User level configuration profiles and restricted software.

SirDewalt
New Contributor III

Sorry if I’m asking stupid questions, I am fairly new to system administration and this is my first time working with Jamf. 

I am setting up my computers with a local admin account and then we create a local standard account for the user. After that we enroll the computer in Jamf and connect the computer to the user in Jamf via Cloud Identity Providers, where I have set up Azure AD. I need to restrict the user from accessing lots of the system settings, but I need the admin account to be able to access these settings. I have a configuration profile set up to restrict the system settings; however, if I set it at the user level it doesn't lock these down for any user no matter what I set under scope. If I set it at the computer level it locks them down for all users. I also have a lot of Restricted Software under the Restricted Software section, some of which the admin may need to access. I have not tried changing the settings in there yet, but I expect it will behave the same way.


mm2270
Legendary Contributor III

For Restricted Software, click on the Exclusion tab when in the Scope section, and then click "LDAP/Local Users" to add a specific user account to exclude from the Restricted Software title.

For user level profiles, there is something to keep in mind. Only one local user account can be "MDM enabled" per device, which is required for it to be able to have a user level profile applied. This restriction doesn't apply for LDAP based accounts, strangely enough.

Not every profile payload is going to work as User Level also. For the profile payload you're talking about - Restrictions - I don't think I've used it in a User Level profile before, or at least not in a long while, so I'm not sure how that works. But give it a try. You can use the same exclusion tab as above to exclude the local admin user if you'd like to try it.

Keep in mind also that you may not see User Level profiles apply right away. Sometimes a log out/log in is required for them to get installed.

SirDewalt
New Contributor III

I was able to get this working by adding my admin account under Users in Jamf and then creating a smart group that has the admin account as a member. After that I set my restricted settings scope to all computers and all users, and under the exclusions I added my smart group.

I have not been able to get the Restricted Software working for the admin account, but I will keep working on it; it is not as important to get that working.


mm2270
Legendary Contributor III

I forgot to ask you. Is the Restricted Software title working in general, but just not excluding the local admin you entered in the Exclusion tab, or is it not working at all? Because new Restricted Software titles take a little time to apply to devices. It's not immediate, because the Mac needs to check in and update its management framework before the restriction will take effect. Just wanted to mention that in case you were seeing it not being applied right away.

SirDewalt
New Contributor III

It is working and just not excluding the local admin. I also forced a policy update on a test Mac by running the sudo jamf policy command.