Jamf Pro User Accounts and Groups
Jamf Pro is a multi-user application. Jamf Pro user accounts and groups allow you to grant different privileges and levels of access to each user.
When configuring a Jamf Pro user account or group, you can grant access to the full Jamf Pro instance or to a specific site. You can grant privileges by choosing one of the following privilege sets:
- Administrator: Grants all privileges.
- Auditor: Grants all read privileges.
- Enrollment Only: Grants all privileges required to enroll computers and mobile devices.
- Custom: Requires you to grant privileges manually. For a Custom user account or group to have access to a particular function, privileges may need to be granted for multiple objects. For example, to create a mobile device configuration profile, the user needs privileges for both “Mobile Devices” and “Mobile Device Configuration Profiles”.
If there are multiple users that should have the same access level and privileges, you can create a group with the desired access level and privileges and add accounts to it. Members of a group inherit the access level and privileges from the group. Adding an account to multiple groups allows you to grant a user access to multiple sites.
There are two ways to create Jamf Pro user accounts and groups: you can create standard accounts or groups, or you can add them from an LDAP directory service.
Jamf recommends that you have at least one account that is not from an LDAP directory service in case the connection between the Jamf Pro server and the LDAP server is interrupted.
The Jamf Pro User Accounts and Groups settings also allow you to do the following:
- Configure account preferences for each Jamf Pro user account.
- Configure the password settings in the Password Policy for all standard Jamf Pro user accounts.
- Unlock a Jamf Pro user account that is locked.
Jamf recommends that you create multiple accounts with administrator privileges. This is because each Jamf Pro instance has its own authentication authority, and multiple administrator accounts will allow an administrator to easily log back into an account should the password for one account be lost.
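The two recommendations above (at least one account that is not from an LDAP directory service, and multiple accounts with administrator privileges) can be checked against an account inventory, counting privileges inherited from groups. The following is an added example, not Jamf code: the inventory is constructed, and the field names (source, privilege_set, groups, status) are hypothetical rather than Jamf Pro's export or API schema.

```python
# Constructed inventory. Field names are hypothetical, not Jamf Pro's API schema.
GROUPS = {
    "Platform": {"privilege_set": "Administrator"},
    "Helpdesk": {"privilege_set": "Auditor"},
}
ACCOUNTS = [
    {"name": "alice", "source": "ldap", "privilege_set": None,
     "groups": ["Platform"], "status": "Enabled"},
    {"name": "bob", "source": "ldap", "privilege_set": None,
     "groups": ["Helpdesk"], "status": "Enabled"},
    {"name": "breakglass", "source": "standard", "privilege_set": "Administrator",
     "groups": [], "status": "Disabled"},
    {"name": "enroll", "source": "standard", "privilege_set": "Enrollment Only",
     "groups": [], "status": "Enabled"},
]


def effective_sets(account, groups):
    """Privilege sets held directly plus those inherited from groups."""
    sets = {account["privilege_set"]} if account["privilege_set"] else set()
    sets.update(groups[g]["privilege_set"] for g in account["groups"])
    return sets


def audit(accounts, groups):
    """Return (code, detail) findings for the two account recommendations."""
    findings = []
    usable = [a for a in accounts if a["status"] == "Enabled"]
    admins = sorted(a["name"] for a in usable
                    if "Administrator" in effective_sets(a, groups))
    if len(admins) < 2:
        findings.append(("FEW_ADMINS", f"usable administrators: {admins}"))
    if not any(a["source"] == "standard" for a in usable):
        findings.append(("NO_STANDARD", "no usable non-LDAP account"))
    # A locked account shows an access status of "Disabled" until unlocked.
    for a in accounts:
        if a["status"] == "Disabled":
            findings.append(("LOCKED", a["name"]))
    return findings


if __name__ == "__main__":
    for code, detail in audit(ACCOUNTS, GROUPS):
        print(code, detail)
```

In the constructed data the only standard administrator account is locked, so it does not count toward either recommendation until it is unlocked.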
Creating a Jamf Pro User Group
To add accounts or groups from an LDAP directory service, you need an LDAP server set up in Jamf Pro.
For more information, see LDAP Directory Service Integration.
Creating a Jamf Pro User Account
To add accounts or groups from an LDAP directory service, you need an LDAP server set up in Jamf Pro.
For more information, see LDAP Directory Service Integration.
Configuring Account Preferences
You can configure language & region, search, and interface preferences for each Jamf Pro user account. Language & region preferences allow you to configure settings such as date format and time zone. Search preferences allow you to configure settings for computer, mobile device, and user searches. Interface preferences allow you to configure whether or not Jamf Pro alerts you when navigating away from unsaved changes.
Configuring the Password Policy
The Password Policy in Jamf Pro allows you to configure the password settings. The Password Policy applies to all standard Jamf Pro user accounts.
All new Jamf Pro instances are configured with a ten-character minimum password policy for the first administrator account. This criterion is displayed on the Create Account page in the Jamf Pro Setup Assistant.
You can configure the following password settings:
- Number of login attempts allowed before a Jamf Pro user is locked out of the account
- Password length and age
- Password reuse limitations
- Password complexity
- Settings to allow a user to unlock their own account
The settings configured in the Password Policy do not apply to Jamf Pro user accounts added from an LDAP directory service.
- In Jamf Pro, click Settings in the top-right corner of the page.
- In the System Settings section, click Jamf Pro User Accounts & Groups.
- Click Password Policy.
- Click Edit.
- Use the settings on the pane to specify the password settings.
- Click Save.
- When prompted, choose to save your changes or save and force a password reset for all user accounts in your instance the next time the user logs in. This will also force a password reset for the admin configuring the password policy.
The settings are applied immediately.
Unlocking a Jamf Pro User Account
A Jamf Pro user could be locked out of their account if they exceed the specified number of allowed login attempts. If the Password Policy is configured to allow the user to unlock their account, the user can reset their password to unlock their account. In this case, an email is immediately sent to the email address associated with the account in Jamf Pro allowing the user to unlock their account by resetting their password. In addition, a Jamf Pro user account that is locked can be manually unlocked from Jamf Pro by another Jamf Pro user with the Administrator privilege set.
The access status of the account is displayed as “Disabled” in Jamf Pro until the account is unlocked.
For a password reset email to be sent to locked accounts, an SMTP server must be set up in Jamf Pro. For more information, see SMTP Server Integration.
- In Jamf Pro, click Settings in the top-right corner of the page.
- In the System Settings section, click Jamf Pro User Accounts & Groups.
- Click the Jamf Pro user account that has an access status of “Disabled”, which means the account is locked.
- Click Edit.
- Use the Access Status pop-up menu to unlock the account.
- Click Save.
The Jamf Pro user account is unlocked immediately.