Jamf Nation Community

jleomcdo · 2 weeks ago

I would like to know if JAMF Pro supports "Privileged identity management (PIM)". After logging into the Jamf Admin website, we would like to require our IT users to PIM before doing certain actions. For example, before viewing a FileVault Recover Key.

I know that in Microsoft Azure console/webpage, our company requests us to PIM before doing "admin" task.

Ashok_A · 2 weeks ago

Yes, that's achievable!

First, you'll need to follow the standard Azure PIM Process to establish the Security Groups. Then, add that security group under Jamf Pro Settings > User Accounts and Groups > Add Directory Service Group. Adjust the set of privileges as desired for members eligible for assignment within the specific Azure Security Group.

jleomcdo · Tuesday

I now have a PIM group setup in Azure and allowed my account to "pim". I then added that group to the Jamf server as a Directory Service Group. I assigned that group only the rights needed to view the FileVault Recovery Keys.

The problem that I'm running into is that my account is a member of another group that has full rights to the jamf server. So, I'm still allow to see the key, even if i'm not "pim" (a member of the PIM Group).

Because, I'm testing on a Dev server, I changed the permissions of the other group(s) to include everything, except the "View Disk Encryption Recovery Key" permission. But now I can't view the FV key. Even after I PIM and have been added to the "PIM Group".

I'm thinking that because my account is a member of multiple groups, that my effective permissions are the "most restrictive" of them combination.

Thoughts?

Ashok_A · Tuesday

Yes, you are correct!

You might be part of another Azure Security group that has full access to the Jamf Pro Server. I recommend checking with a co-worker who is not administering Jamf Pro, or you can create a dummy Azure user (we usually have one for testing the onboarding workflow and other tests).

AJPinto · 2 weeks ago

Jamfs only access check is when logging in to the console. There is not a way to trigger a "secondary access check" when doing a specific task like viewing a recovery key. You either have access or you don't.

I would suggest having Admin Accounts that have their Passwords regularly rotated and vaulted and set them up with MFA. Then move any access you define as privileged to those admin accounts and leave nonprivileged access to standard accounts. i.e. each user would have two accounts, one standard and one admin (if they needed privileged access).