User Level Configuration Profile applying at Computer Level

jshipman
New Contributor III

I have a user level configuration profile that is intended to restrict system preferences so that students cannot access many of them. However, this profile is applying when I log in as the local administrator. Any idea why this might be happening? My Configuration Profile looks like so:

1 Restrictions Payload
Level set to: User Level

Scoped to Student computers and student LDAP groups.

Is there any way to add an exception to a local account... shouldn't the local account be an exception by default since it's a user level profile?

1 ACCEPTED SOLUTION

jshipman
New Contributor III

Here is the solution via the great Tom Larkin!

Create a separate configuration profile scoped to the same group of computers as the restrictions payload and create a Login Window payload. There is an option under the Options tab to allow administrators to bypass the management. If you have that box checked (Computer Administrators may refresh or disable management), when you log in as a local admin it will prompt you to choose whether you want to bypass management.

This works great for me. Let me know if any of this is unclear, tuinte.


4 REPLIES

tuinte
Contributor III

I don't know if I have your answer, but...

I have a pretty much identical Profile: User Level, scoped to an all.users LDAP group. It was getting applied to the local admin on each machine. I checked and there was a directory user in the group with the same shortname as the local admin. I removed the user from the group (actually, I deleted the user entirely. It was a remnant from some testing way back) and it works now.

None of that makes any sense, of course, because, even with the user in the LDAP group, the local admin was NOT that LDAP user.

What I'd love to hear from someone here smarter than me is a way for a simple exclusion for these User Level profiles, or a blanket way to say: Do not apply to Admin users.

I shall be watching the thread!

Michael

tuinte
Contributor III

Well, that is exactly what I want. One quick question: why not distribute the payload in the same config profile as the restriction? Not averse to creating another profile (already have a bunch), just wondering if there is a specific reason?

Thanks, though. Really. It's nice when the answer is "Check this box".

Michael

devibeck
New Contributor III

I know this is an old post, but I found it very helpful today as well as this post: https://jamfnation.jamfsoftware.com/discussion.html?id=13449

The link explains how to bypass management when logging in with admin credentials.