One account to p0wn them all: How to move away from a shared admin account

There are multiple reasons why you want to add a local admin account onto a managed Mac, such as for a password reset or for forensic backups. Or maybe you are running a legacy workflow in Jamf Pro that is automatically creating an account on older operating systems. Instead, the Mac admin account can use a FileVault personal recovery key, which is powerful enough to reset a password, boot to recovery or authenticate to boot with Apple silicon, which keeps your devices secure. Buffington and Rabbitt walk us through three workflows that best manage the creation and use of administrator accounts on managed Macs.

Workflow #1: How to randomize the password of a Managed Admin user created in a Jamf PreStage

The first workflow helps create a random password for an admin account, rather than a manual one known by IT. This workflow requires an additional admin created during setup assistant, a Jamf Management Account configured with the same credentials and an Extension Attribute to determine whether a Bootstrap Token is escrowed. The workflow has the following steps:

1. Select “Create a local administrator account before the setup assistant” in the Jamf Pro PreStage
2. Configure Jamf Pro User-Initiated Enrollment settings with the same username and password values defined
3. The Computer Extension Attribute and Smart Group determine whether a Bootstrap Token has been escrowed
4. Implement a policy to “Change Account Password” for the management account and scope it to Smart Group “Has Bootstrap Token escrowed”
5. The management account now adopts the account created in PreStage

Once Jamf Pro stores a randomized “Management Account” password, a policy can be deployed to set to a known password, then be randomized after use.

Workflow #2: How to create an admin account just-in-time in a MacOS client and then delete it after one-time use

This workflow creates just-in-time accounts for one-off administrator tasks, such as a password reset. It requires Jamf Connect, Jamf Pro, and Jamf Self Service. In this workflow, Jamf Connect creates an account based on identity management credentials; then a Smart Computer Group in Jamf Pro finds recently made accounts to delete on demand. This workflow has the following steps:

1. Admin creates a new account with Jamf Connect login
2. Admin does one-off tasks
   1. The account is granted a SecureToken via Bootstrap token in case of a reboot.
3. Admin runs policy in Self Service to clean account
4. A recurring check-in in Jamf Pro deletes the account after logout

Rabbitt shows a demonstration of this process and walks trough the script, which uses components from Jamf Connect and MacOS.

Workflow #3: How to remove the Jamf Management Account completely

If your Jamf Pro instance requires account creation in PreStage, this account can be removed with this workflow. Jamf Pro may create an unwanted admin account for legacy workflows that use Jamf Remote or macOS Catalina and earlier-- in these situations, the admin account is required. For other scenarios, there is a policy for this built into Jamf Pro called Remove jamfManagement Account. In case of failure to delete:

1. Check SecureToken status of account
2. Check if this is the only admin account with a token
3. Temporarily elevate a user to admin
4. Delete management account again
5. Revert temporarily elevated user back to standard