When you enroll computers, you must specify a local administrator account called the "management account". This is required for computers to be considered managed by Jamf Pro. However, choosing to create the management account on computers is optional and is only required for some workflows.

The management account only needs to be created if you want to perform the following tasks on the computer:

- Authentication to initiate an SSH session using Jamf Remote for the computer to check in to Jamf Pro to run policies
- Enrolling computers with macOS 10.15.7 or earlier using Recon, including creating a QuickAdd.pkg for Jamf binary enrollments

Using a policy to administer the management account allows you to do the following:

- Enable FileVault using a policy (when SecureToken is enabled on the management account)
- Add or remove users from FileVault using a policy (when SecureToken is enabled on the management account)
- Generate a personal recovery key using a policy (when SecureToken is enabled on the management account)
- Perform authenticated restarts using a policy (when SecureToken is enabled on the management account)

To enable the management account, you must enable user-initiated enrollment, and then configure the management account username and password. It is recommended that you choose the Randomly generate passwords option for maximum security. You can see if a computer is managed by the management account by viewing the Managed attribute field in the computer inventory information.

There are multiple reasons why you might want to add a local admin account to a managed Mac, such as for a password reset or for forensic backups. Or maybe you are running a legacy workflow in Jamf Pro that automatically creates an account on older operating systems. Instead, the Mac admin account can use a FileVault personal recovery key, which is powerful enough to reset a password, boot to recovery or authenticate to boot on Apple silicon, which keeps your devices secure.

Buffington and Rabbitt walk us through three workflows that best manage the creation and use of administrator accounts on managed Macs.

Workflow #1: How to randomize the password of a Managed Admin user created in a Jamf PreStage

The first workflow helps create a random password for an admin account, rather than a manual one known by IT. This workflow requires an additional admin created during Setup Assistant, a Jamf Management Account configured with the same credentials, and an Extension Attribute to determine whether a Bootstrap Token is escrowed.

1. Select "Create a local administrator account before the setup assistant" in the Jamf Pro PreStage.
2. Configure the Jamf Pro User-Initiated Enrollment settings with the same username and password values already defined.
3. The Computer Extension Attribute and Smart Group determine whether a Bootstrap Token has been escrowed.
4. Implement a policy to "Change Account Password" for the management account and scope it to the Smart Group "Has Bootstrap Token escrowed".

The management account now adopts the account created in the PreStage. Once Jamf Pro stores a randomized "Management Account" password, a policy can be deployed to set it to a known password and then randomize it again after use.

Workflow #2: How to create an admin account just-in-time in a macOS client and then delete it after one-time use

This workflow creates just-in-time accounts for one-off administrator tasks, such as a password reset.
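Workflow #1 hinges on the Computer Extension Attribute that reports whether the Bootstrap Token has been escrowed, since the "Change Account Password" policy is only safe to run once the Smart Group "Has Bootstrap Token escrowed" is populated. The script below is an added example of such an Extension Attribute, written here for this page rather than taken from the presenters or from Jamf. It assumes Jamf Pro runs the script as root and reads the value between the `<result>` tags, and it assumes the `profiles status -type bootstraptoken` command prints a line of the form `profiles: Bootstrap Token escrowed to server: YES` or `... NO`; the two sample outputs embedded in the script are constructed for offline testing, not captured from a device.

```shell
#!/bin/bash
# Added example: Jamf Pro Computer Extension Attribute that reports Bootstrap
# Token escrow status as Yes / No / Unknown, so a Smart Group can be built on
# the value "Yes". Not the presenters' or Jamf's own script.

# Turn the captured output of `profiles status -type bootstraptoken` into a
# single Smart-Group-friendly value. "Unknown" covers a failed or unexpected
# command result, so a broken query never reads as "escrowed".
parse_bootstrap_status() {
    case "$1" in
        *"Bootstrap Token escrowed to server: YES"*) echo "Yes" ;;
        *"Bootstrap Token escrowed to server: NO"*)  echo "No" ;;
        *) echo "Unknown" ;;
    esac
}

# Wrap a value in the <result> tags Jamf Pro expects from an Extension Attribute.
format_result() {
    echo "<result>$1</result>"
}

# Constructed sample outputs (assumed format, not captured from a real Mac).
SAMPLE_ESCROWED='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES'
SAMPLE_NOT_ESCROWED='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: NO'

# Query the live device. Only available on macOS; elsewhere the output is empty
# and the parser reports "Unknown".
query_bootstrap_status() {
    if [ "$(uname 2>/dev/null)" = "Darwin" ] && [ -x /usr/bin/profiles ]; then
        /usr/bin/profiles status -type bootstraptoken 2>&1
    else
        echo ""
    fi
}

# Offline demonstration over the constructed samples: prints "Yes No".
demo_samples() {
    echo "$(parse_bootstrap_status "$SAMPLE_ESCROWED") $(parse_bootstrap_status "$SAMPLE_NOT_ESCROWED")"
}

# What Jamf Pro actually runs: query the device and emit the tagged result.
format_result "$(parse_bootstrap_status "$(query_bootstrap_status)")"
```

Pair the Extension Attribute with a Smart Group whose criterion is this attribute "is" Yes; scoping the password-change policy to that group means the management account password is only rotated on Macs where a recovery path through the Bootstrap Token already exists.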