Managing users - Active Directory? LDAP? JumpCloud? nothing at all?

mog
New Contributor

This is maybe a basic question, but conceptually I'd like to know where best to begin.

Currently, to manage users we have JAMF policies that push two admin accounts: one used by us [I.T.], and one used by department heads.

We set up our end users with a standard account with their name and the username [firstinitial][lastname].

The most common issue we run into is that there is a good amount of turnover in staff. For example: we will set up a computer for Jane Smith [jsmith] (standard account) and then Jane will leave, and now Scott Thomas needs the machine.

1.) A department head will contact us saying they need the user switched from Jane to Scott. The department head will log in with their admin user.
2.) We [I.T.] will start a remote session with them on the machine.
3.) We delete "jsmith" and create "sthomas".
4.) Log out of the machine.
5.) [occasionally] We'll have to log back in as the new user and delete the hidden "keychains" folder in order to prevent keychain errors for this new account. Because we have to be logged in as the new user for this to work, this requires us to start another remote session, with the user providing a password to us for a second time.

Needless to say, this is not a simple or easy process. What are the potential solutions (if there are any) to this problem? We don't need enterprise-grade security or features, but I'd love to be able to do what we do in an AD PC environment... all we do is create a new Active Directory user for them to sign in with, disable the old user, and they are good to go. So much easier!

So what is a way to accomplish this, and what are the benefits and drawbacks of each of these methods?
1.) Active Directory integration?
2.) LDAP integration?
3.) JumpCloud? (just heard about this)

4.) -- there is no good way of doing this?

Thanks for any advice!

3 REPLIES

tuinte
Contributor III
"We [I.T.] will start a remote session with them on the machine"

Where are these Macs? You should be able to remote onto them and do the account creation/deletion without intervention from a department head, no?

Regardless:

Are these user accounts currently AD mobile accounts? Are the machines bound? If so, you just need to give credentials to the new user and they can log in. You can use Casper Remote to quickly delete/archive the old user's account. If they're not AD mobile accounts and the machines aren't bound, it's not difficult to set up an AD profile in the JSS to push out.

jared_f
Valued Contributor

I really like JumpCloud. I used the API for authentication for one of our websites, and I also use it to install user accounts on the computers. +1 for JumpCloud.

ega
Contributor III

Really two different things here: 1) how to manage local accounts, and 2) what the advantages of using a directory service for login are.
1) A Jamf policy can, at the same time, a) delete a named account, b) create a new named account, and c) if needed, change the password on an existing named account. Also, Jamf Nation is full of fixes for the various keychain issues, which might also be applied with the same policy.

2) Moving to any of the directories you mention simply trades one set of issues for another, and possibly brings on the extra workload of maintaining a directory service and its data, as @tuinte points out. If you already have a correctly and completely populated directory, then using it might have some advantages, like anyone could then use any machine to log in if there is a network connection (though that also might be a security issue for you). That said, if you have nothing, I will also give +1 to JumpCloud. If you are looking to increase security, JumpCloud is the only service I know of that supports 2-factor authentication at the macOS login window.
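The delete-old / create-new / reset-password / clear-keychain sequence from the original post, written out as the kind of single Jamf policy script ega's point 1) describes. This is an added example for this thread, not code from Jamf or from anyone posting here. Assumptions: the script parameter mapping ($4 = old shortname, $5 = new shortname, $6 = full name, $7 = temporary password), the placeholder names in PROTECTED_ACCOUNTS, and the [firstinitial][lastname] derivation helper are all mine. The macOS-specific calls (dscl, sysadminctl) run only when Jamf actually supplies parameters.

```bash
#!/bin/bash
# Jamf policy script: rotate a local standard account from a departed user to the
# Mac's new owner. Added illustration for this thread, not Jamf's own code.
# Jamf passes script parameters starting at $4; the mapping below is assumed:
#   $4 = old shortname (e.g. jsmith)   $5 = new shortname (e.g. sthomas)
#   $6 = new user's full name          $7 = temporary password for the new account
#
# PROTECTED_ACCOUNTS is a placeholder for the two pushed admin accounts; fill in the
# real names before use so a mistyped parameter can never delete them.
PROTECTED_ACCOUNTS="itadmin deptadmin"

# Accept only a conservative macOS shortname: starts with a lowercase letter, then
# letters/digits/._-, at most 31 characters. Rejects spaces, slashes and shell
# metacharacters so a typo in a policy parameter cannot become a path or a command.
valid_shortname() {
    n=$1
    [ -n "$n" ] && [ "${#n}" -le 31 ] || return 1
    case "$n" in
        [a-z]*) ;;
        *) return 1 ;;
    esac
    case "$n" in
        *[!a-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Derive the [firstinitial][lastname] convention from a full name:
# "Scott Thomas" -> "sthomas" (initial of the first word plus the last word).
derive_shortname() {
    set -- $1                       # word-split the full name into positional params
    [ "$#" -ge 2 ] || return 1
    initial=$(printf '%s' "$1" | cut -c1)
    eval last=\"\${$#}\"
    printf '%s%s\n' "$initial" "$last" | tr '[:upper:]' '[:lower:]'
}

# Refuse to touch system accounts (_ prefix, root, ...) and the pushed admin accounts.
is_protected() {
    case "$1" in
        root|daemon|nobody|_*) return 0 ;;
    esac
    for p in $PROTECTED_ACCOUNTS; do
        [ "$1" = "$p" ] && return 0
    done
    return 1
}

# The actual rotation; macOS-only (dscl, sysadminctl), runs as root under Jamf.
# All guard checks happen before any directory call, so bad input changes nothing.
rotate_user() {
    old=$1; new=$2; full=$3; pw=$4
    valid_shortname "$old" && valid_shortname "$new" || { echo "bad shortname" >&2; return 2; }
    [ "$old" != "$new" ] || { echo "old and new shortname are identical" >&2; return 2; }
    if is_protected "$old"; then echo "refusing to delete protected account $old" >&2; return 3; fi

    if dscl . -read "/Users/$old" >/dev/null 2>&1; then
        # -secure wipes the home folder; use -keepHome instead if you must archive it.
        sysadminctl -deleteUser "$old" -secure || return 4
    fi

    if dscl . -read "/Users/$new" >/dev/null 2>&1; then
        # Account already exists (e.g. the policy re-ran): just reset the password.
        sysadminctl -resetPasswordFor "$new" -newPassword "$pw" || return 5
    else
        sysadminctl -addUser "$new" -fullName "$full" -password "$pw" || return 5
    fi

    # A leftover login keychain from a previous home folder is what produces the
    # keychain errors the thread describes; remove it so macOS recreates it at first login.
    if [ -d "/Users/$new/Library/Keychains" ]; then
        rm -rf "/Users/$new/Library/Keychains"
    fi
}

# Jamf supplies $4 and up; invoked without parameters the script changes nothing.
if [ -n "${4:-}" ]; then
    rotate_user "$4" "$5" "${6:-$5}" "${7:-}"
fi
```

Two caveats worth keeping in mind with this approach: the password arrives as a policy parameter, so it is briefly visible in the process list and in the policy log, which is why it should be a temporary one the new user changes at first login rather than their real password; and on a FileVault-enabled Mac the new account also needs a secure token, which sysadminctl -addUser only grants when you supply -adminUser/-adminPassword for an existing token holder.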