Jamf Pro User Accounts and Groups

Jamf Pro is a multi-user application. Jamf Pro user accounts and groups allow you to grant different privileges and levels of access to each user.

When configuring a Jamf Pro user account or group, you can grant access to the full Jamf Pro or to a specific site. You can grant privileges by choosing one of the following privilege sets:

  • Administrator—Grants all privileges.

  • Auditor—Grants all read privileges.

  • Enrollment Only—Grants all privileges required to enroll computers and mobile devices.

    Note: This includes privileges to do the following:

    • Log in to the Jamf Pro interface

    • Read, create, and delete enrollment invitations

    • Read and delete computer and mobile device records via the Jamf Pro API

  • Custom—Requires you to grant privileges manually. For a Custom user account or group to have access to a particular function, privileges may need to be granted for multiple objects. For example, to create a mobile device configuration profile, the user needs privileges for both “Mobile Devices” and “Mobile Device Configuration Profiles”.

If there are multiple users that should have the same access level and privileges, you can create a group with the desired access level and privileges and add accounts to it. Members of a group inherit the access level and privileges from the group. Adding an account to multiple groups allows you to grant a user access to multiple sites.

There are two ways to create Jamf Pro user accounts and groups: you can create standard accounts or groups, or you can add them from an LDAP directory service.

Important: It is recommended that you have at least one account that is not from an LDAP directory service in case the connection between the Jamf Pro server and the LDAP server is interrupted.

The Jamf Pro User Accounts and Groups settings also allow you to do the following:

  • Configure account preferences for each Jamf Pro user account.

  • Configure the password settings in the Password Policy for all standard Jamf Pro user accounts.

  • Unlock a Jamf Pro user account that is locked.

Important: It is recommended that you create multiple accounts with administrator privileges. This is because each Jamf Pro instance has its own authentication authority, and multiple administrator accounts will allow an administrator to easily log back into an account should the password for one account be lost.

General Requirements

To add accounts or groups from an LDAP directory service, you need an LDAP server set up in Jamf Pro. For more information, see “Integrating with LDAP Servers” in the Jamf Pro Administrator’s Guide.

Creating a Jamf Pro User Group

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings images/download/thumbnails/86836561/Icon_Settings_Hover.png .

  3. Click System Settings.

  4. Click Jamf Pro User Accounts & Groups images/download/thumbnails/86836561/JSS_User_Accounts.png .

  5. Click New images/download/thumbnails/86836561/Icon_New_Button.png .

  6. Do one of the following:

    • To create a standard Jamf Pro user group, select Create Standard Group and click Next.

    • To add a Jamf Pro user group from an LDAP directory service, select Add LDAP Group and click Next. Then follow the onscreen instructions to search for and add the group.

  7. Use the Group pane to configure basic settings for the group.

  8. If you chose “Custom” from the Privilege Set pop-up menu, click the Privileges tab and select the checkbox for each privilege that you want to grant the group.

  9. Click Save images/download/thumbnails/81531754/floppy-disk.png .

Creating a Jamf Pro User Account

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings images/download/thumbnails/86836561/Icon_Settings_Hover.png .

  3. Click System Settings.

  4. Click Jamf Pro User Accounts & Groups images/download/thumbnails/86836561/JSS_User_Accounts.png .

  5. Click New images/download/thumbnails/86836561/Icon_New_Button.png .

  6. Do one of the following:

    • To create a standard Jamf Pro user account, select Create Standard Account and click Next.

    • To add a Jamf Pro user account from an LDAP directory service, select Add LDAP Account and click Next. Then follow the onscreen instructions to search for and add the account.

  7. On the Account pane, enter information about the account as needed.

  8. Choose an access level from the Access Level pop-up menu:

    • To grant full access to Jamf Pro, choose “Full Access”.

    • To grant access to a site, choose “Site Access”.

      Note: The “Site Access” option is only displayed if there are sites in Jamf Pro.

    • To add the account to a standard group, choose “Group Access”.

