing the site admin option, but I am not sure if it will work.