I have a user level configuration profile that is intended to restrict system preferences so that students cannot access many of them. However, this profile is applying when I log in as the local administrator. Any idea why this might be happening? My Configuration Profile looks like so:
1 Restrictions Payload Level set to: User Level
Scoped to Student computers and student LDAP groups.
Is there any way to add an exception to a local account... shouldn't the local account be an exception by default since it's a user level profile?
Best answer by jshipman
Here is the solution via the great Tom Larkin!
Create a separate configuration profile scoped to the same group of computers as the restrictions payload and create a Login Window payload. There is an option under the Options tab to allow administrators to bypass the management. If you have that box checked (Computer Administrators may refresh or disable management), when you log in as a local admin it will prompt you to choose whether you want to bypass management.
This works great for me. Let me know if any of this is unclear, tuinte
I have a pretty much identical Profile: User Level, scoped to an all.users LDAP group. It was getting applied to the local admin on each machine. I checked and there was a directory user in the group with the same shortname as the local admin. I removed the user from the group (actually, I deleted the user entirely. It was a remnant from some testing way back) and it works now.
None of that makes any sense, of course, because, even with the user in the LDAP group, the local admin was NOT that LDAP user.
What I'd love to hear from someone here smarter than me, is a way for a simple exclusion for these User Level profiles, or a blanket way to say: Do not apply to Admin users.
Well, that is exactly what I want. One quick question: why not distribute the payload in the same config profile as the restriction? Not averse to creating another profile (already have a bunch), just wondering if there is a specific reason?
Thanks, though. Really. It's nice when the answer is "Check this box".