Jamf Nation Community

Temporary User Promotion sounds great, but from what I'm reading it looks to not be limited to a specific user+machine combination.  Is that correct? 

If so, that sounds like a good thing for IT or Help Desk, but maybe not a full replacement for something like the Privileges app.  Still, a great first step in that direction.

@McAwesome Temporary User Privilege promotion can be filtered by two methods currently: Role Based Elevation and differential configuration distribution .. For Role Based configuration, the user, after authenticating in part of the flow is gated by matching the role of the user provided by the IDP with the approved roles in an array in the configuration. This also allows promotion duration to be varied by roles for the users.

If this flow isn't preferred one can target users by Jamf Pro Groups giving intended users a configuration with the feature turned on, while providing non-targeted users with the feature turned off.

Jamf Connect Configuration now provides a notification with information on new features

Is there a way to disable this? When managing hundreds / thousands of Macs, the last thing we want is users to be calling asking questions about a mostly hidden process that suddenly provides confusing technical information that doesn't apply to 99% of the user base.

@user-TykYEzpbkp That's referring to the Jamf Connect Configuration application, not Jamf Connect.  The end user won't be seeing it.

@McAwesome 

I am curious what is missing between this new feature and Privileges? I have looked at Privileges in the past, but never implemented. I am wondering what I am missing?

@Tribruin 

Admittedly, only just started playing with this feature.  That said, the main thing I see is having a streamlined way to approve elevated privileges for a user on only their machine.  You may trust Steve and Dave with admin rights on their computers, but you don't want Steve to have admin on Dave's machine.

With Privileges, you can limit it by putting the $USERNAME variable into the LimitToUser field in the config.  This ensures only the assigned user on the machine is allowed to elevate their user rights.  Steve can sign into Dave's machine, but he can't do admin tasks.

With this new route, it looks like you can do that....by creating and deploying a separate Azure role per user per machine.  It's possible, but cumbersome enough I know I wouldn't do it.  At that point, you'd have to choose whether to give an individual user admin access to all machines with Jamf Connect's Privilege Elevation enabled or just not use it at all.

I should note that I am really liking this addition, and the easy to understand UI associated with it.  It's like 90% of where I want it to be, which for a first release is fantastic.

Looks really good. Thanks very much for this additional feature in Jamf Connect.

However, to make it a realistic option for us to migrate from Privileges:

1. Like @McAwesome mentioned, we'd need a LimitToUser field to use a Jamf Pro variable.
2. To be Cyber Essentials compliant I believe any use of admin right needs to be restricted to a temporary secondary account now. Elevating privileges of the primary account won't pass.

Are either of these planned for a future update?

has anyone here tried getting notifications sent to a Teams channel or Slack when people request to elevate privileges via Jamf connect? Looking to see if anyone can help me here: https://community.jamf.com/t5/jamf-nation/jamf-connect-admin-and-teams-channel-notifications/m-p/312...