Education

Mac Admin Privileges: Controlling Security and Updates with Jamf Pro

Moof IT
08.12.2021
Share

When you set up a new Mac, you’re made the administrator of that machine by default.

That’s great and super-useful if you’re a home user, but if the Mac happens to be a business device, it can cause security and compliance issues – particularly for organisations that don’t have dedicated Mac admin teams (few do – it’s why we exist, after all!).

Big organisations running multiple Macs need their users to be standard users. But non-admin roles can cause issues for workers – particularly in cases where it’s within the business’s interests to give them the ability to install software and tweak their devices.

The good news? We know of a rather smart way to get around this – safely.

The importance of making informed decisions

Let’s assume you’re running a business that has a team of developers using Macs. Every day, they’ll tell you that they desperately need administrator rights to do their jobs properly.

So, you give them those rights and, lo and behold, three months later your Macs are infested with malware and increasingly suffer from poor performance.

This is why, whenever we’re tasked with enabling Mac users to undertake their jobs unhindered without administrator privileges, we start by gathering information from both their machines and their use cases.

What, exactly, do they need to do on that Mac? Is there more than one way to achieve the desired result, and, if so, which one offers the right balance of security and user satisfaction? We can only make informed decisions about admin privileges if we do our homework which is why we always start by asking questions.

Rather than asking the users about their admin usage patterns, we gather the information directly from the devices, noting when admin rights were used, on which device and what it was used for.

The importance of making informed decisions

Collating this information enables us to make additions to the central device management system to remove the need for local admin privileges and to identify more extreme power users that may need a higher level of device access than standard users.

Hey, you may not need admin rights!

As noted earlier, larger companies will often have Mac users who make non-admin user levels rather challenging. This is usually the case with developers, or anyone who needs to install software or plugins that are required for their job.

As you’d guess, they’ll argue that they need admin privileges. No question; it’ll be painted as an absolute necessity.

This almost certainly isn’t the case. But it’s also why we spend a good deal of time gaining buy-in from team members who are convinced that anything other than administrator privileges will be a massive pain for them.

This is where Jamf Pro comes in. We configure it to provide a self-service button for users of this kind which grants them 30 minutes access to undertake their admin-like tasks. Every time they access the self-service feature, their activity is logged, enabling the admin team to see what they did and when they did it. Once the 30 minutes is up, they return to standard user status.

So, why not give them full admin rights instead? The reason is simple. The tasks they need to perform with admin privileges are likely to be few and far between, which makes the Jamf Pro self-service option so sensible. They can get in, do what they need to do, and get out. In an alternative universe where they have full admin privileges permanently, they can – and probably will – inadvertently (or purposefully) do far more damage by installing malicious software, even if that’s never the intention.

Minimising risk (and answering the remaining critics)

For most team members, the Jamf Pro solution will be the perfect balance and address their concerns. But a few may argue that it’s still not enough.

Admin privileges on Macs offer a wealth of access above and beyond anything a normal user can do. The users who are claiming they need that level of access simply won’t need 95% of the functionality on offer; usually, they’ll just need the ability to install tools and updates to do their jobs.

By instead using Jamf Pro, your business will be minimising risk by removing anyone who doesn’t need full administrator access and granting temporary access only to the people who do.

The best news? Jamf Pro can issue these capabilities via a database that checks and installs the updates automatically, so there’s no downtime or heavy lifting required if you want to implement this vital form of Mac security.

If you want to find out more about Jamf Pro or Mac admin privileges, just get in touch with the helpful team at moof IT today.

Related articles

Education

Why Moof IT Use Dropbox

Education

What’s Apple School Manager and How Does It Benefit The Education Sector?

Education

Moof IT Take Part In Movember

Education

Why The M2 Isn’t Better Than The M1 Pro

Education

How The New M2 Chip In The Macbook Air Differs From The Standard M1 And Why You Need To Know

Education

5 Mac Myths – Debunked

Education

What Do The Numbers In macOS Versions Mean?

Education

Introducing MoofPatch from Moof IT – The Effective Way to Push Regular macOS and Software Updates

Education

Apple M1 Ultra is the most Powerful Computer Chip ever

Education

How to Make the Most of Seamless Device Switching on macOS Monterey

Education

Apple’s Hidden Easter Egg

Education

Everything You Need to Know About Administrative Rights

Education

Recent Changes to Apple Configurator

Education

Basic MacOS IT Security

Education

How to Remove Words From Your Mac Dictionary

Education

How Can I Find Passwords That Have Been Stored in the macOS Keychain?

Education

Should You Upgrade to the New macOS Monterey?

Education

MoofPatch from Moof IT – Automatic MacOS and Third-Party Application Patching for Macs

Education

How to Make Sure Your Mac is Secure: Our Top 5 Tips

Education

You Need to Update Your iPhone and Mac ASAP – Here’s Why

Education

Why Prompt Patching is Vital for Cybersecurity

Education

Mac Admin Privileges: Controlling Security and Updates with Jamf Pro

Education

What is Zero Touch Deployment? And Does It Work?

Education

How to Apply an IT Security Policy on Your Macs

Education

What’s So Hot About Hot Corners?

Education

Registering Apple TVs with Apple Business/School Manager

Education

Changes to macOS version comparisons in macOS Big Sur

Education

Case Study – LJMU

Education

Case Study – Manchester Metropolitan University

Education

Case Study – Moorhouse Consulting

Education

Time machine – Back to the future!

Education

How to fix issues with Outlook search in macOS

Education

How to hide your Desktop icons during a presentation

Education

3rd February deadline for Notarization of non Mac App Store apps

Education

To cloud or not to cloud… that is the question

Education

What is credential stuffing and why should you care?

Education

Catalina boot-up issues on some older Macs

Education

Moof advice for upgrading to a new macOS

Education

How does the new 16-inch MacBook Pro compare with its predecessor?

Education

Jamf Pro and patching

Education

Multi-Factor Authentication and why it’s absolutely needed in your business!

Education

MacADUK 2019

Education

Summary of the Apple T2 chip

Education

I’m Spartacus

Education

Meraki, Apple Classroom and ‘Not-shared’ shared iPads

Education

If you’re using DeployStudio to manage your Macs in education… it’s time to move on!

Education

Managing Google Chrome on macOS with a Config Profile

Education

MacAD UK 2018 – Shields up, Captain?

Education

Deploying Autodesk Maya 2018 with Jamf Pro

Education

Is macOS imaging finally dead?

Contact Moof IT to discuss your Mac management needs

Email us 0203 983 4444
  • ISO_27001 logo
  • logo
  • Gcloud logo

Company

Address:
1st Floor, 20 Noel street, London, W1f 8GW
Company Number: 11082827

Social