Educause Security Discussion mailing list archives
Re: [BULK] Re: [SECURITY] Need to restrict admin rights in macOS?
From: Curt Kappenman <ckappenman () ANDERSONUNIVERSITY EDU>
Date: Thu, 26 Mar 2020 14:17:54 +0000
Ric, Have the look into MakeMeAnAdmin. (https://github.com/jamf/MakeMeAnAdmin). This is a script made by a JAMF admin. You can change the time given for a user to be an admin. It will also copy the logs to a separate location ion the users machine for the time period assigned so that you can go back and review what took place while the user had admin privilege. I have create a script for 30 minutes and 60 minutes. I assign them based upon need and who the user is. Curt From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "King, Ronald A." <raking () NSU EDU> Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> Date: Thursday, March 26, 2020 at 8:32 AM To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU> Subject: [BULK] Re: [SECURITY] Need to restrict admin rights in macOS? Thanks, Ric. Ronald King Director of Technical Services and OIT Security Office of Information Technology (757) 823-2916 (Office) raking () nsu edu<mailto:raking () nsu edu> www.nsu.edu<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.nsu.edu%2f&c=E,1,NehJKgIHw5m1JJMlo49SMedyMlhRKn4wAYgBmE6Ngc0iOEGjsHNM4puqBFfCjm_49k9IKYaEebgaZ_RVZir8e6N44sXY7u4La1O8OFmoMSJmXjBzNnOt&typo=1> @NSUCISO (Twitter) [NSU_logo_horiz_tag_4c - Smaller] From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Ric Getter Sent: Wednesday, March 25, 2020 8:50 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Need to restrict admin rights in macOS? CAUTION: This email originated from OUTSIDE of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe! Thanks! We're also using Jamf and the group was having some problems elevating users for one-shot software installs. It seems like they may have figured it out. Curt, I'm guessing what you're saying is very true. We deal with the same kind of audits. Ronald, I think you'll like Jamf. They have a long history with the Mac in enterprise and their architecture has proven to be manageable for sys admins who do not. We're using NoMAD (now part of Jamf) for our AD integration and that has been working well. Translating Windows group policies into Mac profiles is always a challenge because there aren't that many 1:1 relationships. We have some people who are getting really good at it. Ric Ric Getter PCC Media Production/PCC-TV Portland Community College - Sylvania 971-722-8036 On Wed, Mar 25, 2020 at 9:40 AM Ric Getter <ric.getter () pcc edu<mailto:ric.getter () pcc edu>> wrote: Group, I'd like to get some opinions on the need to restrict Mac users on the college staff (instructors, admin assistants, etc.) from having Admin rights, considerign all the current built-in protections in the macOS (System Integrity Protection, Gatekeeper, etc.). Disclaimer:, I am not a security pro, though I have had a fair amount of coursework in the field. My primary unofficial role here is as the resident, elder Mac guru (a gray-hair who has been using them since '84). I'm still involved with the group here responsible for district Mac management who no longer have hands-on access to endpoint systems. I am usually just a lurker here who likes to keep in touch with what's going on in the higher-ed InfoSec world. Thanks, Ric Ric Getter PCC Media Production/PCC-TV Portland Community College - Sylvania 971-722-8036 ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fwww.educause.edu%2fcommunity&c=E,1,8HqhCccdPnNX3TjukI5Ko1EzaQBW-Ik-gts4COyx4L6bIj8Wplo1TyM03TgyDiu3PR34-woJpF60hZon_cfn9MkVV1hXDJY5VSIuUv6P&typo=1> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fwww.educause.edu%2fcommunity&c=E,1,erukRfrBBF0I7VKDyCzvhhZ93IuOpQgxQms6IlniF72IhoDRC1DFElHuWlyJ6EjzaUBhaXI-0GB_s2QUPIIkBFd3Bp5Z_QQbwLWesf7kn4mtt88m7jPcqDYkxA,,&typo=1> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- Re: [BULK] Re: [SECURITY] Need to restrict admin rights in macOS? Curt Kappenman (Mar 26)