Management account after enrollment?

ganidran
New Contributor III

Is there a way to either create or assign an admin account as the "management account" after enrollment? We were told by Jamf to turn off that feature in the user-initiated enrollment settings due to the recent issues that setting presents when enrolling (PI113195 - Account Creation is skipped if a management account is enabled under UIE on Mac OS Sonoma).

Obviously this isn't ideal, but since we've had to turn it off, I'm wondering if we can create an admin policy on newly enrolled machines and somehow make that the management account? Hoping that can be done. Creating the account is easy, but I'm unsure whether it can be tied in as the management account ¯\_(ツ)_/¯

talkingmoose
Moderator

Is this so you can use it as a shared IT admin account? If so, use a policy to create that account instead.

The Jamf Pro management account is currently getting integrated into Jamf Pro LAPS workflows and soon you’ll have less use for it as a shared account.

A_Collins
New Contributor III

If I have not misunderstood, what you are asking is quite simple. Do it via policy using the Local Accounts payload, as talkingmoose said, and set enrollment as the trigger.

ganidran
New Contributor III

Is it truly that simple? That's great! Yes, it'd be a shared account for the support team. Is it better to have a script run to create the account or use the local accounts payload? 🤔

Just the Local Accounts payload should do well. It can create an admin account. You can optionally locate the home directory in the hidden /private folder (see the example above the field).

Depending on your needs for security, my recommendation would be to not create a shared IT admin account at all. It becomes a single vulnerability across all your computers. And enabling a shared IT admin account for FileVault makes that even worse.

Take a little time to plan your support workflows. When it’s generally available, use Jamf Pro’s LAPS account feature as your shared IT admin account. You can audit just who is using it. And escrow the FileVault Personal Recovery Key in Jamf Pro if you need access to unlock the disk. From an account perspective, you’ll have the most secure posture possible this way.

I’m not privy to our plans for our LAPS work, but I would hope it’ll be done by end of this year given the pace of its development.
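The warning above about a shared IT admin account being a single vulnerability across every Mac suggests at least auditing which local accounts actually hold admin rights. The script below is an added example, not code from this thread or from Jamf: a Jamf Pro extension attribute that reads the `admin` group membership with `dscl` and reports any member outside an allow-list. The allow-list `EXPECTED_ADMINS` and the fallback sample membership line (used when `dscl` is unavailable, e.g. off-Mac) are assumptions you would adjust for your own fleet.

```shell
#!/bin/bash
# Added example (not from the thread): Jamf Pro extension attribute that reports
# local accounts with admin rights beyond an expected allow-list, so a shared IT
# admin account created by policy (or left behind) is visible in inventory.

# Accounts expected to hold admin rights (assumption: adjust for your environment).
EXPECTED_ADMINS="root"

# unexpected_admins "GroupMembership: a b c"
# Prints the members of the admin group that are not in EXPECTED_ADMINS,
# space-separated, in the order dscl lists them.
unexpected_admins() {
    local line="$1" out="" member
    line="${line#GroupMembership: }"
    for member in $line; do
        case " $EXPECTED_ADMINS " in
            *" $member "*) ;;                       # expected admin, skip it
            *) out="${out:+$out }$member" ;;        # not in the allow-list, report it
        esac
    done
    printf '%s' "$out"
}

# Returns the raw GroupMembership line for the local admin group.
# Falls back to a constructed sample line when dscl is not present.
read_admin_membership() {
    if command -v dscl >/dev/null 2>&1; then
        dscl . -read /Groups/admin GroupMembership 2>/dev/null
    else
        printf 'GroupMembership: root admin itsupport\n'   # constructed sample
    fi
}

main() {
    local extra
    extra=$(unexpected_admins "$(read_admin_membership)")
    # Extension attribute output format expected by Jamf Pro
    printf '<result>%s</result>\n' "${extra:-none}"
}

main "$@"
```

Scope the extension attribute to a smart group so any Mac reporting something other than `none` stands out, and compare the list against the accounts your LAPS rollout is meant to replace.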

Totally! When LAPS launched, it was tied to the management account and we enjoyed its security. That was another reason why I was asking if we can create an account separately and somehow tie that in as the management account, but it seems that can only happen with the UIE settings :/ - hoping to fully use LAPS from this point on. We don't want to go back to a single local admin user with the same password again 😅

tantonw
New Contributor

So going back to the original question and the problem with PI113195... if the workaround for PI113195 is to disable creation of the Jamf management account, and there's no way to create or assign the Jamf management account after enrollment is complete, then any workflows related to LAPS using the Jamf management account are permanently broken on any machines being deployed with that workaround in place. Correct?

markopolo
Contributor

Following up on the original question, what can I do to incorporate the new LAPS functionality (for both the Jamf framework and MDM, as we have both UIE- and ADE-enrolled machines in our environment)? Do I really have to re-enroll all my UIE machines because I had already turned off the management account for the Jamf framework? I had been waiting for LAPS in the GUI to roll it out, but now it seems I can't without some major work.