Disclaimer: This blog is not intended to be advice on how to manage your environment. As the name suggests, these accounts are based on experiences I've had in my own lab. Always approach information you find outside (or inside, for that matter) official documentation with skepticism and follow the golden rule: Never test in production.

Since starting this blog last year, my most popular post by far has been Using Intune to Create and Demote Local Admins on MacOS. To my dismay, despite copious warnings not to put such an experiment into production, I regularly receive emails thanking me for the solution because Microsoft simply refuses to offer one, and, to be clear, for good reason.

Wait! Before you roll your eyes and unfollow me on Twitter, just hear me out.

Historically, unmanaged identities, especially ones with a shared password, were often a necessary evil: without tools like LAPS and an omnipresent IdP, admins had no other way to elevate and resolve issues like local account permissions and broken domain trust relationships. The hard-to-swallow truth is that with cloud IdP solutions like Azure AD and Okta having a nearly ubiquitous presence in our post-lockdown global economy, these archaic workarounds simply have no justification in modern management. In Azure, Azure AD joined Windows devices (excluding hybrid Azure AD join) will accept any identity as a local administrator simply by adding it to the Azure AD Joined Device Local Administrator role (formerly Device Administrators).

But what about macOS? At the time of this post, Microsoft simply expects Mac users to be admins on their own devices and sidesteps the issue entirely. Admin rights are not a requirement, and Intune will happily manage the device regardless of the logged-in user's privileges, but how can we find the middle ground between a restrictive account posture and administrative accessibility like we can on Windows? With Jamf, of course!

Jamf Pro's documentation describes the management account this way:

When you enroll computers, you must specify a local administrator account called the "management account". This is required for computers to be considered managed by Jamf Pro. However, choosing to create the management account on computers is optional and is only required for some workflows. The management account only needs to be created if you want to perform the following tasks on the computer:

- Authentication to initiate an SSH session using Jamf Remote for the computer to check in to Jamf Pro to run policies
- Enrolling computers with macOS 10.15.7 or earlier using Recon, including creating a QuickAdd.pkg for Jamf binary enrollments

Using a policy to administer the management account allows you to do the following:

- Enable FileVault using a policy (when SecureToken is enabled on the management account)
- Add or remove users from FileVault using a policy (when SecureToken is enabled on the management account)
- Perform authenticated restarts using a policy (when SecureToken is enabled on the management account)
- Generate a personal recovery key using a policy (when SecureToken is enabled on the management account)

To enable the management account, you must enable user-initiated enrollment, and then configure the management account username and password. It is recommended that you choose the Randomly generate passwords option for maximum security. You can see if a computer is managed by the management account by viewing the Managed attribute field in the computer inventory information.
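Every FileVault, authenticated-restart and recovery-key policy listed above hinges on one thing Jamf Pro cannot see for you from the inventory record alone: that the management account actually exists on the Mac, is a local admin, and holds a SecureToken. The script below is an added example written for this post, not code from the original post or from Jamf. It parses the output of the two macOS commands a practitioner would check by hand (`dscl . -read /Groups/admin GroupMembership` and `sysadminctl -secureTokenStatus <user>`) and turns them into a verdict. The account name `jamfadmin`, the variable `AUDIT_LIVE` and the sample command output used for the offline run are assumptions; substitute your own management account name.

```shell
#!/bin/bash
# Added example: audit a Jamf Pro management account on a Mac.
# "jamfadmin" is an assumed account name; pass yours as the first argument.
MGMT_ACCOUNT="${1:-jamfadmin}"

# Parse the output of `dscl . -read /Groups/admin GroupMembership`, e.g.
#   GroupMembership: root localadmin jamfadmin
# Returns 0 when $2 is listed, 1 otherwise.
is_local_admin() {
    membership="$1"; user="$2"
    for member in ${membership#GroupMembership:}; do
        [ "$member" = "$user" ] && return 0
    done
    return 1
}

# Parse the output of `sysadminctl -secureTokenStatus <user>` (it writes to
# stderr, so callers capture it with 2>&1), e.g.
#   sysadminctl[412:3321] Secure token is ENABLED for user jamfadmin
# Prints ENABLED, DISABLED or UNKNOWN (unexpected output is never treated as enabled).
secure_token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Combine both checks: OK, NOT_ADMIN, or NO_SECURETOKEN.
# Admin membership is checked first because FileVault/SecureToken policies are
# only meaningful for an account that can administer the machine at all.
audit_verdict() {
    membership="$1"; token_output="$2"; user="$3"
    if ! is_local_admin "$membership" "$user"; then
        echo NOT_ADMIN
        return
    fi
    if [ "$(secure_token_state "$token_output")" = "ENABLED" ]; then
        echo OK
    else
        echo NO_SECURETOKEN
    fi
}

# Live run against the local Mac. Only executes when AUDIT_LIVE=1 is set,
# so the parsing functions above can also be exercised offline with sample output.
run_live() {
    if [ "$(uname)" != "Darwin" ]; then
        echo "run_live needs macOS (dscl/sysadminctl)"; return 2
    fi
    if ! dscl . -read "/Users/$MGMT_ACCOUNT" RecordName >/dev/null 2>&1; then
        echo "$MGMT_ACCOUNT: MISSING (no local user record)"; return 2
    fi
    membership="$(dscl . -read /Groups/admin GroupMembership 2>/dev/null)"
    token_output="$(sysadminctl -secureTokenStatus "$MGMT_ACCOUNT" 2>&1)"
    echo "$MGMT_ACCOUNT: $(audit_verdict "$membership" "$token_output" "$MGMT_ACCOUNT")"
}

if [ "${AUDIT_LIVE:-0}" = "1" ]; then
    run_live
fi
```

Run it as `AUDIT_LIVE=1 ./audit_mgmt_account.sh jamfadmin` on the Mac itself; a `NO_SECURETOKEN` verdict is the case to look for, since the account will still show up as a local admin and Jamf will still report the computer as Managed, yet the SecureToken-dependent policies above will fail.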