One of the great features of Jamf Connect is the ability to make a user account on demand simply by logging into the Mac. Jamf Connect will read an attribute from our identity provider (IdP) to determine if a user should be an Administrator or get standard rights.

For our security-conscious Mac Admins out there in the world (which should be all of you, I hope), this means that we can completely eliminate the “one ring to rule them all” type of admin accounts deployed to the fleet, usually stuck with some “secret” password that everyone in the company ends up knowing eventually.

Now, this is great, but then we run into trouble: we have a user account on a machine that we just needed for five minutes to fix a one-off type of problem, and in two years, when we go back to that machine to fix another random one-off problem, we have a user account where the admin has zero idea what the local user password could be. That is a splintering of this larger problem for IT.

What the workflow does:

1. An administrator makes a just-in-time account with the Jamf Connect login mechanism. Could be a one-off fix, could be resetting a forgotten local password. Whatever it is, the admin is done, and now it’s time to clean up after ourselves as a good admin should.
2. The administrator opens Jamf Self Service and runs a Policy. This runs a script that looks for any account created by Jamf Connect in the last 60 minutes (which can be customized) and drops a touch file into a hidden directory, like /Library/Application Support/JAMF/Receipts. Note: the target directory can be changed to another location, such as /private/tmp, or any other you wish to use, so long as it contains the list of local short names that need to be deleted. For the purposes of this blog, we’ll refer to this as the “Deadpool” list.
3. The script then runs a jamf recon command to update the computer inventory record.
4. An Extension Attribute (EA) is leveraged that looks for the existence of the file created above on scoped devices.
5. A Smart Computer Group is created which utilizes the results of the EA above to dynamically gather all the computers with this Deadpool file stored.
6. The Policy is set to run with an Execution Frequency of “Ongoing”, a trigger of “Recurring Check-in”, and scoped to the Smart Computer Group above.
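The script pieces behind steps 2 through 4, as an added example rather than the post's own script: a filter that keeps only accounts created inside the configurable window, the writer for the Deadpool file, the EA result the Smart Group keys off, and a macOS-only collector. The file name `jamfconnect_deadpool`, the use of `accountPolicyData`'s `creationTime` key to learn an account's creation time, and the `OIDCProvider` attribute used to recognise Jamf Connect-created accounts are assumptions, not details from the post, so check them against your own user records before deploying.

```shell
#!/bin/bash
# Added example, not the post's own script. Reproduces the Self Service policy's logic:
# pick local accounts created within the last WINDOW_MINUTES, write their short names
# into a hidden "Deadpool" file, recon, and give the Extension Attribute something to report.
#
# Assumptions (not stated in the post): the file name "jamfconnect_deadpool", creation time
# taken from accountPolicyData's creationTime key, and an OIDCProvider attribute marking
# accounts that Jamf Connect created. Filtering and file handling are pure shell so they
# run anywhere; only collect_account_ages needs macOS.

WINDOW_MINUTES="${WINDOW_MINUTES:-60}"
DEADPOOL_DIR="${DEADPOOL_DIR:-/Library/Application Support/JAMF/Receipts}"
DEADPOOL_FILE="$DEADPOOL_DIR/jamfconnect_deadpool"   # hypothetical file name

# select_recent_accounts NOW WINDOW_MINUTES
# stdin: lines of "<shortname> <creation_epoch>"; stdout: names created within the window.
# Creation times in the future (clock skew, bad data) are ignored rather than treated as recent.
select_recent_accounts() {
    awk -v now="$1" -v win="$2" '
        NF == 2 && $2 ~ /^[0-9]+$/ {
            age = now - $2
            if (age >= 0 && age <= win * 60) print $1
        }'
}

# write_deadpool FILE
# stdin: short names, one per line. Writes the list readable by root only and returns 0.
# With no names it removes any stale file and returns 1, so nothing gets scoped by mistake.
write_deadpool() {
    file="$1"
    names="$(cat)"
    if [ -z "$names" ]; then
        rm -f "$file"
        return 1
    fi
    mkdir -p "$(dirname "$file")"
    printf '%s\n' "$names" > "$file"
    chmod 600 "$file"
    return 0
}

# ea_result FILE
# What the Extension Attribute script reports to Jamf Pro; the Smart Group matches on "Yes".
ea_result() {
    if [ -s "$1" ]; then
        echo "<result>Yes</result>"
    else
        echo "<result>No</result>"
    fi
}

# collect_account_ages  (macOS only; assumptions about where the data lives)
# Emits "<shortname> <creation_epoch>" for every local account with UID >= 500 that
# carries the OIDCProvider attribute this example assumes Jamf Connect sets.
collect_account_ages() {
    dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }' | while read -r user; do
        dscl . -read "/Users/$user" OIDCProvider >/dev/null 2>&1 || continue
        # accountPolicyData is an embedded plist; creationTime is seconds since the epoch.
        ctime=$(dscl . -read "/Users/$user" accountPolicyData 2>/dev/null \
                | sed '1d' | plutil -extract creationTime raw -o - - 2>/dev/null)
        [ -n "$ctime" ] && printf '%s %s\n' "$user" "${ctime%.*}"
    done
}

# Run the real thing only when asked, so the file can also be sourced for testing.
if [ "${1:-}" = "--run" ]; then
    collect_account_ages \
        | select_recent_accounts "$(date +%s)" "$WINDOW_MINUTES" \
        | write_deadpool "$DEADPOOL_FILE" \
        && /usr/local/bin/jamf recon   # refresh inventory so the EA is re-evaluated right away
    ea_result "$DEADPOOL_FILE"
fi
```

Run it as `sudo ./deadpool.sh --run` from the Self Service policy; the `ea_result` function on its own is the entire body of the Extension Attribute script. Leaving no file behind when the window is empty matters: an empty but present file would still be "found" by a naive EA and pull the machine into the cleanup Smart Group.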