I just don't really know where to check for these things. To me, it comes off as a credentials issue where maybe new and old credentials are conflicting. Have tried disabling and enabling ARD via Terminal. Have also tried turning SSH off and on via Terminal. I've tried using the GUI to turn things off and on again. It reports back "SSH is not enabled on the remote computer.", even though the SSH column in Jamf Remote is reporting Yes and the machine's GUI confirms this. However, now, I cannot access any of the machines via Jamf Remote. Ran it on the machines and they all updated the management account seemingly correctly. To do this, we created a new QuickAdd via Recon. Policy seemed to get confused by local and management account having the same name and would fail most of the time. We had discovered issues when trying to reset the local admin acct password via policy. In my environment, we wanted to change the management account to be different than the local admin account already on the computer. I'm unfamiliar with the ins and outs of SSH access. You may choose not to "create" the management account on the Mac (but nonetheless you must "define" it)

Everything is clear now - we will define the management account but no longer create it.

Reviving this thread in hopes for some assistance with why my SSH access is breaking when management account is changed and how I might be able to go about troubleshooting.

You have to "define" the management account (username/random password).

Taking a step back, and considering the input from you guys, it actually means. The Jamf documentation was confusing me - it says the management account is optional, yet mandatory for the Mac to be 'managed' by Jamf. I'm convinced now, from all your replies, that the management account doesn't need to be created at all. (I left out some of these details in my original post, which is definitely confusing, my bad!) While we are still creating the 'management account'.
Subsequently, we stopped creating the 'managed' account entirely. (so in our case, the 2 accounts are 1 and the same) When we first rolled out Jamf, we basically gave the 'managed' account and the 'management account' the same username and password (which is then rotated via policy thereafter). I'm fairly aware that the 'managed' account created during PreStage, is different from the actual 'management account'. Having and using these accounts always felt so messy and old-fashioned to me, and these days are just more trouble than they're worth.

Everyone, thank you for the insights! They were helpful! Need to elevate during a remote session? Sign into your LDAP/SSO account in Self Service and click a scoped to you Policy to elevate to admin, do your thing, and demote when you're done. Someone forgets their FV password? Here's your escrowed recovery key. You have an admin account already, it's called the jamf binary, bootstrap token, and the MDM framework. The value of an "IT Admin" account on macOS is in my opinion almost nil. If this account has the same name as the account you specify in your prestage, that account will never get a SecureToken, and thus, your "in case of emergency, use this local admin account to unlock FileVault, or also kick off a scripted softwareupdate to upgrade macOS with hard coded credentials" will not work for such purposes. There are two things the management account is used for:

Enabled FileVault User in a Disk Encryption Configuration (not compatible with anything since 10.17, DEC and enablement of FV using a Policy still work just fine, but only for the Current or Next User). You must specify details about the username and password, but leave the box to create the management account unchecked. You should not create management accounts in UiE. Specify the account info, set a random password, but leave the Create Management Account option unchecked. In fact, you can break enrollments if you don't handle that account correctly.
To actually answer your question, the account is not needed unless you require the workflows specified in the documentation. It is important to note that the management account specified in the UIE settings is for any enrollments

Account to be used for managing computers enrolled via a PreStage enrollment or user-initiated enrollment

The account in the prestage is a "managed" admin account, not the jamf management account. The management account is only specified in the UIE settings.