Posted on 05-19-2025 08:40 AM
We're testing Platform SSO with Entra, we can get the Intune machine to login & create new accounts, but it seems to be removing admin rights on the accounts if they were previously enabled (like our local admin account). I recall jamf mentioned something about this being a potential issue - but I haven't found much on how to change the behavior. Does anybody have any recommendations?
Posted on 05-22-2025 08:04 AM
The group is an AD group, not a user group on the machine. The com.jamf.connect.login domain has a key entitled OIDCAdmin, and that key contains the AD group which contains all the AD accounts which should be promoted to admin on login or creation. If the account isn't in that group, it is always demoted; this gives you a certain place to manage things, which is an advantage.
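As an added illustration (not a payload from the thread or from Jamf), this is what that key looks like in a managed preferences payload for the com.jamf.connect.login domain. The group name Mac-Admins is a placeholder, and the value type (a single string here) is an assumption that should be checked against the Jamf Connect version in use.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Preference domain: com.jamf.connect.login
         Deploy as a managed preference (configuration profile) payload. -->

    <!-- Identity-provider group whose members are promoted to local admin
         when Jamf Connect creates or logs in the account.
         "Mac-Admins" is a placeholder group name, not one from the thread. -->
    <key>OIDCAdmin</key>
    <string>Mac-Admins</string>
</dict>
</plist>
```

Because every account outside the named group is demoted at each login, a separately managed break-glass local admin needs its own plan before this is rolled out; auditing the local admin group after a test login (for example with dscl on the Mac) confirms the demotion is doing what you expect and nothing more.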
Posted on 05-19-2025 09:33 AM
My current employer is using Jamf Connect for SSO. Looking briefly at its config, we were able to set a group that it would pull from Entra, and if the account was in that group it would be admin; if it was not, the account is demoted to standard user, even if it was admin prior. Unsure if PSSO has a similar feature, but hopefully it would. I'll be watching this thread closely; I've always been curious about PSSO.
Posted on 05-22-2025 07:28 AM
Is the group an AD group or a group on the machine? Like, do I need to create a group on Entra for Mac admins? Thus far, we've been handling admin access via a script on the machine that elevates to admin for an hour and then removes itself from admin. Probably similar to the Privileges.app mentioned below, but using a couple of Python scripts.
Posted on 05-29-2025 07:00 AM
Thank you for the info. Follow-up: what about local admin accounts? Do we just do away with them, since they will be reverted to standard accounts?
Posted on 05-20-2025 01:00 PM
I believe this is expected behavior when using Entra.
Note: The Groups option is not supported by Microsoft Entra ID at this time.
If you haven't, I would strongly recommend testing out the macOS Privileges application.