Whats the difference between "Users" and "JSS User Accounts" ?

Contributor II

There are apparently two differently places to add users.


What is the difference between these two?


Contributor III

"Users" are users on the actual devices (macOS clients, iPads, etc.). "JSS User Accounts & Groups" are all those indiviudals that have access to the JSS or their respective AD groups that have access. For example we have certain AD groups in our IT department that have access to the JSS, so they would be in the "JSS User Accounts & Groups".

Obviously if they have a device provisioned to them and also have access to the JSS management system, you would see their name in both those views.

Hope that makes sense!


Valued Contributor II

Hi @stevenjklein ,

This information can be found in the Casper Suite Administrator’s Guide.

Specifically, it can be found here and here.

In a nutshell, the first image shows where you can add JSS users who will be able to log in to the JSS and perform various tasks based on the permission set you give them.
The second image is used to assign user based items (VPP, eBooks, Configuration Profiles, etc...). Those users are your end users, more or less; they can be LDAP based or manually created, though many environments use LDAP for users.

Amanda Wulff
Jamf Support

New Contributor III

Users represent the users in your environment, typically LDAP users, that are logging onto or can be assigned devices. JSS Users are the users who actually have an account and can log into the JSS Console itself. These are typically technicians, administrators, etc.

If you have an Active Directory or LDAP environment, your JSS Users and Users will come form the same source. All users can access the enroll site, Self Service, and be assigned to a device. However, only users whose account has been added to the JSS User Accounts can actually log into the JSS site itself.

Legendary Contributor II

@stevenjklein "JSS User Accounts" is mostly for who can log in and access the JSS interface and controls. "Users" is a collection of user accounts on the Macs you may be managing in your JSS. The former may only contain a small number of accounts or groups. The latter may contain thousands of accounts since its based on the users that log into their respective machines. Accounts that show up in "Users" won't necessarily have the ability to log into your JSS, unless you also add them into "JSS User Accounts & Groups"

So they are two different things, and used for two different purposes.

Edit: Haha! That was a serious flurry of answers! I trust you know the difference now. :)

Contributor II

Four responses in 4 minutes! You folks are amazing!

Working with a Windows admin, we linked our JSS to Okta SSO (which is linked to our AD). My JSS now looks like this:

 Local Admin is an emergency backup, in case SSO fails. The two groups are from AD.

If I understand the above answers correctly, I can ignore both types of Users completely, and just use the AD-linked Groups to grant appropriate access and privileges to linked AD groups.

Is my understanding correct?

Legendary Contributor II

Yes, your understanding is correct. As long as you maintain that local JSS account as a backdoor (in case your AD connection gets broken), you can use the group privilege assignments and any AD based users in either of those 2 groups will be able to log in and use the console.