Jamf's documentation describes the management account like this:

> When you enroll computers, you must specify a local administrator account called the "management account". This is required for computers to be considered managed by Jamf Pro. However, choosing to create the management account on computers is optional and is only required for some workflows. The management account only needs to be created if you want to perform the following tasks on the computer:
>
> - Enrolling computers with macOS 10.15.7 or earlier using Recon, including creating a QuickAdd.pkg for Jamf binary enrollments
> - Authentication to initiate an SSH session using Jamf Remote for the computer to check in to Jamf Pro to run policies
>
> Using a policy to administer the management account allows you to do the following:
>
> - Enable FileVault using a policy (when SecureToken is enabled on the management account)
> - Add or remove users from FileVault using a policy (when SecureToken is enabled on the management account)
> - Generate a personal recovery key using a policy (when SecureToken is enabled on the management account)
> - Perform authenticated restarts using a policy (when SecureToken is enabled on the management account)
>
> To enable the management account, you must enable user-initiated enrollment, and then configure the management account username and password. It is recommended that you choose the Randomly generate passwords option for maximum security. You can see if a computer is managed by the management account by viewing the Managed attribute field in the computer inventory information.

During JNUC 2022 the GOATs, Mark Buffington and Sean Rabbitt, presented “One Account to P0wn Them All: How to Move Away from a Shared Admin Account”. One of the workflows they presented was to use the local admin account that is created during a PreStage enrollment as the local admin account for the times when you need one. You know, times like when you need to install software on a machine, or do some other admin task, but don’t have a user account that is an admin. There’s a better way to handle this with Jamf Connect and just-in-time provisioning of an admin account, but this workflow is for those that maybe are not using Jamf Connect, yet.

The workflow they outlined is to create the PreStage account and the Management Account that is used for User Initiated Enrollment (UIE) with the same password. Then, after the Bootstrap Token has been escrowed to Jamf Pro, you can use policies in Jamf Pro to randomize this account’s password. Randomizing the password prevents the same password from being on all of your devices. Then when you need to use that account for admin duties, you can use a Jamf Pro policy to change the password to a known password, do the needful, and then re-randomize the password.

So how do we turn this into a real-world workflow?

Note: This workflow is for devices that are enrolled via Automated Device Enrollment only. Can this workflow be adapted for UIE enrolled devices? Probably, but it would require creating our admin account along with escrowing the Bootstrap Token. If both of those can be accommodated, then it is possible this workflow could be adapted.

We’re going to build out a Self Service method for our field techs and help desk agents to be able to change the password for our hidden management/admin account to a known password (something we perhaps store in a password vault and rotate regularly).
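To make the "randomize, set to a known value, re-randomize" cycle concrete, here is a script a Jamf Pro policy could run on the device. It is an added example, not code from the original post, from the JNUC talk, or from Jamf. It assumes the target account name arrives as Jamf script parameter 4 and an optional known password as parameter 5 (an empty parameter 5 means "generate a random password"); Jamf itself fills $1 to $3 with the mount point, computer name and username. The reset and verification commands (`sysadminctl`, `dscl`) only exist on macOS, so the script only acts when run as root on macOS and otherwise just defines its functions.

```shell
#!/bin/sh
# Added example (not from the post or from Jamf): rotate a hidden local admin
# account's password from a Jamf Pro policy. Assumed Jamf parameters:
#   $4 = account name to rotate, $5 = known password (empty = random).

# Generate a random alphanumeric password of the requested length (default 24)
# from /dev/urandom. Alphanumeric only, so it survives any shell quoting.
generate_password() {
  length="${1:-24}"
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$length"
}

# Pick the password to apply: the known one if supplied (the Self Service
# "make it usable" step), otherwise a fresh random one (the randomize step).
# Prints "<mode> <password>" so the caller can log the mode, never the secret.
choose_password() {
  known="$1"
  if [ -n "$known" ]; then
    printf '%s %s\n' "known" "$known"
  else
    printf '%s %s\n' "random" "$(generate_password 24)"
  fi
}

# True if the local account exists in the directory service.
account_exists() {
  dscl . -read "/Users/$1" UniqueID >/dev/null 2>&1
}

# Reset the password, then prove the new credential authenticates.
# Caveat: resetting a SecureToken-enabled account as root without another
# SecureToken admin's credentials (-adminUser/-adminPassword) can leave its
# token out of sync with the new password; that is why the post ties the reset
# to a Jamf policy run after the Bootstrap Token has been escrowed.
reset_and_verify() {
  user="$1"
  newpw="$2"
  sysadminctl -resetPasswordFor "$user" -newPassword "$newpw" >/dev/null 2>&1 || return 1
  dscl . -authonly "$user" "$newpw" >/dev/null 2>&1
}

main() {
  target="${4:-}"
  known="${5:-}"
  [ -n "$target" ] || { echo "parameter 4 (account name) is required" >&2; return 1; }
  account_exists "$target" || { echo "account $target not found" >&2; return 1; }
  mode_and_pw=$(choose_password "$known")
  mode="${mode_and_pw%% *}"       # word before the first space
  newpw="${mode_and_pw#* }"       # everything after it (known pw may contain spaces)
  if reset_and_verify "$target" "$newpw"; then
    echo "password for $target set ($mode); verification succeeded"
  else
    echo "password reset for $target failed verification" >&2
    return 1
  fi
}

# Jamf Pro runs policy scripts as root on macOS; anywhere else, only define the
# functions so the file can be sourced and exercised safely.
if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
  main "$@"
fi
```

Two policies cover the cycle described above: one scoped to Self Service with parameter 5 set to the vaulted known password, and one (run on a schedule or as a follow-up) with parameter 5 left empty so the account is randomized again. The success message deliberately reports only the mode, so the policy log in Jamf Pro never contains the password itself.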