One of the great features of Jamf Connect is the ability to make a user account on demand simply by logging into the Mac. Jamf Connect will read an attribute from our identity provider (IdP) to determine if a user should be an Administrator or get standard rights.

For our security-conscious Mac Admins out there in the world (which should be all of you, I hope), this means that we can completely eliminate the “one ring to rule them all” type of admin account deployed to the fleet, usually stuck with some “secret” password that everyone in the company ends up knowing eventually.

Now, this is great, but then we run into trouble: we have a user account on a machine that we only needed for five minutes to fix a one-off type of problem, and in two years, when we go back to that machine to fix another random one-off problem, we have a user account whose local password the admin has no idea of. That is one splinter of this larger problem for IT.

What the workflow does:

An administrator makes a just-in-time account with the Jamf Connect login mechanism. Could be a one-off fix, could be resetting a forgotten local password. Whatever it is, the admin work is done, and now it’s time to clean up after ourselves as a good admin should.

- The administrator opens Jamf Self Service and runs a Policy. This runs a script that looks for any account created by Jamf Connect in the last 60 minutes (which can be customized) and drops a touch file into a hidden directory, like /Library/Application Support/JAMF/Receipts. Note: the target directory can be changed to another location, such as /private/tmp, or any other you wish to use, so long as it contains the list of local short names that need to be deleted. For the purposes of this blog, we’ll refer to this as the “Deadpool” list. The script then runs a jamf recon command to update the computer inventory record.
- An Extension Attribute (EA) is leveraged that looks for the existence of the file created above on scoped devices.
- A Smart Computer Group is created which utilizes the results of the EA above to dynamically gather all the computers with this Deadpool file stored.
- The Policy is set to run with an Execution Frequency of “Ongoing”, a trigger of “Recurring Check-in”, and scoped to the Smart Computer Group above.
- The script executed by the policy above looks for the Deadpool list, runs a jamf deleteAccount command for every user in the list, moves the Deadpool list out to a separate file to make sure the script ran, and finally runs another jamf recon command to clear the extension attribute, removing the computer from the scope of the policy in one fell swoop.

Known gotchas - only standard users on the client:

When Apple introduced macOS Big Sur, they changed how FileVault SecureTokens can be distributed to users. Big Sur was the first OS that permitted a standard user account to be created as the first user, and that user would receive a SecureToken to decrypt the machine without the additional burden of binding the Mac to a directory service like Open Directory or Active Directory.

Again, being a security-conscious IT professional, you probably want to follow the CIS guidelines and limit access to administrator rights to only when they’re explicitly needed. Chances are pretty good the first user account created is a standard account if you used Jamf Connect or an Automated Device Enrollment Prestage Configuration Profile. Following this process, the safest admin account on a device is the one that doesn’t exist until you need it, savvy?

As of macOS Monterey 12.1, macOS blocks you from deleting an administrator account with a SecureToken if it’s the only admin account with a SecureToken on that device. Even though the MDM can hand out SecureTokens to newly created user accounts thanks to the wonders of the bootstrap token, macOS is going back to its pre-Catalina days of “protecting you from yourself” and preventing the admin account from deletion.

Aka “The Workaround”: just about any tool that elevates a standard user to an admin user, even just for a short period of time, will resolve this problem. That’s right! And this lovely feature is built into our deletion script (found below).
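The Deadpool stage of the workflow described above, written out as an added example. This is not the post's own deletion script (which is not reproduced on this page) but a stand-in that walks the same steps: the EA check, reading the list, one jamf deleteAccount per user, parking the list as evidence the run happened, and a closing jamf recon. It also adds a pre-flight check for the Monterey 12.1 gotcha: instead of elevating an account the way the post's workaround does, it refuses to delete the last SecureToken-holding admin and writes that name to a held file for review. The list file name, the environment-variable knobs, the .held and .processed file names and DRY_RUN are assumptions of this example; jamf deleteAccount -username, jamf recon, dscl . -read /Groups/admin GroupMembership and sysadminctl -secureTokenStatus are the standard Jamf and macOS commands.

```shell
#!/bin/bash
# Added example, not the blog post's own deletion script: the "Deadpool"
# stage of the workflow (EA check, list parsing, per-user jamf deleteAccount,
# parking the list, jamf recon) plus a pre-flight check for the macOS 12.1
# SecureToken gotcha. Assumed, not from the post: the list file name, the
# environment-variable knobs, the .held/.processed names, and DRY_RUN=1,
# which prints the jamf commands instead of running them.

DEADPOOL="${DEADPOOL:-/Library/Application Support/JAMF/Receipts/deadpool.txt}"
JAMF_BIN="${JAMF_BIN:-/usr/local/bin/jamf}"
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Extension Attribute body: Jamf Pro reads the <result> tag, and the Smart
# Computer Group criterion "equals Yes" pulls this Mac into the policy scope.
deadpool_ea() {
    if [ -s "$DEADPOOL" ]; then printf '<result>Yes</result>\n'
    else printf '<result>No</result>\n'; fi
}

# Read the list: one local short name per line. Blanks and '#' comments are
# skipped, and anything that is not a plausible short name is refused, so a
# stray line can never turn into a deleteAccount call.
read_deadpool() {
    [ -r "$DEADPOOL" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
            *[!A-Za-z0-9._-]*) printf 'skipping invalid entry: %s\n' "$line" >&2; continue ;;
        esac
        printf '%s\n' "$line"
    done < "$DEADPOOL"
}

# Hooks around the real macOS tools; redefine them to exercise the logic off-Mac.
list_admins() {   # admin group members, space-separated
    dscl . -read /Groups/admin GroupMembership | sed 's/^GroupMembership: //'
}
has_secure_token() {   # exit 0 when $1 holds a SecureToken
    sysadminctl -secureTokenStatus "$1" 2>&1 | grep -q 'is ENABLED'
}

# The gotcha: since macOS 12.1 the OS refuses to delete the only admin that
# holds a SecureToken. True when deleting $1 would leave no such admin behind.
is_last_token_admin() {
    local u target_is_admin=0 others=0
    for u in $(list_admins); do
        if [ "$u" = "$1" ]; then target_is_admin=1; continue; fi
        has_secure_token "$u" && others=$((others + 1))
    done
    [ "$target_is_admin" -eq 1 ] && [ "$others" -eq 0 ] && has_secure_token "$1"
}

# Delete every listed account, park the list as evidence that the run
# happened, then recon so the EA clears and the Mac leaves the Smart Group.
# Names the pre-flight check refuses are written to a .held file for review.
purge_deadpool() {
    local user
    [ -s "$DEADPOOL" ] || { echo "no Deadpool list found" >&2; return 0; }
    read_deadpool | while IFS= read -r user; do
        if is_last_token_admin "$user"; then
            printf 'refusing %s: last SecureToken admin on this Mac\n' "$user" >&2
            printf '%s\n' "$user" >> "${DEADPOOL}.held"
            continue
        fi
        run "$JAMF_BIN" deleteAccount -username "$user"
    done
    mv "$DEADPOOL" "${DEADPOOL}.processed.$(date +%Y%m%d%H%M%S)"
    run "$JAMF_BIN" recon
}

# Usage: deadpool.sh ea  (as the EA body)  |  deadpool.sh purge  (as the policy script)
case "${1:-}" in
    ea) deadpool_ea ;;
    purge) purge_deadpool ;;
esac
```

Run it as `DRY_RUN=1 ./deadpool.sh purge` on a Mac with a populated list to see exactly which jamf commands the policy would execute before you let it loose; the Smart Computer Group criterion is simply the EA's value equal to Yes. Because the two macOS calls sit behind `list_admins` and `has_secure_token`, the pre-flight logic can be exercised on any machine by redefining those two functions with constructed admin and token data.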