Managing administrator accounts

Managing administrator accounts in Primo lets you create and manage administrator accounts on your devices and set their usernames and passwords. Once enabled on a profile, the policy can be disabled but no longer edited.


Introduction

Managing administrator accounts in Primo allows you to create default administrator accounts (sessions) on the devices in your fleet.

Once enabled, this feature allows you to create administrator accounts globally or granularly across your entire fleet, depending on your teams and your profiles.

Concretely:

➡️ An administrator session is created on the computer with the chosen name

➡️ The password is stored in the panel of the devices concerned

➡️ Existing user rights are not changed

👉 Coming soon: the ability to reduce user privileges and facilitate privilege escalation (giving temporary administrator access).

Feature Detail

Initial scenario:

Implementation of the policy:

  1. Enable this feature
  1. Set the username (session name) for the account to be created
  1. Set the account password
    1. use a random password* (1)
    1. use a fixed password* (2)

*(1) Random password: Passwords are stored in the panel of each device (Equipment > Devices > Panel of each device).

*(2) Fixed password: The password is stored in the settings modal (Profiles > Relevant profile > Administrator account management).

Policy Change:

⚠️ Once enabled on a Profile, the policy is no longer editable. To change it, you must deactivate it and then reactivate it.

Disabling the policy stops Primo from enforcing it on the affected machines, but does not delete it. The Primo admin account and its password remain stored in Primo.

Special cases

Remove administrator access on a device with the secure token active

SecureToken is a macOS feature that acts like an access key. It allows a user account to enable and manage critical security features, such as FileVault encryption. Currently, it is not possible to remove administrator rights from an account if that account is the only one with a SecureToken on the device. We are working to improve this management to allow the SecureToken to be transferred to another account, including one administered via Primo.
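As an added example (not Primo's own tooling), the script below checks on the Mac itself whether an account is the only SecureToken holder before you try to remove its administrator rights. It relies on the macOS `sysadminctl` and `dscl` commands; the sample output and the account names in it are constructed.

```shell
#!/bin/sh
# Added example: is an account the only SecureToken holder on this Mac?

# Constructed sample of `sysadminctl -secureTokenStatus <user>` output for
# three accounts; the account names are made up for illustration.
SAMPLE_STATUS='2024-05-02 10:15:01.123 sysadminctl[811:9001] Secure token is ENABLED for user alice
2024-05-02 10:15:01.456 sysadminctl[812:9002] Secure token is DISABLED for user primo-admin
2024-05-02 10:15:01.789 sysadminctl[813:9003] Secure token is DISABLED for user bob'

# Print one account name per line for every status line marked ENABLED.
token_holders() {
    printf '%s\n' "$1" |
        sed -n 's/.*Secure token is ENABLED for user \([^ ]*\) *$/\1/p'
}

# Succeed only when account $2 is the single token holder in status text $1.
is_sole_token_holder() {
    [ -n "$2" ] || return 1
    holders=$(token_holders "$1")
    [ "$holders" = "$2" ]
}

# macOS only: query every local account with UID >= 501 (regular users).
# sysadminctl writes its status to stderr, hence the redirect.
collect_status() {
    for u in $(dscl . -list /Users UniqueID | awk '$2 >= 501 { print $1 }'); do
        sysadminctl -secureTokenStatus "$u" 2>&1
    done
}

# With an account name as argument, check the live machine; without one,
# run against the constructed sample.
if [ -n "${1:-}" ]; then
    target=$1
    status=$(collect_status)
else
    target=alice
    status=$SAMPLE_STATUS
fi

if is_sole_token_holder "$status" "$target"; then
    echo "$target is the only SecureToken holder: its admin rights cannot be removed yet"
else
    echo "$target is not the sole SecureToken holder"
fi
```

Run it on the device with the account's short name as the only argument to check the live machine instead of the sample.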

Cases of devices targeted by multiple administrator account management policies

Duplicate policies can occur if you enable the policy on a global profile and a "specific" profile. In this case, Primo does not handle the conflict: the MDM attempts to create the requested user by checking only that the account name is not identical.
