Posted on 02-24-2014 04:54 PM
I was wondering if anyone has had any experience in an environment where end users have administrator privileges? We are currently throwing around the idea of making users admins and restricting a majority of software and apps, like terminal and Torrent applications.
We currently don't have a dedicated Casper person to update and manage packages and it also would be a big perception booster for IT. Also, a major portion (read: all) of our end users aren't very savvy with the computers - which is another reason we are really considering this.
Can anyone think of a reason to not allow end users admin access if we add a blacklist of applications and have smart groups that show us if anything changes? I would love to hear opinions and criticisms!
Posted on 02-24-2014 07:29 PM
@ndudley, have a look at the following thread for some discussion on the topic.
https://jamfnation.jamfsoftware.com/discussion.html?id=9329
Posted on 02-24-2014 05:32 PM
There are always applications you'll miss with a blacklist. No one could possibly make an exhaustive list of all applications that could do harm to the computer or your network, not entirely.
With admin privileges, they could turn SSH off, or change the password to your management account, or delete the account entirely, or force unbind the machine (if using a directory service). You can smart group it to flag any of those scenarios in your JSS, but then you're kind of at a loss to re-enforce your IT policies without getting your hands on the machine physically. The fallout in some extreme cases (i.e., a disgruntled employee) may not be worth the risk.
But if you can live with these, go crazy. Sounds nice. :P
Michael
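The smart-group flagging described in the post above depends on each Mac reporting who holds admin rights. An added example, not part of the thread and not Jamf's own code: an extension-attribute script that compares the local admin group against an allowlist. The allowlist contents and the `jamfadmin` account name are assumptions.

```bash
#!/bin/bash
# Added example (not from the thread): extension-attribute sketch for admin drift.
# ALLOWED and MGMT are constructed values; "jamfadmin" is a hypothetical account name.
ALLOWED="root jamfadmin"
MGMT="jamfadmin"

# $1 is the raw line from `dscl . -read /Groups/admin GroupMembership`.
# Prints every member that is not on the allowlist, space separated.
unexpected_admins() {
    extra=""
    for m in ${1#GroupMembership:}; do
        case " $ALLOWED " in
            *" $m "*) ;;
            *) extra="${extra:+$extra }$m" ;;
        esac
    done
    printf '%s' "$extra"
}

# Succeeds only if the management account is still in the admin group.
mgmt_is_admin() {
    case " ${1#GroupMembership:} " in
        *" $MGMT "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Builds the <result> string the JSS stores for an extension attribute.
ea_result() {
    status=""
    mgmt_is_admin "$1" || status="management account not admin"
    extra=$(unexpected_admins "$1")
    [ -n "$extra" ] && status="${status:+$status; }unexpected admins: $extra"
    echo "<result>${status:-OK}</result>"
}

# Query the local directory only where dscl exists (a Mac).
if command -v dscl >/dev/null 2>&1; then
    ea_result "$(dscl . -read /Groups/admin GroupMembership 2>/dev/null)"
fi
```

A smart group can then match any value other than `OK`. Admin rights granted through nested directory groups are not covered by this check.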
Posted on 02-25-2014 04:42 AM
If you want to just do specific users on specific computers, I'm using this as part of an extension attribute.
Posted on 02-25-2014 10:28 AM
@mpermann Thanks so much! I read that article when it first appeared, just completely forgot about it!
Posted on 03-04-2014 06:18 AM
This all depends on your environment and user responsibility. Our faculty here are local admins and the students are not. There's always a back and forth. However, at least with Casper and profiles, it's not that bad. Once a user starts really breaking something you can come along and clean up after them... while making sure it doesn't happen again on anything else!
Posted on 03-04-2014 07:25 AM
I've been looking at using the "Make Me Admin" option from @Andrina from her JNUC2013 presentation.
She's posted it all here: https://github.com/andrina/JNUC2013
It might be something you could leverage for your environment w/o unleashing full access to everything.