User Initiated Enrollment - How do you take away Local Admin Permissions?

ShaferYo
New Contributor

Is there a way, on User enrolled devices, to take away admin privileges to be as close to a Pre-Stage enrollment as possible?
Just starting to integrate Jamf in with our creative team; they use Adobe with a lot of plug-ins and file transfer services. I sent out one pre-stage enrolled device and got a lot of backlash in blocking the users' workflow.
That being said, I want to be able to test with a user that I can work closer with but is User enrolled, so the circumstances are a little different.
Let me know any suggestions. Thanks

1 ACCEPTED SOLUTION

Tribruin
Valued Contributor II

So, want to understand what you mean by "User Initiated" enrollment because you are mentioning Prestage. 

The Prestage is used for Automated Enrollment only. User Initiated Enrollment is when a user takes an already set up computer, goes to a web page (https://company.jamfcloud.com/enroll) and logs in to enroll.

If you are using a PreStage, you can create an Administrator account in your PreStage before the user is created/logs in. Please be aware that Jamf will be moving the PreStage created admin to a LAPS account in early 2024 and you will not be able to set the password anymore.

If you are using UIE, you can create a policy to create an admin account on the computer and specify the password. Then you run a policy to demote the user. Search in Jamf Admin for a script to demote the logged in user.

You can also look at tools such as SAP Privileges to manage whether the user is an admin or standard account. 
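
The fear raised in this thread, ending up with no admin account at all after demotion, can be guarded against in the demotion script itself. The following is an added example, not code from any poster or from Jamf: it refuses to demote the logged-in user unless a separate fallback admin (assumed to be created by an earlier policy and passed as script parameter 4) is still in the `admin` group.

```shell
#!/bin/bash
# Added example, not from the thread. Jamf Pro hands custom script parameters
# to a policy script from $4 onward; using $4 for the fallback admin's short
# name is an assumption of this sketch.

# Print the admin-group members that remain once $1 is removed.
# $1 = user to demote, $2 = whitespace-separated member list
remaining_admins() {
  local target="$1" m out=""
  for m in $2; do
    # root is listed in the group but is not a usable login admin
    if [ "$m" != "root" ] && [ "$m" != "$target" ]; then out="$out $m"; fi
  done
  echo "${out# }"
}

# Succeed only if demoting $1 still leaves fallback admin $2 in member list $3.
safe_to_demote() {
  local target="$1" fallback="$2" m
  if [ -z "$target" ] || [ -z "$fallback" ] || [ "$target" = "$fallback" ]; then
    return 1
  fi
  # No real user is at the console (login window or Setup Assistant)
  case "$target" in root|_mbsetupuser) return 1 ;; esac
  for m in $(remaining_admins "$target" "$3"); do
    if [ "$m" = "$fallback" ]; then return 0; fi
  done
  return 1
}

main() {
  local fallback="$1" user members
  user=$(stat -f%Su /dev/console)   # owner of the console = logged-in user
  # Short names only; members added via nested groups are not listed here
  members=$(dscl . -read /Groups/admin GroupMembership | cut -d: -f2-)
  if ! safe_to_demote "$user" "$fallback" "$members"; then
    echo "Not demoting '$user': fallback admin '$fallback' not confirmed" >&2
    return 1
  fi
  dseditgroup -o edit -d "$user" -t user admin
}

# Run only when parameter 4 is supplied and the macOS tool is present.
if [ -n "${4:-}" ] && command -v dseditgroup >/dev/null 2>&1; then
  main "$4"
fi
```

Scope the demotion policy so it runs after the policy that creates the fallback admin; a non-zero exit shows up as a failed policy in the Jamf Pro logs.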



sdagley
Esteemed Contributor II

@ShaferYo You can easily demote an admin account to standard via a script run from Jamf Pro after enrollment, but what is your system for giving users admin rights when they need them?

ShaferYo
New Contributor

So I have a fear of losing any Admin Access at all when demoting their account.
The Management account is turned off for user enrollment currently, as it is implemented in pre-stage enrollment.
Could there be a script to create the Admin account with the same credentials as we have in the pre-stage enrollment?
That being said, I've looked into options for a self service app (that is a script) that gives admin for 30 minutes. In a perfect world I would love to have everything worked out where they would not need Admin and could request new software when needed.

ShaferYo
New Contributor

@Tribruin
This is what I was asking. Thanks for the reply.
I thought this was an option but I wasn't sure of the "Best Practice".

SCCM
Contributor III

Question would be what workflows have you blocked of theirs using a prestage? If the workflows require admin, then retrospectively removing the rights isn't going to fix their issues.
That said, unless they are manually installing stuff from the web themselves, if you deploy a self service app from Adobe they shouldn't really have an issue, depending on how you buy your licences.
Manage self-service policies (adobe.com)