Educause Security Discussion mailing list archives

Re: Need to restrict admin rights in macOS?


From: Phill Moran <phill () ASTRUMU COM>
Date: Wed, 25 Mar 2020 17:58:53 -0700

If you don't have the underlying AD infrastructure, or are looking for a
different path, take a look at Kandji (https://kandji.io).
We provide services into HE integrations with OKTA, Auth0 (for
CAS/SAML/Shibboleth and ADFS) but for our own (100% Mac) policy management
we use Kandji... CIS Level 1 and 2 preconfigs are available and
customization is a breeze... Self enrollment also. Low cost SaaS model.
Happy to make an intro if interested.

Cheers,

Phill Moran
CISO, AstrumU Inc.
(206)383-0947
https://astrumu.com

On Wed, Mar 25, 2020, 5:50 PM Ric Getter <ric.getter () pcc edu> wrote:

Thanks!
We're also using Jamf and the group was having some problems elevating
users for one-shot software installs. It seems like they may have figured
it out. Curt, I'm guessing what you're saying is very true. We deal with
the same kind of audits.

Ronald, I think you'll like Jamf. They have a long history with the Mac in
enterprise and their architecture has proven to be manageable for sys
admins who do not. We're using NoMAD (now part of Jamf) for our AD
integration and that has been working well. Translating Windows group
policies into Mac profiles is always a challenge because there aren't that
many 1:1 relationships. We have some people who are getting really good at
it.

Ric

Ric Getter
PCC Media Production/PCC-TV
Portland Community College - Sylvania
971-722-8036


On Wed, Mar 25, 2020 at 9:40 AM Ric Getter <ric.getter () pcc edu> wrote:

Group,
I'd like to get some opinions on the need to restrict Mac users on the
college staff (instructors, admin assistants, etc.) from having Admin
rights, considering all the current built-in protections in the macOS
(System Integrity Protection, Gatekeeper, etc.).

Disclaimer: I am not a security pro, though I have had a fair amount of
coursework in the field. My primary unofficial role here is as the
resident, elder Mac guru (a gray-hair who has been using them since '84).
I'm still involved with the group here responsible for district Mac
management who no longer have hands-on access to endpoint systems. I am
usually just a lurker here who likes to keep in touch with what's going on
in the higher-ed InfoSec world.

Thanks,
Ric

Ric Getter
PCC Media Production/PCC-TV
Portland Community College - Sylvania
971-722-8036

**********
Replies to EDUCAUSE Community Group emails are sent to the entire
community list. If you want to reply only to the person who sent the
message, copy and paste their email address and forward the email reply.
Additional participation and subscription information can be found at
https://www.educause.edu/community