      Note: The “Group Access” option is only displayed if there are standard groups in Jamf Pro.

  9. Do one of the following:

    • If you granted the account full access or site access, choose a privilege set from the Privilege Set pop-up menu. Then, if you chose “Custom”, click the Privileges tab and select the checkbox for each privilege that you want to grant the account.

    • If you added the account to a group, click the Group Membership tab and select the group or groups you want to add the account to.

  10. Click Save images/download/thumbnails/81531754/floppy-disk.png .

Configuring Account Preferences

You can configure language & region, search, and interface preferences for each Jamf Pro user account. Language & region preferences allow you to configure settings such as date format and time zone. Search preferences allow you to configure settings for computer, mobile device, and user searches. Interface preferences allow you to configure whether or not Jamf Pro alerts you when navigating away from unsaved changes.

  1. Log in to Jamf Pro.

  2. At the top of the page, click the account settings images/download/thumbnails/86836561/icon_account_settings.png icon and then click Account Preferences.

  3. Click the Language & Region tab and use the pop-up menus to configure language and region preferences.

  4. Click the Search Preferences tab and use the pop-up menus to configure search preferences.

    Note: The default search preference is “Exact Match”. For most items, the option can be changed to either “Starts with” or “Contains”.

  5. Click the Interface Preferences tab and use the checkbox to configure the unsaved changes alert preference.

  6. Click Save images/download/thumbnails/81531754/floppy-disk.png .

Configuring the Password Policy

The Password Policy in Jamf Pro allows you to configure the password settings. The Password Policy applies to all standard Jamf Pro user accounts. You can configure the following password settings:

  • Number of login attempts allowed before a Jamf Pro user is locked out of the account

  • Password length and age

  • Password reuse limitations

  • Password complexity

  • Settings to allow a user to unlock their own account

Note: The settings configured in the Password Policy do not apply to Jamf Pro user accounts added from an LDAP directory service.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings images/download/thumbnails/86836561/Icon_Settings_Hover.png .

  3. Click System Settings.

  4. Click Jamf Pro User Accounts & Groups images/download/thumbnails/86836561/JSS_User_Accounts.png .

  5. Click Password Policy.

  6. Click Edit images/download/thumbnails/81532686/edit.png .

  7. Use the settings on the pane to specify the password settings.

  8. Click Save images/download/thumbnails/81531754/floppy-disk.png .

The settings are applied immediately.

Unlocking a Jamf Pro User Account

A Jamf Pro user could be locked out of their account if they exceed the specified number of allowed login attempts. If the Password Policy is configured to allow the user to unlock their account, the user can reset their password to unlock their account. In this case, an email is immediately sent to the email address associated with the account in Jamf Pro allowing the user to unlock their account by resetting their password. In addition, a Jamf Pro user account that is locked can be manually unlocked from Jamf Pro by another Jamf Pro user with the Administrator privilege set.

The access status of the account is displayed as “Disabled” in Jamf Pro until the account is unlocked.

Requirements

For a password reset email to be sent to locked accounts, an SMTP server must be set up in Jamf Pro. For more information, see Integrating with an SMTP Server.

Procedure

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings images/download/thumbnails/86836561/Icon_Settings_Hover.png .

  3. Click System Settings.

  4. Click Jamf Pro User Accounts & Groups images/download/thumbnails/86836561/JSS_User_Accounts.png .
    A list of Jamf Pro user accounts and groups is displayed.

  5. Click the Jamf Pro user account that has an access status of “Disabled”, which means the account is locked.

  6. Click Edit images/download/thumbnails/81532686/edit.png .

  7. Choose “Enabled” from the Access Status pop-up menu to unlock the account.

  8. Click Save images/download/thumbnails/81531754/floppy-disk.png .

The Jamf Pro user account is unlocked immediately.

Related Information

For related information, see the following section in the Jamf Pro Administrator’s Guide:

Sites
Learn about sites and how to add them to Jamf Pro.

Copyright     Privacy Policy     Terms of Use     Security
© copyright 2002-2021 Jamf. All rights reserved.