Management Accounts

When you enroll computers, you must specify a local administrator account called the "management account". This is required for computers to be considered managed by Jamf Pro. However, choosing to create the management account on computers is optional and is only required for some workflows. The management account only needs to be created if you want to perform the following tasks on the computer:

Using a policy to administer the management account allows you to do the following:

  • Screen sharing using Jamf Remote

  • Authentication to initiate an SSH session using Jamf Remote for the computer to check in to Jamf Pro to run policies

  • Enrolling computers with macOS 10.15.7 or earlier using Recon, including creating a QuickAdd.pkg for Jamf binary enrollments

  • Enable FileVault using a policy (when SecureToken is enabled on the management account)

  • Add or remove users from FileVault using a policy (when SecureToken is enabled on the management account)

  • Generate a personal recovery key using a policy (when SecureToken is enabled on the management account)

  • Perform authenticated restarts using a policy (when SecureToken is enabled on the management account)

To enable the management account, you must enable user-initiated enrollment, and then configure the management account username and password. It is recommended that you choose the Randomly generate passwords option for maximum security. You can see if a computer is managed by the management account by viewing the Managed attribute field in the computer inventory information.

Important:

Jamf does not recommend using a common, known password for the management account or for logging in to computers locally. Additionally, you should not use the management account to log in to computers locally. If you need an account to log in locally to a computer, create a local administrator account for this purpose instead of using the management account. You can create a local administrator account using the following methods:

  • Configuring the Local Accounts payload of a policy (For more information, see Local Accounts.)

  • Configuring the local account in a computer PreStage enrollment (For more information, see Computer PreStage Enrollments.)

  • Creating a script

Administering the Management Account Using a Policy

You can use a policy to administer the management account. This allows you to do the following:
  • Change the account password

    This option changes the management account's password, as well as the account's password and FileVault password. It is recommended that you use this option if the management account's login keychain password matches the account password stored in Jamf Pro.

  • Reset the account password

    This option only changes the management account's password. This option does not change the management account's login keychain password or FileVault password. For computers with macOS 10.14 or later, you must disable the management account SecureToken to reset the password. For more information on SecureToken, see Using SecureToken in Apple's Deployment Reference for Mac.

    Note:

    If the management account's login keychain password does not match the account password stored in Jamf Pro, you must use the Reset Account Password option when administering the management account using a policy or the policy will fail.

  • Enable the user for FileVault
    Note:

    For computers with macOS 10.13 or later, the computer must have a valid personal (also known as "individual") recovery key that matches the recovery key escrowed in Jamf Pro.

  • Disable the user for FileVault
Important:

When configuring the management account password settings, selecting the Randomly generate new password option for maximum security is recommended.

You can change or reset the management account password using a policy. You can also enable or disable the management account for FileVault.
  1. In Jamf Pro, click Computers at the top of the sidebar.
  2. Click Policies in the sidebar.
  3. Click New .
  4. Use the General payload to configure basic settings for the policy, including the trigger and execution frequency.
  5. Select the Management Account payload and select an action using the options on the pane.
    Important:

    When configuring the management account password settings, selecting the Randomly generate new password option for maximum security is recommended.

  6. Use the Restart Options payload to configure settings for restarting computers.
  7. Click the Scope tab and configure the scope of the policy.
  8. (Optional) Click the Self Service tab and make the policy available in Self Service.
  9. (Optional) Click the User Interaction tab and configure messaging and deferral options.
  10. Click Save .

The policy runs on computers in the scope the next time they check in with Jamf Pro and meet the criteria in the General payload.