Yes, the account must exist if you plan to still have the Macs manageable. Even though that option lets you set a new management account, it's not going to create it on them. The management account, whether hidden or not, is used by Casper Suite to elevate its privileges to root when running certain operations so it can do what it needs to do, like install software, change settings, etc.

There are a few ways you can address this. You could run a policy on your Macs to re-enroll them with a new QuickAdd.pkg that uses an existing account if present, or creates it if it's not there, and uses that as the management account. Or, you could use a policy to create a new account under the Accounts tab. Only problem is I don't think that lets you make a hidden account. Might be better to script it from the get-go if you go that route. This would only make the account but not necessarily switch the Mac to use that as its management account.

If you're not opposed to simply pushing out a new QuickAdd in a run-once policy to all machines, that might be the easiest way. It's slightly overkill since some of them may already be using that account anyway. As such, I suggest first creating the Extension Attribute and letting your Macs submit new inventory. Then you can have a better feel for which ones are actually using the correct account as opposed to an old one and take more selective action.

You can create the account and allow it to be hidden by using the jamf binary. Running jamf -help createAccount in terminal will bring up the following information for you.

Usage: jamf createAccount -username -realname

-passhash: The hashed password of the user
-home: The location of the user's home directory
-picture: The user's picture for the Login window
-admin: This flag adds the user to the admin group.
-hiddenUser: Creates an account with a UID under 500 and hides it
-networkUser: Creates an account with a UID over 1025
-secureSSH: Modifies the /etc/sshd_config file to lock out all other users. In Mac OS X 10.5 and later, the group _access is modified instead of sshd_config.

Disclaimer: This blog is not intended to be advice on how to manage your environment. As the name suggests, these accounts are based on experiences I've had in my own lab. Always approach information you find outside (or inside, for that matter) official documentation with skepticism and follow the golden rule: never test in production.

Since starting this blog last year, my most popular post by far has been Using Intune to Create and Demote Local Admins on MacOS. To my dismay, despite copious warnings not to put such an experiment into production, I regularly receive emails thanking me for such a solution because Microsoft simply refuses to offer one and – to be clear – for good reason. Historically, unmanaged identities – especially with a shared password – were often a necessary evil without tools like LAPS and an omnipresent IdP to allow admins to elevate and resolve issues like local account permissions and domain trust relationships. The hard-to-swallow truth is that with cloud IdP solutions like Azure and Okta having a nearly ubiquitous presence in our post-lockdown global economy, these archaic workarounds simply have no justification in modern management. In Azure, Azure AD joined Windows devices (excluding hybrid AD join) will accept any identity as a local administrator simply by adding them to the Local Administrator role. But what about MacOS? At the time of this post, Microsoft simply expects Mac users to be admins on their own devices and sidesteps the issue entirely. It's not a requirement, and Intune will happily manage the device regardless of the logged-in user's privileges, but how can we find the middle ground between a restrictive account posture and administrative accessibility like we can on Windows? With Jamf, of course! Wait! Before you roll your eyes and unfollow me on Twitter, just hear me out. I know more than anyone how cliché it is to answer every MacOS MDM question with "just use Jamf Pro", so I won't even mention it beyond this point (though the process is nearly identical for both platforms). As the title suggests, this time I'm talking about Jamf Connect. If you're unfamiliar, Jamf Connect is the branded proprietary successor to the open-source project known as NoMAD, which offers to synchronize your local password with your cloud IdP credentials.
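The thread above recommends an Extension Attribute so each Mac reports whether it is actually using the intended management account, and the jamf createAccount help lists what makes such an account hidden (UID under 500) or administrative (admin group). The script below is an added example, not code from the thread, the blog or Jamf: a Jamf Pro Extension Attribute that reports those properties for the management account. The account name jamfmgmt is an assumption (override it with MGMT_USER), and the parsing is split into functions that take the dscl output text as arguments so the logic can be exercised on constructed sample output without a Mac.

```shell
#!/bin/sh
# Added example, not code from the thread, the blog or Jamf: a Jamf Pro Extension
# Attribute that reports whether the intended management account exists, is hidden
# (UID under 500, as the createAccount help describes -hiddenUser) and is a member
# of the admin group (-admin). The account name "jamfmgmt" is an assumption; override
# with MGMT_USER when installing the EA. The account itself would be created with the
# binary along the lines of (assumed real name):
#   sudo jamf createAccount -username jamfmgmt -realname "Jamf Management" -admin -hiddenUser
# plus the password options from the full help output, which are not reproduced here.
MGMT_USER="${MGMT_USER:-jamfmgmt}"

# Extract the numeric UID from the text of `dscl . -read /Users/<name> UniqueID`
# ("UniqueID: 499"). Takes the text as $1 so it can be tested on constructed output;
# prints nothing when the account (and therefore the attribute) is absent.
uid_from_dscl() {
    printf '%s\n' "$1" | awk '/^UniqueID:/ { print $2; exit }'
}

# Decide whether the user appears in the text of `dscl . -read /Groups/admin
# GroupMembership` ("GroupMembership: root admin jamfmgmt"). Whole-word match, so
# "jamfmgmt2" in the group does not count as "jamfmgmt".
is_admin_member() {
    case " ${1#GroupMembership:} " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Build the EA value from the UID (empty if the account is absent), the admin group
# text and the account name. Result is "missing" or
# "present <hidden|visible> <admin|standard> uid=<n>".
classify_account() {
    uid="$1"; admin_text="$2"; user="$3"
    if [ -z "$uid" ]; then
        echo "missing"
        return 0
    fi
    if [ "$uid" -lt 500 ]; then hidden="hidden"; else hidden="visible"; fi
    if is_admin_member "$admin_text" "$user"; then role="admin"; else role="standard"; fi
    echo "present ${hidden} ${role} uid=${uid}"
}

# On a Mac, query the local directory and emit the Jamf EA result. dscl does not
# exist on other systems, so the functions above can still be exercised there.
if command -v dscl >/dev/null 2>&1; then
    uid_text=$(dscl . -read "/Users/${MGMT_USER}" UniqueID 2>/dev/null || true)
    admin_text=$(dscl . -read /Groups/admin GroupMembership 2>/dev/null || true)
    echo "<result>$(classify_account "$(uid_from_dscl "$uid_text")" "$admin_text" "$MGMT_USER")</result>"
fi
```

Once the EA has populated, a smart group on the "missing" or "visible" values gives you the selective scope the thread suggests, instead of pushing a new QuickAdd to every machine.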