- Hello All,
I am curious to know how other users are going about rolling out EPM to Mac OS users who are currently admins. As an example, lets say we roll it out to 100 users with Quick start policy. Suddenly 10+ users want to install HomeBrew . I can tell them just input your password “n” number of times for now , while I work with Mac Sysadmin team to distribute the script via JAMF (not sure if they would want to have QA team test it which will add another couple weeks to it). How other EPM admins are managing it ? What if it happens with multiple new applications around same time - 5 different apps and 50+ users want it installed, like right now.
Couple of things I am doing:
- Get inventory of all apps across the devices that will get EPM and make sure these apps will work smoothly
- Looks for KBs to tweak the policy
- Thinking of starting with discovery mode/monitoring - this will cover existing apps/settings etc that need elevated rights - thinking of 30-60 days - and then move to enforcing mode.
EPM - Mac : Rollout : How do you handle new apps e.g. Homebrew that require Policy Changes
There is a KB for Homebrew that can help you with this. Then also note that your Dev user on Mac will have to be a member of the _developers Groups the local hidden group on Mac.
Hi
I am trying to gather inputs from other users on how they handle similar issues/requests as it can be overwhelming if multiple apps & users are affected at once
The steps that you mention are correct and the right way to accomplish this. You will find on the Mac side that a bit of End-user education is needed as the normal behavior has changed a bit.
Typically I would run a Pilot phase to ensure that we capture all these uses cases and softwares that we could run into issues with, before a mass deployment.
Then you will find a need for more Profiles for Meeting apps, Helpdesk tools etc. as a user under policy should not have access to change those System settings → Privacy & Security as they can remove access for other apps including security apps and change file and disk access. Typically you can find a mdm profiles from the vendors or having to create custom in JAMF and have them preloaded to the client.
Just in time Admin will work for Mac according to PM Cloud 24.7 Release Notes
a pretty sweet new feature coming.
This type of policy can be handy in case of troubleshooting as well . Give them temp admin rights and just capture the logs. I see there is log capture tool as well as JIT admin rights but it involves more efforts & time . It can be long term fix but looking for immediate workaround
The High Flexibility workstyles for both Mac and Windows are designed to give an almost 1:1 Admin experience on Windows and Mac, though a with a few changes on Windows, and for Mac policy are needed. Note: developers on Mac will have a need to be a member of the _developers Groups or they can’t do debugging, Group membership can be done with JAMF or other MDM tool else it is manual.
Windows Discovery is a legacy template that was used for discovering what administrators did on Windows, it has not really been managed for the last few years, Discovery does not exist for Mac.
So High Flexibility your new discovery, ifwill show you what they use Admin rights for, and you will have accomplished the main goal of also removing admin rights.
Developers will always be the most complicated staff to get on-boarded, work with a good willing person from the Dev team to align expectation and requirements, and see if you can get them even lower than High Flex. likely my best advice.
Then PM Cloud 24.7 Release notes does state they will provide a JIT for Admin rights. Granting users temp Admin rights on the computers for both Windows and Mac for X amount of time, while still auditing what is done with this temp access.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.