Your environment, admin rights or no admin rights, pros and cons

Stubakka
Contributor II

Hello everyone. My company is looking to do the kick start around Jan 2014. We have about 200 or so onsite clients, maybe 400 total worldwide (these are all estimates because we have never truly been able to track it, due to a lack of software and departments buying their own stuff).

That being said, the jump start will be for about 50-100 client systems. Right now they are "managed" very old school: ARD, AD bind. Most users have admin rights, and only some departments are locked down with standard rights.

That being said, I am weighing the pros and cons of admin rights vs. no admin rights. I'm curious about your environments and how you may have customized users' experiences so that they have rights but are locked out of certain things, or whether they are all standard and why. In my day-to-day job at the moment, even with everyone having admin rights, surprisingly the place has not burned to the ground. I have had a few instances where this was not the case, with people destroying their OS to the point of being non-bootable, however it's pretty rare.

We are also kind of wondering how having a mixed environment for a while (meaning some users enrolled in Casper and some not) was a challenge, and how you went about trying to get 100% enrollment.

22 REPLIES

pblake
Contributor III

We only give admin rights to Technology. Having a management suite like Casper negates the need for users to have admin rights. Let the system and support team manage their computers for them.

mm2270
Legendary Contributor III

All our users are local admins on their Macs. It's partly a historical issue, but also because we have a lot of engineers, developers and the like using Macs. We lock down certain aspects of the OS, which they hate, but it's necessary to maintain security. While we can never completely prevent users from doing what they want while they have admin rights, locking down certain areas is required for compliance purposes. In other words, it's as much CYA as anything else.

All that said, I would say that if there isn't some compelling reason for users to be admins in your environment, you can try making them standard accounts and really beefing up Self Service so they can feel they have some level of autonomy. Find out what the most common uses of admin-level rights are and try to recreate as many of those within Self Service as you can. That should help ease such a transition.

Not applicable

I do not give admin rights to my users. Casper covers most - not all - of the areas that would require administrative rights. Clearly written policies governing computer usage in your organization are also a must.

In my experience, users with admin rights will do whatever they believe is the easiest solution to their own current problem, regardless of what other issues their action may create. For example, I've seen a situation where a user with admin rights installed a pirated copy of Adobe CS onto their own machine, never mind that a) that was illegal, b) it violated their acceptable usage policy. No, the best part was that said user did lots of work in a more recent version of CS than what the rest of his organization was using, and downgrading those files was not easy.

If I had engineers or coders, I'd consider granting admin rights, as long as I also had them sign all relevant documentation stating what they were and were not allowed to do.

damienbarrett
Valued Contributor

We've been bucking the trend for years at my school. Almost every student in our 1:1 has local admin rights to their MacBook Air. We do this for a number of reasons:

- mirrors the real world
- allows for a sense of "ownership" of the machine
- fosters independence and exploration and creativity
- teaches personal responsibility, which dovetails with our overall educational goal of "Gradual Release of Responsibility" that is integral to our pedagogy and curriculum.

Now, it's not completely wide open. Students must follow our AUP, which has a well-defined explanation of what's not allowed. They must also study our "MKA Driver's Manual" and take our "MKA Driver's Test" and get 100% on the test before they are allowed to be administrators. At the Middle School level, we do significant technology training before 4th and 5th graders are allowed to be admins. And MS parents must sign off on the granting of administrator rights.

We also block the P2P protocol on our school network and the running of P2P apps on the clients. We filter the network at school but not at home. If a parent asks about filtering the web at home, we refer them to the free OpenDNS solution or to a Cisco Valet router.

I use Casper to push out very important security-related updates: Flash Player, Acrobat Reader, OS security updates, Java. Just about everything else is left up to the end-user to update.

Faculty must also take and pass the Driver's Test.

We're in Year 4 of this and I have to say that it's been very successful. I thought we'd see a huge number of corrupted operating systems and hork-a-borked systems, but that hasn't been the case. Occasionally, I'll see a super curious kid who's gone down the rabbit hole and needs help getting back out, but it's pretty rare. In cases like that, we simply re-image and recover from backup. Every student is responsible for backing up their computer using Time Machine to an external portable HD (which we also give them and which is theirs to keep if/when they leave the school). In cases where a student hasn't backed up and there's an HD failure, we say, "Sorry, you clearly don't care about your data, so why should we?"

The idea of locking down machines is a historical one, I think. It's how it's always been done in the Windows and Enterprise world, and in fact it is almost necessary in most Windows/Enterprise environments. The flexibility, agility, and security of OS X make our preferred platform much more useful in an environment where end-users are admins.

In a perfect world, every computer user would be taught good computer usage skills, good password-creation skills, system upkeep, and basic logical troubleshooting methodology. But we know this isn't the case. By allowing our end-users to be admins and training them as best we can to be responsible users and good netizens, we feel we are contributing to the overall welfare of the computer-using population. Locking down machines and creating a war-like environment of "Us vs. Them" is counterproductive. Yes, there are environments where this is warranted, but I'd argue it's a smaller number than we think. Give your end-users some freedom (with caveats) and some training and I think you'll be pleasantly surprised.

mm2270
Legendary Contributor III

@damienbarrett - Nice write-up! That was an interesting read - thanks for that.

Congrats to you and your school. It's obviously a lot of work, but it has also obviously paid off for you and your students. Although it's not a model that will work in every environment, it is a nice example of what can be accomplished when responsibility is at the forefront. :)

alexjdale
Valued Contributor III

With over 6000 Macs here, most belonging to developers who need to set up and manage their development environments, admin rights are a requirement. We also try to empower our users, and of course that comes with responsibility.

If any of them were found to be attempting to bypass security measures or cause problems, they would certainly get a smackdown from our security teams.

I can't imagine trying to manage systems in an environment like a school where the users are actively trying to work against you...

rohrt85
New Contributor II

@damienbarrett - we are in our first year with 1:1 and were contemplating giving the students local admin rights to their machines. I enjoyed hearing about your story and success with the school and would like to share this with my administrators to show them that there can be a good cause for doing this with the students.

I am very interested in your "Driver's Manual and Test" that you have made up and that they need to pass. I would like to hear more about this and, if possible, see a sample of what it looks like.

Thanks
Ryan Ohrt
IT Assistant (Independence HS)

Stubakka
Contributor II

Thank you for all the replies. My environment is a bit of a mixed bag: most users have admin rights, some do not, but policy is not clearly enforced. More of a mom-and-pop setup, sadly. IT does not have the sway to enforce things, and sometimes it's like trying to fight a waterfall with only a cup of water while it sinks your ship.

We are heading toward a kick start for the first 50 users in Jan. It's going to be interesting to see how it is at the start; I anticipate pushback from some of my users due to their always having been free-roaming.

damienbarrett
Valued Contributor

If you PM me, I can send you a PDF of our Driver's Test that's hosted on our LMS (Moodle).

Students must get 100% on the Driver's Test. They may take it as many times as it takes. The goal is true assessment and synthesis of the information, not penalization.

We update our AUP and documentation every year based on feedback from our student, parent, and faculty bodies.

cgordy
Contributor

@damienbarrett - excellent article you authored.
We are on the cusp of doing 1:1 MBA to the tune of about 2,000 devices. Right now everyone is a standard user, and it is giving me issues. Apple is encouraging me to revisit my management strategy for most of the bullet points you listed, and I agree it will make my life easier.

I may be promoting all these standard users to admin quite soon, cautiously, as I tread into new water.

dgreening
Valued Contributor II

In our environment we have the following:

- all staff assigned Macs have the primary AD user as local admin
- all student/classroom/cart Macs do not have local admin for any local or AD student accounts
- all school based Macs have an AD group set as local admin so that we can grant specific technology facilitators local admin rights

We really haven't had much issue with staff being local admins through two 3-year deployments of our staff one-to-one MacBook initiative.

mfennelly
New Contributor III

We reversed our lock down policy regarding local admin rights last year for teachers, admins, and staff. (Our students have iPads). I came at it with much the same thinking as @damienbarrett. Having the laptops locked down was impeding growth in technology use and technology knowledge. I realized that I would much rather be teaching people how to use technology than entering in local admin credentials and reverse engineering installers.

I'll also add that having admin access increases the available support avenues. Shortly after we opened up local admin access, I had a non-tech-savvy teacher tell me how she ran into an issue in her classroom (that would have required an IT intervention) but a student was able to walk her through a fix. And there is more peer support between the teachers. I can't think of a single support issue that has come up due to expanded local admin rights.

At this point I would say that our Macs are lightly managed. We prevent P2P apps and push out critical updates.

Caitlin_H
New Contributor III

All of our Users are admins and all of the computers are managed except units that have been re-imaged by the users for developer purposes. We have had very few problems with the Users breaking the machines with admin rights, only one or two times in the last two years.

We do control all critical Application and OS updates for them and put out a fairly healthy variety of Self Service Applications to help maintain the computers.

We also have a standardized local admin account on all of the units so we can remote into them and do work as needed.

I would say overall it has been a positive experience having the Users be admins. Most of the time they don’t break the machines but occasionally they will do something weird with the permissions. A benefit to them being admins is they can update random Applications that they use without having to request the aid of Deskside Support.

andrew_stenehje
Contributor

We are a fairly large school district (40,000 students) and have traditionally been very locked down, so we didn't allow anyone admin rights. With our relatively small support team we've tried to meet the needs of all of our staff by packaging as much as possible and remotely supporting them. However, we are no longer able to keep up and best support people anymore, so we're shifting our policy.

I agree with @damienbarrett's thoughts and we're moving in that direction for staff (not students). We're going to do an opt-in policy for our staff to get local admin rights. If staff want admin rights, they can complete a training/AUP, in the same vein as what @damienbarrett does for students. By completing this, they'll then be able to run something in Self Service that will make their account an admin on that machine. We're excited about it and many of our staff members are very excited about it.

rtrouton
Release Candidate Programs Tester

I support medical researchers who have local admin rights. By and large, we've had few problems directly associated with our users handling admin rights.

Our Macs are managed with Casper, but it's a light touch support model and we do a lot with Self Service.

tlarkin
Honored Contributor

Hey Everyone,

Just my 2 cents in here, as an ex-system administrator, but I think it highly depends on culture, environment, and needs. I have had the great opportunity to work with tons of different organizations, both small and very large, and private, government and education, with my current job. Whether you come to some realizations and expectations, and are still able to provide the proper service to your end users, will determine if you give admin rights or not.

In a 1-to-1 environment, where every user has their own Mac, I would say giving them admin rights is way easier and can make a bit more sense. In a lab, depot, or shared environment where many humans are sharing the same Mac, I would say them being an admin makes a bit less sense.

In my opinion, IT departments are also customer service departments, and all of our end users are our customers. I think their experience with a Mac should be the best end user experience they can have on a managed device. If you guys didn't see Facebook's presentation at the JNUC last year you should check it out. They talk about managing a fast-moving environment, with lots of smart users.

http://www.youtube.com/watch?v=HnU7wzSu2AA

I think it comes down to having proper reporting in place to meet the needs of security, inventory and asset control, and other things. There are downsides to allowing your users admin and there are upsides to it as well, and those balances will be different in each organization.

Thanks,
Tom

CasperSally
Valued Contributor II

We're 1:1 with students with standard accounts, and it works well for us. They get the software they're entitled to at image time. Machines are reimaged each summer with latest software builds. I don't run as admin on my technician machine and rarely find a time I need to type an admin password.

donmontalvo
Esteemed Contributor III

damienbarrett
Valued Contributor

Thanks Don, for the link. But what an unflattering photo of myself! Time to renew that New Year's Resolution!

For anyone interested (we're in Northern NJ), our school welcomes anyone and everyone who is interested in deploying a 1:1 to come visit us. We've had many dozens of schools come through to see our program. If you're interested, send me an email (contact info is in my JAMFNation profile) and I'll put you in touch with our Director of Technology who can coordinate a visit.

jrserapio
Contributor

Currently my environment has about 200 Macs. Macs are bound to AD and the business is a Windows shop. Most of the Macs are being used by developers, which makes the Macs hard to use/manage without admin rights. The temporary workaround to not granting admin rights is to modify the sudoers file, including the _developer group, any time a particular application or setting needs elevation. I am also looking into the process of using the authorizationdb to help with these efforts. The only problem with this workflow is that devs use software that gets updated very rapidly and use a myriad of different applications.

I had the idea that devs could get admin rights and standard users get no admin rights. I know that when they are on the network, managing the machines is pretty easy. But for scenarios where users are mobile and don't have admin rights, how are they to add printers? Add them to the _lpadmin group. But this would then allow navigating to the sharing options, which is a no-no in our company. There are some ways to manage machines over the internet, but our firewall rules are extremely strict.

Seeing if anyone can chime in on having a really secure yet usable workflow from the end user's perspective that is not a PITA to manage.
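
The sudoers and _lpadmin workaround described in the post above, and the "run something in Self Service that makes the account an admin" opt-in that andrew_stenehje describes earlier in the thread, both come down to a short shell script on the Mac. The script below is an added example, not code from the thread or from any of its posters: the _developer group name is jrserapio's, but the commands granted, the drop-in path /private/etc/sudoers.d (assumed to be pulled in by an includedir line in /etc/sudoers) and the function names are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. It scripts the two pieces of the
# workaround above: a narrowly scoped sudoers drop-in for a group (the
# _developer group from the post) and a group membership change such as
# _lpadmin for printer administration. Assumptions: /private/etc/sudoers.d
# is included from /etc/sudoers, and the commands granted below are
# illustrative choices, not recommendations from the post.

# Commands that can spawn a shell or write arbitrary files as root. A sudo
# rule that names one of these is unrestricted root no matter how narrow the
# rule looks, so the generator refuses them outright.
risky_command() {
    case $(basename "$1") in
        sh|bash|zsh|csh|tcsh|vi|vim|nano|emacs|less|more|python|python3|\
        perl|ruby|env|find|awk|tee|cp|mv|dd|installer|defaults|launchctl)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# Emit one sudoers line allowing GROUP to run only the listed commands as
# root, authenticating with the user's own password (no NOPASSWD: a standard
# user still has a password to type). sudoers requires fully qualified
# command paths, so relative names are rejected here before visudo sees them.
# Usage: sudoers_line GROUP /full/path/cmd [...]
sudoers_line() {
    group=$1; shift
    [ $# -gt 0 ] || { echo "sudoers_line: no commands given" >&2; return 1; }
    cmds=""
    for c in "$@"; do
        case $c in
            /*) ;;
            *)  echo "sudoers_line: command must be an absolute path: $c" >&2
                return 1 ;;
        esac
        if risky_command "$c"; then
            echo "sudoers_line: $c is root-equivalent, refusing" >&2
            return 1
        fi
        if [ -z "$cmds" ]; then cmds=$c; else cmds="$cmds, $c"; fi
    done
    printf '%%%s ALL=(root) %s\n' "$group" "$cmds"
}

# Write the fragment to TARGET only if visudo accepts it. A drop-in with a
# syntax error breaks sudo for every user on the machine, so never skip the
# check. Mode 0440 root:wheel is what sudo expects for sudoers files.
# Usage: install_fragment TARGET GROUP /full/path/cmd [...]
install_fragment() {
    target=$1; shift
    tmp=$(mktemp) || return 1
    if sudoers_line "$@" > "$tmp" && visudo -cf "$tmp" > /dev/null; then
        install -o root -g wheel -m 0440 "$tmp" "$target"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Add USER to GROUP through Directory Services. With GROUP set to _lpadmin a
# standard user can add and remove printers; with GROUP set to admin this is
# the Self Service "make me an admin" action. Jamf passes the logged-in
# username to a policy script as $3, so a Self Service item calls this with "$3".
# Usage: add_to_group USER GROUP
add_to_group() {
    dseditgroup -o edit -a "$1" -t user "$2"
}

# Privileged actions run only when invoked as "script.sh apply USER", so
# sourcing the file or running it without arguments has no side effects.
if [ "${1:-}" = "apply" ]; then
    install_fragment /private/etc/sudoers.d/developers _developer \
        /usr/bin/xcode-select /usr/sbin/networksetup || exit 1
    add_to_group "${2:?username required}" _lpadmin
fi
```

xcode-select and networksetup were picked because neither hands the caller a shell or an arbitrary file write, but that audit has to be repeated for every command you add: as soon as a rule names an editor, an interpreter, installer, defaults or launchctl, the group is root in all but name. Verify what a user actually ends up with by running `sudo -l -U <user>` on the Mac. The authorizationdb side that the post mentions is handled separately with `security authorizationdb read <right>` and `security authorizationdb write <right> <rule>`; it does not change what sudo allows.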

Chris_Hafner
Valued Contributor II

I just put in a posting on another thread that applies here as well.

https://jamfnation.jamfsoftware.com/discussion.html?id=12523