Management Accounts
When you enroll computers, you must specify a local administrator account called the "management account". This is required for computers to be considered managed by Jamf Pro. However, choosing to create the management account on computers is optional and is only required for some workflows. The management account only needs to be created if you want to perform the following tasks on the computer:
- Screen sharing using Jamf Remote
- Authentication to initiate an SSH session using Jamf Remote for the computer to check in to Jamf Pro to run policies
- Enrolling computers with macOS 10.15.7 or earlier using Recon, including creating a QuickAdd.pkg for Jamf binary enrollments
Using a policy to administer the management account allows you to do the following:
- Enable FileVault using a policy (when SecureToken is enabled on the management account)
- Add or remove users from FileVault using a policy (when SecureToken is enabled on the management account)
- Generate a personal recovery key using a policy (when SecureToken is enabled on the management account)
- Perform authenticated restarts using a policy (when SecureToken is enabled on the management account)
To enable the management account, you must enable user-initiated enrollment, and then configure the management account username and password. It is recommended that you choose the
option for maximum security. You can see if a computer is managed by the management account by viewing the Managed attribute field in the computer inventory information.
Jamf does not recommend using a common, known password for the management account or for logging in to computers locally. Additionally, you should not use the management account to log in to computers locally. If you need an account to log in locally to a computer, create a local administrator account for this purpose instead of using the management account. You can create a local administrator account using the following methods:
- Configuring the Local Accounts payload of a policy (For more information, see Local Accounts.)
- Configuring the local account in a computer PreStage enrollment (For more information, see Computer PreStage Enrollments.)
- Creating a script
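As an added example (not a script from Jamf or this documentation), a policy script that creates a dedicated local administrator account so the management account is never used for local logins. It assumes the hypothetical Jamf script parameters $4 (new account name), $5 (password) and $6 (management account name), and refuses to reuse the management account name or a well-known password; sysadminctl and dscl are macOS tools, so the creation step only does real work on a Mac.

```shell
#!/bin/bash
# Added example, not Jamf's own script. Assumed Jamf script parameters:
#   $4 = new local admin account name, $5 = its password,
#   $6 = management account name (so it is never reused for local login).

# Return 0 if the requested name is acceptable, 1 otherwise.
validate_account_name() {
  local name="$1" mgmt="$2"
  case "$name" in
    ""|*[!a-z0-9_.-]*) return 1 ;;     # empty, or characters unsafe for a short name
  esac
  [ "$name" = "$mgmt" ] && return 1    # never reuse the management account
  [ "$name" = "root" ] && return 1
  return 0
}

# Minimal password policy: reject short values and a few well-known defaults.
validate_password() {
  local pw="$1" lower
  [ "${#pw}" -ge 12 ] || return 1
  lower=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')
  case "$lower" in
    password*|jamf*|admin*|12345*) return 1 ;;
  esac
  return 0
}

# Create the account only if it does not already exist (macOS-only tools).
create_local_admin() {
  local name="$1" pw="$2"
  if dscl . -read "/Users/$name" >/dev/null 2>&1; then
    echo "account $name already exists" >&2
    return 2
  fi
  sysadminctl -addUser "$name" -fullName "$name" -password "$pw" -admin
}

main() {
  local name="${4:-}" pw="${5:-}" mgmt="${6:-}"
  validate_account_name "$name" "$mgmt" || { echo "invalid account name" >&2; exit 1; }
  validate_password "$pw" || { echo "password does not meet policy" >&2; exit 1; }
  create_local_admin "$name" "$pw"
}

# Jamf passes parameters starting at $4; do nothing when run without them.
if [ -n "${4:-}" ]; then
  main "$@"
fi
```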
Administering the Management Account Using a Policy
- Change the account password—
This option changes the management account's password, as well as the account's login keychain password and FileVault password. It is recommended that you use this option if the management account's login keychain password matches the account password stored in Jamf Pro.
- Reset the account password—
This option only changes the management account's password. This option does not change the management account's login keychain password or FileVault password. For computers with macOS 10.14 or later, you must disable the management account SecureToken to reset the password. For more information on SecureToken, see Using SecureToken in Apple's Deployment Reference for Mac.
Note: If the management account's login keychain password does not match the account password stored in Jamf Pro, you must use the Reset Account Password option when administering the management account using a policy or the policy will fail.
- Enable the user for FileVault—
Note: For computers with macOS 10.13 or later, the computer must have a valid personal (also known as "individual") recovery key that matches the recovery key escrowed in Jamf Pro.
- Disable the user for FileVault—
When configuring the management account password settings, selecting the
option for maximum security is recommended. The policy runs on computers in the scope the next time they check in with Jamf Pro and meet the criteria in the General payload.