Admin Account Best Practices

lizmowens
New Contributor III

I need some advice from those who have had much more experience managing a 1:1 laptop program, specifically (for today at least) around managing admin accounts.

I have the primary Local Administrator acct that is tied to the JSS. It is also the account that I use for ARD (was the one I used long before we went 1:1, added JAMF...). Once we went 1:1, I wanted our teachers to use ARD for classroom monitoring, but I didn't want them to have access to other faculty/staff devices, so I created a second admin account, via JAMF, that I pushed out to student devices. Teachers can authenticate with that account using ARD.

So I have 2 admin accounts both visible and I'm wondering if I can/should hide them, especially the one that was just created for teacher access to ARD.

In your opinion, what are the best practices for admin accounts on student devices?

1 REPLY

jrepasky
New Contributor III

My understanding of best practices:
- Local admin account (501) used for things that others might end up leveraging (support techs, teachers, etc.). This is only necessary due to environment. If you can sort things out where no one would use a local admin because of self service, not having this account is more secure (but understandably somewhat less practical).
- Local admin (under 500) that is hidden and is specific to JAMF management. This password should be unknown to as many people as possible. It can even be randomized by JAMF Pro so you don't even know it. The only thing that needs to know it is the JAMF Pro system for management of the machine.
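
An added example, not part of the thread and not Jamf's own tooling: a shell audit that lists the direct members of a Mac's local `admin` group with their UID and `IsHidden` attribute, then sorts them into the two kinds of account the reply describes. The account names in the sample are constructed and the role labels are hypothetical; "hidden" here means only that `IsHidden` is set.

```shell
#!/bin/sh
# Added example: audit local admin accounts against the two-account layout
# described in the reply. Role labels below are hypothetical names.

# On a Mac: print "name uid ishidden" for each direct member of the admin group.
collect_macos() {
    for u in $(dscl . -read /Groups/admin GroupMembership | cut -d: -f2-); do
        uid=$(dscl . -read "/Users/$u" UniqueID 2>/dev/null | awk '/^UniqueID:/ {print $2}')
        hid=$(dscl . -read "/Users/$u" IsHidden 2>/dev/null | awk '/^IsHidden:/ {print $2}')
        if [ -n "$uid" ]; then echo "$u $uid ${hid:-0}"; fi
    done
}

# Constructed sample (not from a real device), used when dscl is unavailable.
sample_accounts() {
    printf '%s\n' 'root 0 0' 'ladmin 501 0' 'teacherard 502 0' 'jamfmgmt 499 1'
}

# Reads "name uid ishidden" lines, prints "name uid visible|hidden role".
classify_admins() {
    while read -r name uid hid; do
        if [ "$name" = root ]; then continue; fi
        case "$hid" in 1|YES|true) vis=hidden ;; *) vis=visible ;; esac
        if [ "$vis" = hidden ] && [ "$uid" -lt 500 ]; then
            role=management          # hidden, UID under 500: the reply's Jamf account
        elif [ "$vis" = visible ] && [ "$uid" -ge 500 ]; then
            role=shared-visible      # not hidden: the reply's 501-style account
        else
            role=review              # mixed state, check by hand
        fi
        echo "$name $uid $vis $role"
    done
}

if command -v dscl >/dev/null 2>&1; then collect_macos; else sample_accounts; fi |
    classify_admins
```

Accounts that are admins only through a nested group are not listed, since the script reads direct `GroupMembership` entries only.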