Help

A World without Local Admin Accounts

peterlbk
Contributor
‎09-28-2022 06:15 AM

Safe and secure Mac management worldwide

The world has changed during COVID times. Nearly all of us work at remote locations for multiple days a week. Our devices travel along and pop up at any location anywhere on earth. And also, because of the general availability of the internet, this behavior is now generally accepted.

As Apple admins, we must think about managing Macs and rethink which switches to flip. We have already covered a lot of security policies: our devices are registered in Apple Business Manager, they are managed in a device management server, we implemented security policies based on CIS benchmarks, and we enforce FileVault encryption — just to name a few steps we already have taken to increase the level of management and security. Apple admins need to keep all devices as secure as possible, so next, we decided to rethink those local admin accounts.

No account, no risk

These are accounts on the Macs with a — hopefully — secure password and administrative access onto the device. You may already feel where this is going: “Why would we ever require the need of a generic local admin account which is identical among all devices?” The answer to that question is: that is clearly not a good idea.

Some solutions include tools that generate ‘passwords of the day’. We claim that passwords that are generated by static rules are also static. And once those rules are known, one can reuse those passwords. Even the German Enigma machine was cracked. Hackers just love users with a false sense of working securely. Hence the idea of a device without a local administrator. No lock on the door to crack means no access. There isn’t even a door, no available account.

CalleyO_1-1663987203088.png

 

Access and support

So how can we provide a setup without a local admin? At DPG Media, we manage our Macs with JAMF Pro, and we use JAMF Connect to enforce password complexity for the user account. The combination of Macs with these tools allows us to manage the devices easily. The real question is how to support users and the service desk.

We have a policy set up in Self Service which grants administrative access to the local user until the next check-in of the device to the JAMF instance. So the people from our service desk can grant temporary admin access to those users. This allows the service desk colleagues to help users with tasks requiring elevated rights.

Simple gains

Having only one user logged on to the device also solves other issues, like the first user logging on to a Mac is MDM enabled — allowing an MDM solution like JAMF Pro to manage certain user-specific management settings. If that first created user is the local admin, then that account will be MDM enabled. Which will not allow the users to have their device managed as required. Another issue solved is the secure token which would be granted to the local admin account and not the user (the implementation of encryption keys, when they’re generated, and how they’re stored on a Mac are all part of a feature known as secure token)

Anyway, without going too much into technicality, at DPG Media, we deploy our Macs without any local admin account provided since 2020. All users can travel to any location and work with their Macs like before. Rethinking the way we deploy Macs has changed policies not just because the world has changed. Our goal has always been to manage Macs as securely as possible while still allowing them to be as easy to use as Apple designed them.

3 Comments
jamf-experian
New Contributor II
‎09-30-2022 03:59 PM
‎09-30-2022 03:59 PM

Can you share the SS policy please, I'd like to test this workflow.

Thank you.

matthewtanner
New Contributor
‎10-09-2022 11:23 AM
‎10-09-2022 11:23 AM

Personally I have been debating admin vs user for several years, with Windows, and Mac. In todays modern mobile work environment it becoming challenging. Like you said with the Mac there are some huge advantages if you're able to deploy it as a true MDM device and no local admin account. 

rastogisagar123
Contributor II
‎10-14-2022 08:07 PM
‎10-14-2022 08:07 PM

Awesome!!

About the Author
I'm a technology evangelist with strong skills centred around Microsoft products and a passionate geek with big ideas to sell. Like many other people you know or have spoken to, I started out supporting users and answering telephones, I learnt a great deal, a little about technology (that people didn't like) but a lot about people - what makes them tick! These days much of my time is spent exploring ways of delighting users, going that extra mile to negate them needing to pick up the phone. Implementing technology that works with people is my love "Hey Mike, that device you gave me - it's changed my life!" that's what brings me smiles. Over the past few years I've spent pondering the work of IT and the shift to cloud, would I lose my job and need to do something more honest with my life? The answer of course was a resounding "nope!", cloud computing has reinvigorated a grey monosyllabic word in to a vibrant oil painting! No longer do we have to continue to follow processes written in hieroglyphics and continue to tread the same path of the last 15-20 years - we have options, lots and lots of options. So, from me you'd get a dynamic modern view of the world, I'd want to offer fresh ideas, challenge the traditions and bring about positive change that will delight your end users and save your business money along the way! Specialties: Microsoft Cloud, Office 365 , Enterprise Mobility Suite, MDM (InTune, Airwatch), BYOD,Windows 7, JAMF Cloud,Service Management..