Manage administrator accounts

Administrator account management in Primo allows for the creation of default administrator accounts across devices, enabling global or specific configurations while maintaining existing user rights, with additional features for managing user privileges coming soon.


Introduction

Administrator account management in Primo allows you to create default administrator accounts (sessions) on your fleet's devices.

Once activated, this feature enables you to create administrator accounts globally or granularly across your entire fleet, based on your teams and your profiles.

In practical terms:

➡️ An administrator session is created on the computer with the chosen name

➡️ The password is stored in the panel of the affected devices

➡️ Existing users' rights are not modified

Coming soon: the ability to reduce user privileges and facilitate privilege escalation (granting temporary administrator access).

Feature Details

Initial setup:

Policy implementation:

  1. Activate this feature
  2. Define the username (session name) for the account to be created
  3. Set the account password
    1. use a random password *(1)
    2. use a fixed password *(2)

*(1) Random password: passwords are stored in each device's panel (Equipment > Devices > Panel of each device).

*(2) Fixed password: the password is stored in the setting modal (Profiles > Relevant profile > Administrator account management).

Policy modification:

Once activated on a Profile, the policy can no longer be modified. To modify it, you must deactivate it and then reactivate it.

Deactivating the policy stops enforcing the functionality on the affected machines, but does not remove it. The Primo admin account and its password remain stored in Primo.

Special Cases

Removing administrator access on a device with an active SecureToken

SecureToken is a macOS-specific feature that acts as an access key. It allows a user account to activate and manage critical security functions, such as FileVault encryption. Currently, it is not possible to remove administrator rights from an account if it is the only one with a SecureToken on the device. We are working to improve this management to allow the transfer of the SecureToken to another account, particularly the one administered via Primo.
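A local pre-check for the constraint above, as an added example that is not Primo's own code: it reports whether an account is the only SecureToken holder on a Mac. The account names, the sample status lines and the UID threshold of 501 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Primo code): check whether an account is the only
# SecureToken holder before trying to remove its administrator rights.

# Constructed sample of `sysadminctl -secureTokenStatus` output lines;
# "alice" and "primo-admin" are hypothetical account names.
SAMPLE='2025-01-01 10:00:00.000 sysadminctl[411:2201] Secure token is ENABLED for user alice
2025-01-01 10:00:00.100 sysadminctl[412:2207] Secure token is DISABLED for user primo-admin'

# stdin: status lines. stdout: one account name per ENABLED line.
token_holders() {
  sed -n 's/.*Secure token is ENABLED for user \(.*\)$/\1/p'
}

# stdin: status lines. Succeeds only if $1 is the single token holder,
# i.e. the case where its admin rights cannot be removed.
is_sole_holder() {
  holders=$(token_holders)
  [ "$holders" = "$1" ]
}

# macOS only: print a status line for every local account with UID >= 501
# (assumed threshold for regular user accounts).
collect_status() {
  dscl . -list /Users UniqueID | awk '$2 >= 501 { print $1 }' |
    while read -r user; do
      sysadminctl -secureTokenStatus "$user" 2>&1   # status goes to stderr
    done
}

# Usage on a Mac: sh securetoken_check.sh <account>
if command -v sysadminctl >/dev/null 2>&1 && [ -n "$1" ]; then
  if collect_status | is_sole_holder "$1"; then
    echo "$1 is the only SecureToken holder: keep its admin rights for now"
  else
    echo "$1 is not the sole SecureToken holder"
  fi
fi
```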

Cases of devices targeted by multiple administrator account management policies

Policy duplication may occur if you activate the policy on both a global profile and a "specific" profile. In this case, Primo does not manage the conflict: the MDM attempts to create the requested user, checking only that the account name is not identical.
