
Creating Jamf Pro QuickAdd installer packages which do not install the Jamf Pro management user account

Jamf Pro-managed Macs usually have a management account on the Mac, which is normally created as part of the Mac’s enrollment in the Jamf Pro service. This may cause issues in some Mac environments, where the creation of local user accounts is tightly controlled to help minimize opportunities for malicious third parties to compromise unused accounts.

To help protect against the Jamf Pro management account being compromised, Jamf has added some protections. These protections include the ability to set a random password for the account on a per-machine basis and the ability to rotate the password on a regular basis.


Depending on your needs though, it is also possible to avoid setting up the Jamf Pro management account on Macs. The reason for this is that the Jamf Pro agent by and large does not need the Jamf Pro management account in order to work properly.

As of Jamf Pro 9.99.0, the Jamf Pro management account is used for the following:

If you are not using Jamf’s Remote application for remote screen sharing, or enabling the Jamf Pro management account for FileVault 2, it is not necessary to install the Jamf Pro management account on Jamf Pro-managed Macs at all. For more details, see below the jump.

The usual method of enrolling a Mac into Jamf Pro uses a QuickAdd installer package, generated by Jamf’s Recon application or via user-initiated enrollment.

Here’s how you can configure Recon to generate a QuickAdd package that does not install the Jamf Pro management account:

1. Launch Recon
2. Select QuickAdd Package
3. Specify the name of the management account you want to use


4. In the Method for Setting Password: drop-down menu, select Randomly generate password.

This will cause two things to happen in the Recon interface.

A. The Create management account if it does not exist option will be enabled


B. The Create… button in the lower-right corner will go from grayed-out to active.


5. Uncheck the Create management account if it does not exist option

This will cause the Method for Setting Password: drop-down menu to display Specify password…, but the Create… button in the lower-right corner will remain active.


6. Set any other desired options.

7. Click the Create… button


The Recon application will generate a QuickAdd package that will enroll the Mac in the appropriate Jamf Pro server, but the newly-created QuickAdd will not create the Jamf Pro management account on the Mac as part of the installation process.


Note: The computer will still appear in the Jamf Pro server’s inventory as a managed computer with the management account listed.


The same method can be used with user-initiated enrollment. To set the QuickAdd packages generated by the user-initiated enrollment process to not create the management user account, use the following procedure:

1. Log into your Jamf Pro server.
2. Go to Management Settings: Global Management and select User-Initiated Enrollment


3. Under Platforms: macOS, uncheck the Create management account setting.


Note: There is no need to change the Method for Setting Password or Password Length settings.
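One way to confirm the outcome on an enrolled Mac, as an added example that is not from the original post or from Jamf: a script in the style of a Jamf Pro extension attribute that reports whether the management account actually exists locally, which the inventory record alone does not show. The account name `jamfmgmt` and the `LOCAL_USERS_FIXTURE` variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Jamf's own code.
# MGMT_USER is a placeholder: set it to the management account name
# entered in Recon or in the User-Initiated Enrollment settings.
MGMT_USER="${MGMT_USER:-jamfmgmt}"

# Print "shortname uid" pairs for local accounts, one per line.
# On a Mac this queries the local directory node with dscl.
# LOCAL_USERS_FIXTURE (hypothetical variable) lets the check run against
# constructed sample data on a machine without dscl.
list_local_users() {
    if [ -n "${LOCAL_USERS_FIXTURE:-}" ]; then
        printf '%s\n' "$LOCAL_USERS_FIXTURE"
    else
        dscl . -list /Users UniqueID
    fi
}

# Echo "absent", "present (UID n)" or "unknown" for the account named in $1.
# "unknown" means the local user list could not be read at all, which is
# reported separately so a failed query is never mistaken for "absent".
mgmt_account_state() {
    users=$(list_local_users 2>/dev/null) || { echo "unknown"; return 0; }
    # Compare case-insensitively so a differently-cased record name
    # is still reported as present.
    printf '%s\n' "$users" | awk -v want="$1" '
        tolower($1) == tolower(want) {
            printf "present (UID %s)\n", $2
            found = 1
            exit
        }
        END { if (!found) print "absent" }'
}

# Extension attribute scripts return their value inside <result> tags.
echo "<result>$(mgmt_account_state "$MGMT_USER")</result>"
```

A smart group built on this attribute would list any Mac where the value is not `absent`.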
