
I’m working on a solution to onboard a local user account created during the Jamf provisioning of Mac assets to Password Safe Cloud. I have EPM-M installed on the endpoints and they are connected to Password Safe. When I run discovery scans on the endpoints, the local accounts are not discovered. I have looked over the KBs related, and nothing seems to explicitly say “Here is what you need to do” when it comes to local account management. 

To test, I added a test functional account to the local admin group on a test Mac. This is an Active Directory service account, and it fails to log in. As far as I can tell, the account needs to actually log into the Mac in order to be locally cached and thus log in as a functional account. But having to locally log into each asset is not scalable. Has anyone had success with an AD group being used for your functional account? What am I missing to complete this setup?

Did you check this KB https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0021143? It has all the steps required to set up the Endpoint Privilege Management for Mac (EPM-M) as the password rotation agent instead of having to create a functional account for each of the macOS machines.


Thanks, Howard. I have looked at this before and just completed the onboarding. Is there any way to do this that doesn’t require a manual step to onboard the account? Can a smart rule be created to create the account? We create a local account on all of our Macs that has a standard name.

Thanks!


Hey @mike.wheeler, yes, there is actually a Managed System smart rule action to ‘Create Managed Account on each system’ for exactly this use-case.

The Password Safe component on the endpoint will then act as the ‘change agent’ on behalf of Password Safe and rotate the credential using the specified schedule.
