Jamf pro force check in
1/7/2023

During JNUC 2022 the GOATs, Mark Buffington and Sean Rabbitt, presented “One Account to P0wn Them All: How to Move Away from a Shared Admin Account”. One of the workflows that they presented was to utilize the local admin account that is created during a PreStage enrollment as a local admin account for times when you need an admin account. You know, times like when you need to install software on a machine, or do some other admin task but don’t have a user account that is admin. There’s a better way to handle this with Jamf Connect and just-in-time provisioning of an admin account, but this workflow is for those that maybe are not using Jamf Connect, yet.

The workflow they outlined is to create the PreStage account and the Management Account that is used for User Initiated Enrollment (UIE) with the same password. Then, using policies in Jamf Pro, after the Bootstrap Token has been escrowed to Jamf Pro, you can randomize this account’s password. By randomizing the password you prevent the same password from being on all of your devices. Then when you need to use that account for admin duties, you can use a Jamf Pro policy to change the password to a known password, do the needful, and then re-randomize the password.

So how do we turn this into a workflow that is real world?

Note: This workflow is for devices that are enrolled via Automated Device Enrollment only. Can this workflow be adapted for UIE enrolled devices? Probably, but it would require the creation of our admin account along with the escrow of the Bootstrap token. If both of those can be accommodated, then it is possible this workflow could be adapted.

We’re going to build out a Self Service method for our field techs and help desk agents to be able to change the password for our hidden management/admin account to a known password (something we perhaps store in a password vault and rotate regularly). We’ll also create a script and LaunchDaemon that will run 30 minutes after the password is changed to reset it back to a randomized one. We will also create a Self Service method for them to reset the password back to a randomized one.

Following along with Mr. Buffington, and using the screenshot from his GitHub for the presentation, the first thing we need to do is create an Extension Attribute that will capture whether the Bootstrap Token has been escrowed to Jamf Pro or not. We need to ensure the token is escrowed before we randomize the password, otherwise we could end up with the first SecureToken user being the admin with a randomized password, and that’s not a good idea. In a normal deployment, the Bootstrap token is created and escrowed when the first user signs into the computer interactively (via the login window or via SSH).

The code for the Extension Attribute is the following:

```sh
#!/bin/sh
# Bootstrap Token Extension Attribute. The awk program did not survive extraction
# of this page; '{print $NF}' (the last field, YES or NO, of the "escrowed to
# server" line left after sed drops line 1) is the assumed reconstruction, and the
# YES -> "Escrowed" mapping matches the Smart Group criterion described next.
TokenStatus=$(profiles status -type bootstraptoken | awk '{print $NF}' | sed 1d)
[ "$TokenStatus" = "YES" ] && Result="Escrowed" || Result="Not Escrowed"
echo "<result>$Result</result>"
```

Now that we have an EA, let’s create a Smart Group to capture the devices that have escrowed their Bootstrap token. It’s pretty simple, we’re just going to look for “Escrowed” as the result of our EA.

Ok, we’re gonna need a couple of policies and a couple of scripts. The first script we are going to create will be utilized by the policy to set the password to a static, known value.
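As an added example (this is not code from the post or from Mr. Buffington’s GitHub), here is one script that covers both halves of the workflow described above: the Self Service policy that sets the hidden account’s password to a known value and arms a LaunchDaemon, and the randomize step that the daemon fires 30 minutes later, gated on the Bootstrap Token being escrowed. The account name `jamfadmin`, the install path, the daemon label, `sysadminctl` as the password-setting mechanism, and the argument layout (Jamf script parameter 4 carries the known password, the last argument carries the mode) are all assumptions of this example. Run with no arguments it does a dry run, so it can be read and exercised on any Unix box; `APPLY=1` turns on the real `sysadminctl` and `launchctl` calls, which only exist on macOS.

```shell
#!/bin/sh
# Added example, not code from the post or from Mr. Buffington's GitHub. Account
# name, install path and daemon label are hypothetical; sysadminctl and the
# argument layout ($4 = known password, last argument = mode) are assumptions.
set -eu

ADMIN_ACCOUNT="${ADMIN_ACCOUNT:-jamfadmin}"          # hypothetical account name
DAEMON_PLIST="/Library/LaunchDaemons/com.example.rerandomize-admin.plist"  # hypothetical
SELF_PATH="/usr/local/bin/rerandomize-admin.sh"       # hypothetical install path
DELAY_SECONDS=1800                                     # 30 minutes, as in the post

# Reduce the output of `profiles status -type bootstraptoken` (on stdin) to the
# two values the post's Smart Group keys on; the "escrowed to server" line of
# that output ends in YES once the token is escrowed to Jamf Pro.
parse_token_status() {
    escrowed=$(awk '/escrowed to server/ {print $NF}')
    if [ "$escrowed" = "YES" ]; then echo "Escrowed"; else echo "Not Escrowed"; fi
}

# Password of $1 characters from a 64-symbol alphabet (no 0/O/1/l/I), one byte
# of /dev/urandom per character; 256 is a multiple of 64, so there is no bias.
generate_password() {
    length="${1:-24}"
    alphabet='ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+=?@'
    password=""
    while [ "${#password}" -lt "$length" ]; do
        byte=$(od -An -N1 -tu1 /dev/urandom | tr -d ' ')
        password="${password}$(printf '%s' "$alphabet" | cut -c "$(( byte % 64 + 1 ))")"
    done
    printf '%s' "$password"
}

# Set the account's password; without APPLY=1 this is a dry run. For an account
# holding a SecureToken, sysadminctl also needs -adminUser/-adminPassword of a
# SecureToken admin, and the new password is briefly visible to `ps` as an argument.
set_password() {
    acct="$1"; newpass="$2"
    if [ "${APPLY:-0}" = "1" ]; then
        /usr/sbin/sysadminctl -resetPasswordFor "$acct" -newPassword "$newpass"
    else
        echo "dry-run: would set a ${#newpass}-character password on account $acct"
    fi
}

# LaunchDaemon that runs this script in randomize mode DELAY_SECONDS after it is
# loaded; the randomize step removes the daemon again, so it fires only once.
render_launchdaemon() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.rerandomize-admin</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>${SELF_PATH}</string>
        <string>randomize</string>
    </array>
    <key>StartInterval</key>
    <integer>${DELAY_SECONDS}</integer>
</dict>
</plist>
EOF
}

# Mode "known": the Self Service policy from the post. Sets the vaulted password
# and arms the daemon so it does not stay known beyond the delay.
set_known_password() {
    [ -n "$1" ] || { echo "no known password supplied" >&2; return 1; }
    set_password "$ADMIN_ACCOUNT" "$1"
    if [ "${APPLY:-0}" = "1" ]; then
        render_launchdaemon > "$DAEMON_PLIST"
        chown root:wheel "$DAEMON_PLIST" && chmod 644 "$DAEMON_PLIST"
        launchctl bootstrap system "$DAEMON_PLIST"
    fi
}

# Mode "randomize": the post's escrow gate, then a fresh random password, then
# the daemon is torn down. Refusing to randomize before escrow is what prevents
# the first SecureToken holder being an admin whose password nobody knows.
rerandomize() {
    if [ "$1" != "Escrowed" ]; then
        echo "Bootstrap Token not escrowed; leaving the password unchanged" >&2
        return 2
    fi
    set_password "$ADMIN_ACCOUNT" "$(generate_password 24)"
    if [ "${APPLY:-0}" = "1" ] && [ -f "$DAEMON_PLIST" ]; then
        launchctl bootout system "$DAEMON_PLIST" || true
        rm -f "$DAEMON_PLIST"
    fi
}

mode=demo; [ $# -gt 0 ] && eval "mode=\${$#}"   # the mode is the last argument, if any
case "$mode" in
    known)     set_known_password "${4:-}" ;;
    randomize) rerandomize "$(profiles status -type bootstraptoken 2>/dev/null | parse_token_status)" ;;
    *)         rerandomize "Escrowed"; render_launchdaemon ;;   # demo: dry run of both steps
esac
```

In a Jamf Pro policy the script would be invoked as `rerandomize-admin.sh <mount> <computer> <user> <known password> known`; the daemon it writes calls the same file with just `randomize`. The escrow check in the randomize path is the same thing the Smart Group does server-side, repeated on the client, so a device that slipped into the policy scope before escrow still does not end up with an unknown random password on its only SecureToken account.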