The tale of the macOS MDM Managed Local Administrator Account vs Jamf Management Account

Over the years, as Jamf Pro and macOS have evolved from the pre-MDM-framework Casper Suite days to the more recent additions of FileVault and SecureToken, Apple has invested more and more in "non-agent" frameworks, building on the success of the MDM-first approach on iOS. Jamf Pro has been a fantastic tool for running policy- and agent/binary-based management to fill the gaps where the MDM framework initially did not exist, and later where it fell short.

Apple has recently clearly defined the future role of the "managed administrator account" that the MDM framework can manage remotely. The next low-hanging fruit in both Apple's and Jamf Pro's evolution of local macOS account management is the local administrator account. Jamf Pro currently has a partial implementation of the "managed administrator account" as part of macOS PreStage Enrollment; however, there is no ongoing "stateful" management of the account yet.

Reviving this thread in hopes of some assistance with why my SSH access is breaking when the management account is changed, and how I might go about troubleshooting. I'm unfamiliar with the ins and outs of SSH access. In my environment, we wanted to change the management account to be different from the local admin account already on the computer. We had discovered issues when trying to reset the local admin acct password via policy. Policy seemed to get confused by the local and management account having the same name and would fail most of the time. To do this, we created a new QuickAdd via Recon. Ran it on the machines and they all updated the management account seemingly correctly. However, now I cannot access any of the machines via Jamf Remote. It reports back "SSH is not enabled on the remote computer.", even though the SSH column in Jamf Remote is reporting Yes and the machine's GUI confirms this. I've tried using the GUI to turn things off and on again. Have also tried turning SSH off and on via Terminal. Have tried disabling and enabling ARD via Terminal. To me, it comes off as a credentials issue where maybe new and old credentials are conflicting. I just don't really know where to check for these things. I've tried to wipe the /.ssh/known_hosts file. I've also tried editing the GroupMembership. I'm out of ideas and don't want to re-image 100+ machines just to separate the management account from the local admin account.

So if you're doing this via a QuickAdd package (which is essentially an enrollment), you could set up a policy to kick off your remote access upon enrollment complete with kickstart:

/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -targetdisk / -activate -configure -clientopts -setmenuextra -menuextra yes
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -targetdisk / -configure -users 'jamfadminaccount' -access -on -privs -all
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -targetdisk / -configure -allowAccessFor -specifiedUsers -privs -all
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -targetdisk / -restart -agent -menu

This will work for a few more weeks at least, until Apple decides to nerf kickstart.
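The enrollment-complete policy the reply above describes, written out as an added example script. This is not the poster's code and not Jamf's: it takes the management account name from Jamf's first custom policy parameter ($4; $1 to $3 are the mount point, computer name and username Jamf always passes), turns Remote Login on, runs kickstart for that account, and, as an assumed check rather than a cause the thread establishes, adds the account to the com.apple.access_ssh group that macOS consults when Remote Login is restricted to specific users. An account that is missing from that group cannot log in over SSH even while Remote Login reports as on, which is one thing worth verifying on a machine before re-imaging it. The account name "jamfadmin" in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original thread): Jamf policy script that makes
# Remote Login (SSH) and Remote Management (ARD) usable for the management account.
# Assumes Jamf's convention of custom parameters starting at $4.
# Usage from a policy: script parameter 4 = management account name, e.g. jamfadmin
set -eu

KICKSTART=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart
# Group macOS uses for "Allow access for: Only these users" on Remote Login.
SSH_ACCESS_GROUP=com.apple.access_ssh

# Pure helper: the kickstart argument lines that grant one user full ARD privileges
# and restrict access to specified users. Separate so it can be inspected without
# actually invoking kickstart.
kickstart_args_for_user() {
    user=$1
    printf '%s\n' \
        "-activate -configure -allowAccessFor -specifiedUsers" \
        "-configure -users $user -access -on -privs -all" \
        "-restart -agent -menu"
}

# Pure helper: interpret a `dseditgroup -o checkmember` result line, which reads
# "yes <user> is a member of <group>" or "no <user> is NOT a member of <group>".
is_member_line() {
    case "$1" in
        yes\ *) return 0 ;;
        *)      return 1 ;;
    esac
}

ensure_ssh_access() {
    user=$1
    # No-op if Remote Login is already on.
    systemsetup -setremotelogin on >/dev/null
    # When the ACL group exists, sshd only admits its members: add the account.
    if dseditgroup -o read "$SSH_ACCESS_GROUP" >/dev/null 2>&1; then
        if ! is_member_line "$(dseditgroup -o checkmember -m "$user" "$SSH_ACCESS_GROUP")"; then
            dseditgroup -o edit -a "$user" -t user "$SSH_ACCESS_GROUP"
        fi
    fi
}

ensure_ard_access() {
    user=$1
    kickstart_args_for_user "$user" | while IFS= read -r args; do
        # Word-splitting the argument line into separate arguments is intended here.
        # shellcheck disable=SC2086
        "$KICKSTART" $args
    done
}

main() {
    mgmt_user=${4:-}
    if [ -z "$mgmt_user" ]; then
        echo "usage: $0 <mount> <computer> <user> <managementAccount>" >&2
        exit 2
    fi
    # Fail early if the account was never created locally (e.g. QuickAdd did not run).
    if ! id "$mgmt_user" >/dev/null 2>&1; then
        echo "no local account named $mgmt_user" >&2
        exit 1
    fi
    ensure_ssh_access "$mgmt_user"
    ensure_ard_access "$mgmt_user"
    echo "Remote Login and Remote Management enabled for $mgmt_user"
}

# Only act when run as root on macOS, which is how Jamf executes policy scripts.
if [ "$(uname -s)" = Darwin ] && [ "$(id -u)" -eq 0 ]; then
    main "$@"
fi
```

The membership check is what distinguishes this from the bare kickstart lines: kickstart governs ARD only, and enabling Remote Login does not by itself put a newly created account into the access group, so a script that runs after the management account changes should verify both.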