a week ago
Hi all,
I recently took over as the Jamf admin for my institution, and am trying to make sense of some settings that were enabled prior.
In regards to this setting in Settings > Global > User-initiated enrollment > Computers:
We also have a managed local administrator account created via PreStage. Would this setting enable SSH for both the user-initiated and PreStage managed local administrator accounts, or just the user-initiated only?
I tried to find information about this in other Jamf Nation posts but couldn't seem to find anything - please let me know if I missed any helpful posts.
I also tried looking at System Settings > General > Sharing > Remote Login while logged into each of the managed local accounts and did not see either of them listed as allowed users, though I understand this may not be visible by design.
Thanks in advance!
a week ago
That setting should apply to both. Both are managed local administrator accounts and that check box is listed underneath Create managed local administrator account. However, there are some minor differences. It is also important to note (as indicated in https://learn.jamf.com/en-US/bundle/jamf-pro-documentation-current/page/User-Initiated_Enrollment_Se...) not to use the same username for the PreStage enrollment as you do the User-initiated enrollment setting.
Key Differences -
User-initiated enrollment - managed local administrator account:
PreStage enrollment - managed local administrator account:
a week ago
As the security world rushes to wholesale zero trust, I would wager fewer and fewer organizations are allowing peer-to-peer communication at the workstation level. Meaning not too many admins are talking about it anymore, so you don't see much on the forums. Generally speaking, SSH is a pretty easy security gap to plug by just disabling it.
Either way, Jamf is just using some scripting to enable SSH and control who can use it when you check that box. You should be able to check its configuration by looking at /etc/ssh/sshd_config. If I remember correctly, access was only granted to the Jamf service accounts created when the device enrolled, and not granted to any accounts created by policies or manually, but it's been a few years since SSH would have worked in my environment.
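An added example, not from this thread and not Jamf's own enrollment script: a POSIX shell audit that answers the "who can actually SSH in" question from the reply above. It reads the login-gating directives out of sshd_config using sshd's own rule that the first occurrence of a keyword outside a Match block wins (a later duplicate AllowUsers is silently ignored, which is a common source of confusion when several tools append to the file), then, only on macOS, reports the Remote Login switch and the members of the com.apple.access_ssh group that backs "Only these users" in System Settings. The group name, the systemsetup and dscl calls, and the sample config are assumptions of this example, not something the thread states; run it as root against the real file, e.g. `sh ssh_audit.sh /etc/ssh/sshd_config`, or with no argument to exercise the constructed sample.

```shell
#!/bin/sh
# Added example: audit who sshd admits on a managed Mac.
# Assumptions (not from the thread): macOS gates "Only these users" via the
# com.apple.access_ssh group, readable with dscl; systemsetup needs root.

# Print the effective value of KEY in FILE. sshd keywords are case-insensitive,
# whitespace-separated, and the FIRST occurrence before any Match block wins.
# Prints nothing when the keyword is unset (sshd's compiled-in default applies).
# Simplifications: Include and "key=value" syntax are not expanded.
sshd_effective_setting() {
    file=$1
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # comments and blanks
        tolower($1) == "match" { in_match = 1; next }     # Match blocks are conditional
        in_match { next }
        tolower($1) == key && !found {
            found = 1
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]*/, "")   # drop the keyword
            print
        }
    ' "$file"
}

# Summarise the directives that decide who may log in and how.
audit_sshd_config() {
    file=$1
    if [ ! -r "$file" ]; then
        echo "cannot read $file (run as root?)" >&2
        return 1
    fi
    echo "== $file =="
    for k in AllowUsers AllowGroups DenyUsers DenyGroups PermitRootLogin PasswordAuthentication; do
        v=$(sshd_effective_setting "$file" "$k")
        printf '%-22s %s\n' "$k" "${v:-(not set: sshd default applies)}"
    done
}

# Constructed sample config (not from a real device) with a decoy duplicate.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample for the audit script
Port 22
PasswordAuthentication no
AllowUsers jamfadmin
# later duplicate: sshd ignores it because the first AllowUsers wins
AllowUsers everyone
Match User jamfadmin
    AllowUsers jamfadmin anotheruser
EOF
}

# macOS only: Remote Login state and the assumed com.apple.access_ssh allow list.
# Skipped quietly where the tools do not exist (e.g. on Linux).
macos_remote_login_status() {
    if ! command -v systemsetup >/dev/null 2>&1 || ! command -v dscl >/dev/null 2>&1; then
        echo "systemsetup/dscl not found: skipping macOS Remote Login check"
        return 0
    fi
    systemsetup -getremotelogin 2>/dev/null || echo "systemsetup failed (needs root)"
    if ! dscl . -read /Groups/com.apple.access_ssh GroupMembership 2>/dev/null; then
        echo "com.apple.access_ssh has no members or does not exist:" \
             "no per-user allow list is applied through that group (assumed semantics)"
    fi
}

if [ -n "${1:-}" ]; then
    audit_sshd_config "$1"
else
    tmp=$(mktemp) && write_sample_config "$tmp" && audit_sshd_config "$tmp"
    rm -f "$tmp"
fi
macos_remote_login_status
```

Reading sshd_config is necessary but not sufficient on macOS: the Remote Login switch and the access_ssh group sit in front of sshd's own allow lists, so an account can be absent from AllowUsers and still be blocked, or present and still blocked, depending on those two. Check all three before concluding which managed administrator account can log in.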
a week ago
Thank you both for your helpful replies! I appreciate it.