Help

User Admin Access?

Go to solution
ndudley
Contributor

Posted on ‎02-24-2014 04:54 PM

I was wondering if anyone has had any experience in an environment where end users have administrator privileges? We are currently throwing around the idea of making users admins and restricting a majority of software and apps, like terminal and Torrent applications.

We currently don't have a dedicated Casper person to update and manage packages and it also would be a big perception booster for IT. Also, a major portion (read: all) of our end users aren't very savy with the computers - which is another reason we are really considering this.

Can anyone think of a reason to not allow end users admin access if we add a blacklist of applications and have smart groups that show us if anything changes? I would love to hear opinions and criticisms!

0 Kudos
1 ACCEPTED SOLUTION

Go to solution
mpermann
Valued Contributor II

Posted on ‎02-24-2014 07:29 PM

@ndudley, have a look at the following thread for some discussion on the topic.
https://jamfnation.jamfsoftware.com/discussion.html?id=9329

View solution in original post

0 Kudos
6 REPLIES 6

Go to solution
tuinte
Contributor III

Posted on ‎02-24-2014 05:32 PM

There are always applications you'll miss with a blacklist. No one could possibly make an exhaustive list of all applications that could do harm to the computer or your network, not entirely.

With admin privileges, they could turn SSH off, or change the password to your management account, or delete the account entirely, or force unbind the machine (if using a directory service). You can smart group it to flag any of those scenarios in your JSS, but then you're kind of at a loss to re-enforce your IT policies without getting your hands on the machine physically. The fallout in some extreme cases (i.e., a disgruntled employee) may not be worth the risk.

But if you can live with these, go crazy. Sounds nice. :P

Michael

0 Kudos

Go to solution
mpermann
Valued Contributor II

Posted on ‎02-24-2014 07:29 PM

@ndudley, have a look at the following thread for some discussion on the topic.
https://jamfnation.jamfsoftware.com/discussion.html?id=9329

0 Kudos

Go to solution
franton
Valued Contributor III

Posted on ‎02-25-2014 04:42 AM

If you want to just do specific users on specific computers, I'm using this as part of an extension attribute.

https://github.com/franton/Add-Users-as-Admin-JSS

0 Kudos

Go to solution
ndudley
Contributor

Posted on ‎02-25-2014 10:28 AM

@mpermann Thanks so much! I read that article when it first appeared, just completely forgot about it!

0 Kudos

Go to solution
Chris_Hafner
Valued Contributor II

Posted on ‎03-04-2014 06:18 AM

This all depends on your environment and user responsibility. Our faculty here are local admins and the students are not. There's always a back and forth. However, at least with Casper and profiles, it's not that bad. Once a user starts really breaking something you can come along and clean up after them... while making sure it doesn't happen again on anything else!

0 Kudos

Go to solution
jennifer
Contributor

Posted on ‎03-04-2014 07:25 AM

I've been looking at using the "Make Me Admin" option from @Andrina from her JNUC2013 presentation.
She's posted it all here: https://github.com/andrina/JNUC2013

It might be something you could leverage for your environment w/o unleashing full access to everything.

0 Kudos