Jamf Pro User Accounts and Groups

Jamf Pro is a multi-user application. Jamf Pro user accounts and groups allow you to grant different privileges and levels of access to each user.

When configuring a Jamf Pro user account or group, you can grant access to all of Jamf Pro or to a specific site. You can grant privileges by choosing one of the following privilege sets:

  • Administrator

    Grants all privileges.

  • Auditor

    Grants all read privileges.

  • Enrollment Only

    Grants all privileges required to enroll computers and mobile devices.

    Note:

    This includes privileges to do the following:

    • Log in to the Jamf Pro interface

    • Read, create, and delete enrollment invitations

    • Read and delete computer and mobile device records via the Jamf Pro API

  • Custom

    Requires you to grant privileges manually. For a Custom user account or group to have access to a particular function, privileges may need to be granted for multiple objects. For example, to create a mobile device configuration profile, the user needs privileges for both “Mobile Devices” and “Mobile Device Configuration Profiles”.

If there are multiple users that should have the same access level and privileges, you can create a group with the desired access level and privileges and add accounts to it. Members of a group inherit the access level and privileges from the group. Adding an account to multiple groups allows you to grant a user access to multiple sites.

There are two ways to create Jamf Pro user accounts and groups: you can create standard accounts or groups, or you can add them from an LDAP directory service.

Important:

Jamf recommends that you have at least one account that is not from an LDAP directory service in case the connection between the Jamf Pro server and the LDAP server is interrupted.

The Jamf Pro User Accounts and Groups settings also allow you to do the following:

  • Configure account preferences for each Jamf Pro user account.

  • Configure the password settings in the Password Policy for all standard Jamf Pro user accounts.

  • Unlock a Jamf Pro user account that is locked.

Important:

Jamf recommends that you create multiple accounts with administrator privileges. This is because each Jamf Pro instance has its own authentication authority, and multiple administrator accounts will allow an administrator to easily log back into an account should the password for one account be lost.
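The following added example (not Jamf code) checks an account list against the two recommendations above and resolves the access that group members inherit. The record layout, the sample data, and the choice to count only Full Access accounts with the Administrator privilege set as administrators are assumptions of this example, not a Jamf Pro export format or API schema.

```python
# Added example. Constructed record layout, not a Jamf Pro schema.
GROUPS = {  # constructed sample groups
    "Admins":        {"scope": "Full Access", "privilege_set": "Administrator"},
    "HelpDesk-East": {"scope": "Site: East",  "privilege_set": "Auditor"},
    "HelpDesk-West": {"scope": "Site: West",  "privilege_set": "Auditor"},
}
ACCOUNTS = [  # constructed sample accounts; "ldap" marks accounts added from LDAP
    {"name": "alice", "ldap": True, "scope": "Full Access",
     "privilege_set": "Administrator", "groups": []},
    {"name": "bob", "ldap": True, "scope": None, "privilege_set": None,
     "groups": ["HelpDesk-East", "HelpDesk-West"]},
    {"name": "carol", "ldap": True, "scope": None, "privilege_set": None,
     "groups": ["Admins"]},
    {"name": "enroll", "ldap": True, "scope": "Site: East",
     "privilege_set": "Enrollment Only", "groups": []},
]


def effective_access(account, groups):
    """Return the sorted (scope, privilege_set) pairs an account holds.

    An account with Group Access has no privilege set of its own; it inherits
    the access level and privileges of every group it belongs to, which is
    how one account ends up with access to several sites.
    """
    if account["groups"]:
        return sorted((groups[g]["scope"], groups[g]["privilege_set"])
                      for g in account["groups"])
    return [(account["scope"], account["privilege_set"])]


def is_full_admin(account, groups):
    # Assumption: "administrator" means Full Access + Administrator,
    # whether granted directly or inherited from a group.
    return ("Full Access", "Administrator") in effective_access(account, groups)


def audit(accounts, groups):
    """Check the two recommendations on this page; return a list of findings."""
    findings = []
    if all(a["ldap"] for a in accounts):
        findings.append("no account outside the LDAP directory service")
    admins = [a["name"] for a in accounts if is_full_admin(a, groups)]
    if len(admins) < 2:
        findings.append(f"only {len(admins)} administrator account(s): {admins}")
    return findings


if __name__ == "__main__":
    print(audit(ACCOUNTS, GROUPS))
```

In the sample data, carol counts as an administrator only through group inheritance, and every account comes from LDAP, so the audit reports the missing standard account.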

Creating a Jamf Pro User Group

Requirements

To add accounts or groups from an LDAP directory service, you need an LDAP server set up in Jamf Pro.

For more information, see LDAP Directory Service Integration.

  1. In Jamf Pro, click Settings in the top-right corner of the page.
  2. In the System Settings section, click Jamf Pro User Accounts & Groups.
  3. Click New.
  4. Do one of the following:
    • To create a standard Jamf Pro user group, select Create Standard Group and click Next.

    • To add a Jamf Pro user group from an LDAP directory service, select Add LDAP Group and click Next. Then follow the onscreen instructions to search for and add the group.

  5. Use the Group pane to configure basic settings for the group.
  6. If you chose Custom from the Privilege Set pop-up menu, click the Privileges tab and select the checkbox for each privilege that you want to grant the group.
  7. Click Save.

Creating a Jamf Pro User Account

Requirements

To add accounts or groups from an LDAP directory service, you need an LDAP server set up in Jamf Pro.

For more information, see LDAP Directory Service Integration.

  1. In Jamf Pro, click Settings in the top-right corner of the page.
  2. In the System Settings section, click Jamf Pro User Accounts & Groups.
  3. Click New.
  4. Do one of the following:
    • To create a standard Jamf Pro user account, select Create Standard Account and click Next.

    • To add a Jamf Pro user account from an LDAP directory service, select Add LDAP Account and click Next. Then follow the onscreen instructions to search for and add the account.

  5. On the Account pane, enter information about the account as needed.
  6. Choose an access level from the Access Level pop-up menu:
    • To grant full access to Jamf Pro, choose Full Access.

    • To grant access to a site, choose Site Access.

      Note:

      The Site Access option is only displayed if there are sites in Jamf Pro.

    • To add the account to a standard group, choose Group Access.

      Note:

      The Group Access option is only displayed if there are standard groups in Jamf Pro.

  7. Do one of the following:
    • If you granted the account full access or site access, choose a privilege set from the Privilege Set pop-up menu. Then, if you chose Custom, click the Privileges tab and select the checkbox for each privilege that you want to grant the account.

    • If you added the account to a group, click the Group Membership tab and select the group or groups you want to add the account to.

  8. Click Save.

Configuring Account Preferences

You can configure language & region, search, and interface preferences for each Jamf Pro user account. Language & region preferences allow you to configure settings such as date format and time zone. Search preferences allow you to configure settings for computer, mobile device, and user searches. Interface preferences allow you to configure whether or not Jamf Pro alerts you when navigating away from unsaved changes.

  1. Log in to Jamf Pro.
  2. At the top of the page, click the account settings icon and then click Account Preferences.
  3. Click the Language & Region tab and use the pop-up menus to configure language and region preferences.
  4. Click the Search Preferences tab and use the pop-up menus to configure search preferences.
    Note:

    The default search preference is Exact Match. For most items, the option can be changed to either Starts with or Contains.

  5. Click the Interface Preferences tab and use the checkbox to configure the unsaved changes alert preference.
  6. Click Save.

Configuring the Password Policy

The Password Policy in Jamf Pro allows you to configure the password settings. The Password Policy applies to all standard Jamf Pro user accounts.

Note:

All new Jamf Pro instances are configured with a ten-character minimum password policy for the first administrator account. This criterion is displayed on the Create Account page in the Jamf Pro Setup Assistant.

You can configure the following password settings:

  • Number of login attempts allowed before a Jamf Pro user is locked out of the account

  • Password length and age

  • Password reuse limitations

  • Password complexity

  • Settings to allow a user to unlock their own account

Note:

Password Policy applies only to local user accounts created within Jamf Pro User Accounts & Groups. It does not affect accounts authenticated against external directory services connected through single sign-on, LDAP servers, or cloud identity providers.

  1. In Jamf Pro, click Settings in the top-right corner of the page.
  2. In the System Settings section, click Jamf Pro User Accounts & Groups.
  3. Click Password Policy.
  4. Click Edit.
  5. Use the settings on the pane to specify the password settings.
  6. Click Save.
  7. When prompted, choose either to save your changes, or to save them and force a password reset for all user accounts in your instance the next time each user logs in. The second option also forces a password reset for the admin configuring the password policy.

The settings are applied immediately.

Unlocking a Jamf Pro User Account

A Jamf Pro user could be locked out of their account if they exceed the specified number of allowed login attempts. If the Password Policy is configured to allow the user to unlock their account, the user can reset their password to unlock their account. In this case, an email is immediately sent to the email address associated with the account in Jamf Pro allowing the user to unlock their account by resetting their password. In addition, a Jamf Pro user account that is locked can be manually unlocked from Jamf Pro by another Jamf Pro user with the Administrator privilege set.

The access status of the account is displayed as “Disabled” in Jamf Pro until the account is unlocked.

Requirements

For a password reset email to be sent to locked accounts, an SMTP server must be set up in Jamf Pro. For more information, see SMTP Server Integration.

  1. In Jamf Pro, click Settings in the top-right corner of the page.
  2. In the System Settings section, click Jamf Pro User Accounts & Groups.
  3. Click the Jamf Pro user account that has an access status of “Disabled”, which means the account is locked.
  4. Click Edit.
  5. Choose Enabled from the Access Status pop-up menu to unlock the account.
  6. Click Save.

The Jamf Pro user account is unlocked immediately.