A World without Local Admin Accounts
DPG Media sets a standard in securing Macs
Written by Peter Loobuyck, Apple System Engineer
At Jamf Nation Amsterdam, we hosted an on-stage session about Mac management. Among the topics we discussed, there were a lot of questions about how, and why not, to use local admin accounts on a managed Mac. So here is some background on that topic and on our new approach to managing Macs.
Safe and secure Mac management worldwide
The world has changed during COVID times. Nearly all of us work from remote locations several days a week. Our devices travel with us and pop up at any location anywhere on earth. Because the internet is available almost everywhere, this way of working is now generally accepted.
As Apple admins, we must think about managing Macs and rethink which switches to flip. We have already covered a lot of security policies: our devices are registered in Apple Business Manager, they are managed in a device management server, we implemented security policies based on CIS benchmarks, and we enforce FileVault encryption — just to name a few steps we already have taken to increase the level of management and security. Apple admins need to keep all devices as secure as possible, so next, we decided to rethink those local admin accounts.
No account, no risk
These are accounts on the Macs with a — hopefully — secure password and administrative access on the device. You may already feel where this is going: “Why would we ever need a generic local admin account that is identical across all devices?” The answer to that question is: that is clearly not a good idea.
Some solutions include tools that generate ‘passwords of the day’. We claim that passwords generated by static rules are themselves static: once those rules are known, anyone can regenerate and reuse those passwords. Even the German Enigma machine was cracked. Hackers just love users with a false sense of working securely. Hence the idea of a device without a local administrator. No lock on the door to crack means no access. There isn’t even a door: there is no account available.
Access and support
So how can we provide a setup without a local admin? At DPG Media, we manage our Macs with JAMF Pro, and we use JAMF Connect to enforce password complexity for the user account. The combination of Macs with these tools allows us to manage the devices easily. The real question is how to support users and the service desk.
We have a policy set up in Self Service which grants administrative access to the local user until the next check-in of the device to the JAMF instance. The people from our service desk can therefore grant temporary admin access to those users, which allows the service desk colleagues to help users with tasks that require elevated rights.
Having only one user on the device also solves other issues. The first user to log on to a Mac becomes the MDM-enabled user, which allows an MDM solution like JAMF Pro to manage certain user-specific settings. If that first-created user is the local admin, the admin account is the one that becomes MDM enabled, and the actual user's device cannot be managed as required. Another issue solved is secure token, which would be granted to the local admin account and not to the user (the implementation of encryption keys on a Mac, when they are generated and how they are stored, is all part of the feature known as secure token).
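As an added illustration of the two mechanisms described above (temporary admin access that is revoked again at the next check-in, and checking which account actually ended up in the admin group and holding a secure token), here is a script that is not DPG Media's own Jamf policy. It assumes the target user name arrives as the first custom Jamf script parameter (`$4`) and that a separate check-in policy calls the revoke step; the `dseditgroup`, `dscl` and `sysadminctl` calls only work on macOS as root, while the parsing helpers work on any system and are exercised here against constructed sample output.

```shell
#!/bin/bash
# Added example, not DPG Media's script. Temporary admin grant/revoke plus an
# audit of the local admin group and secure token status. The grant/revoke and
# live-audit wrappers need macOS and root; the parsers are plain text processing.
set -u

# --- temporary elevation (macOS only) ---

# Add a user to the local admin group (the Self Service grant step).
grant_temp_admin() {
  /usr/sbin/dseditgroup -o edit -a "$1" -t user admin
}

# Remove a user from the local admin group (the check-in revoke step).
revoke_temp_admin() {
  /usr/sbin/dseditgroup -o edit -d "$1" -t user admin
}

# --- audit helpers (portable) ---

# Turn the output of `dscl . -read /Groups/admin GroupMembership`
# into one member name per line.
parse_admin_members() {
  printf '%s\n' "$1" | sed -n 's/^GroupMembership: *//p' | tr ' ' '\n' | sed '/^$/d'
}

# Print admin-group members that are not on the space-separated allowlist;
# prints nothing when only expected accounts hold admin rights.
unexpected_admins() {
  local raw="$1" allowed=" $2 " member
  parse_admin_members "$raw" | while IFS= read -r member; do
    case "$allowed" in
      *" $member "*) ;;
      *) printf '%s\n' "$member" ;;
    esac
  done
}

# Reduce `sysadminctl -secureTokenStatus <user>` output to a single word.
secure_token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  printf 'ENABLED\n' ;;
    *"Secure token is DISABLED"*) printf 'DISABLED\n' ;;
    *)                            printf 'UNKNOWN\n' ;;
  esac
}

# Live audit on a Mac: real admin group versus the allowlist.
audit_live() {
  unexpected_admins "$(/usr/bin/dscl . -read /Groups/admin GroupMembership)" "$ALLOWLIST"
}

# --- constructed sample data so the helpers can be tried offline ---
ALLOWLIST='root'
SAMPLE_ADMIN_GROUP='GroupMembership: root alice legacyadmin'
SAMPLE_TOKEN_OUTPUT='2024-01-01 10:00:00.000 sysadminctl[512:9000] Secure token is ENABLED for user alice'

# Demo against the constructed sample (a Jamf policy would pass "$4" to
# grant_temp_admin or revoke_temp_admin instead).
echo "Unexpected admins: $(unexpected_admins "$SAMPLE_ADMIN_GROUP" "$ALLOWLIST" | tr '\n' ' ')"
echo "Secure token for alice: $(secure_token_state "$SAMPLE_TOKEN_OUTPUT")"
```

Running the audit at every check-in, and treating any name returned by `unexpected_admins` as a finding, is what makes the "no account, no risk" stance verifiable rather than assumed: a grant that was never revoked, or a legacy admin left over from an older image, shows up immediately.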
Anyway, without going too far into the technicalities: since 2020, DPG Media has deployed its Macs without any local admin account. All users can travel to any location and work with their Macs as before. Rethinking the way we deploy Macs has changed our policies, and not only because the world has changed. Our goal has always been to manage Macs as securely as possible while still allowing them to be as easy to use as Apple designed them.