Risks of staff admin users on supervised and managed devices?

MasterNovice
Contributor

A number of our issues seem to stem from trying to perform tasks from the MDM in the context of standard user sessions. In theory this is all supposed to be groovy if all users have secure tokens, bootstrap is supported by the MDM (since Nov 2021 for School), and a bootstrap token is escrowed back to the MDM by one of those admin secure token holders.

Allowing staff to be admin users would be so much easier, and I come across a number of organizations that allow this. From the Windows world I came up in, and as general best practice, policies of least privilege have always made sense. I wonder if this is actually true with supervised and managed macOS devices though. Is there really so much risk potential that can't be mitigated by supervision and policy? We can prevent MDM profile removal and can limit application installs. I suppose malware execution is a thing, but if there's AV and endpoint protection in place, upstream security at the network, etc... I'm just wondering. We really piss off a lot of staff who were used to admin before we started managing devices. We never got calls on them, ever. Now we manage and can't match the experience they had previously, are spending a TON of time trying to do so, and often failing, which kills morale for the team and damages the rep between us and the business unit.

Admin on a supervised and managed Mac in an enterprise infrastructure isn't that big a deal. Change my mind. : )
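The preconditions the post lists for MDM-driven work in standard-user sessions (every local account holding a secure token, the bootstrap token escrowed to the MDM) can be audited on the device, together with who is actually in the local admin group. The script below is an added example, not code from this thread or from any MDM vendor. It assumes the output formats that `profiles status -type bootstraptoken`, `sysadminctl -secureTokenStatus` and `dscl . -read /Groups/admin GroupMembership` print on current macOS releases; the sample output embedded in it is constructed, not captured from a real Mac, so the parsing can be exercised on any host.

```shell
#!/bin/sh
# Added example, not from the thread. Audits the preconditions the post above
# relies on for MDM-driven tasks in standard-user sessions, and lists the local
# admins so the admin-vs-standard decision is at least visible:
#   1. the bootstrap token is escrowed to the MDM,
#   2. every local user (UID >= 500) holds a secure token,
#   3. who is in the local admin group.
# Parsing is separated from command execution so the parsers can be run offline
# against the constructed sample output at the bottom.

# 0 if `profiles status -type bootstraptoken` output reports escrowed: YES.
bootstrap_escrowed() {
    printf '%s\n' "$1" | grep -q 'Bootstrap Token escrowed to server: YES'
}

# Prints local admin group members from `dscl . -read /Groups/admin
# GroupMembership` output, one per line, minus root (which is always listed).
admin_members() {
    printf '%s\n' "$1" | sed -n 's/^GroupMembership: //p' | tr ' ' '\n' | grep -v '^root$' || true
}

# $1 bootstrap output, $2 dscl admin-group output, $3 sysadminctl lines (one per
# user). Prints findings; returns the number of problems (0 = preconditions met).
audit_device() {
    problems=0
    if bootstrap_escrowed "$1"; then
        echo "bootstrap token: escrowed to MDM"
    else
        echo "PROBLEM: bootstrap token is not escrowed to the MDM"
        problems=$((problems + 1))
    fi

    # Collect the user names from every sysadminctl line that says DISABLED.
    no_token=$(printf '%s\n' "$3" | grep 'Secure token is DISABLED' | sed 's/.*for user //')
    if [ -n "$no_token" ]; then
        echo "PROBLEM: users without a secure token: $(printf '%s' "$no_token" | tr '\n' ' ')"
        problems=$((problems + 1))
    else
        echo "secure tokens: every listed user has one"
    fi

    echo "local admins: $(admin_members "$2" | tr '\n' ' ')"
    return "$problems"
}

# Constructed sample output (not captured from a real Mac), in the shape the
# macOS tools print, so the audit runs anywhere.
SAMPLE_BOOTSTRAP_OK='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES'
SAMPLE_BOOTSTRAP_BAD='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: NO'
SAMPLE_DSCL='GroupMembership: root alice'
SAMPLE_TOKENS='2024-03-01 09:00:00.000 sysadminctl[512:9001] Secure token is ENABLED for user alice
2024-03-01 09:00:00.000 sysadminctl[513:9002] Secure token is DISABLED for user bob'

# `sudo sh audit.sh --live` on a Mac runs the real commands (sysadminctl prints
# to stderr, hence 2>&1); anything else audits the sample data.
if [ "${1:-}" = "--live" ] && [ "$(uname)" = Darwin ] && [ "$(id -u)" -eq 0 ]; then
    live_bootstrap=$(profiles status -type bootstraptoken 2>&1)
    live_dscl=$(dscl . -read /Groups/admin GroupMembership)
    live_tokens=''
    for u in $(dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }'); do
        live_tokens="$live_tokens$(sysadminctl -secureTokenStatus "$u" 2>&1)
"
    done
    audit_device "$live_bootstrap" "$live_dscl" "$live_tokens" || echo "audit: $? problem(s) found"
else
    audit_device "$SAMPLE_BOOTSTRAP_OK" "$SAMPLE_DSCL" "$SAMPLE_TOKENS" || echo "audit: $? problem(s) found"
fi
```

The script only reports; it does not grant anything. A user flagged without a secure token still needs an existing token holder's credentials to get one (for example via `sysadminctl -secureTokenOn`), which is exactly the dependency on an admin token holder that the post describes.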


dvasquez
Valued Contributor

@MasterNovice I agree with you. We allow admin and all of our devices are supervised. We allow Apple IDs on macOS and, with the management, we can wipe them when and if we want. Allowing the end user to be admin has smoothed over our support tickets and workflows for sure. If they happen to break something, we have Apple enterprise support and ADE. Support ensures a backup to OneDrive, then we remote wipe, then the laptops build... I will wash my hands of them. I am not going to change your mind; we do it and are working just fine. FYI, I also like your handle; MasterNovice is a great name. There are all kinds of other things we also do for security: Defender, Tanium, Proofpoint, etc.

Have a good one.

scottb
Honored Contributor

Going through this discussion right now. Like @dvasquez, I won't try to change your mind; in fact, I'm looking for info that would also get me to change my mind and I have not found it yet :)

I'm wondering if someone has a doc somewhere comparing the two, admin vs. standard users? I need to compile the scenarios that this is affecting with users vs. IT.