Managed Mac Computers: Local IT Admin Accounts, Yes or No?
For IT teams deploying Mac computers, the question is: To create local IT admin accounts on those computers or not?
To be clear on what we’re talking about: A local IT admin account is a user account with admin privileges created on a Mac in addition to the primary user account.
There are several reasons IT teams might want to distribute such accounts—but there are also good reasons why they might not. There are also several ways to do so, as well as a couple of alternatives that could obviate the need to deploy such accounts altogether. Let’s walk through each of those decisions.
Pros and Cons of Local Admin Accounts
If you’ve ever spent time in online discussion forums where Apple admins gather, you might know that the question of creating additional local IT admin accounts on macOS computers can generate some surprisingly heated debate. That’s because it’s a really good question without a cut-and-dried answer. Or, rather, the answer is: It depends.
Such admin accounts have traditionally been used by the IT staff to help troubleshoot issues on users' Mac computers. They’re most useful when the IT person and the user are in close physical proximity, so that the admin can get their hands on the user’s computer. The admin can log into such an account to do things like installing software, connecting a printer, and other troubleshooting that requires elevated permissions.
Two other reasons for why you might need an IT admin account on a Mac:
- Some organizations have policies that require an additional local admin account.
- In other orgs, end-user accounts on managed Mac computers may be required to have standard (non-admin) permissions. When such a Mac is set up through Automated Device Enrollment, Apple requires that the MDM enrollment configuration also create a managed administrator account, so in that case a second local admin account exists by design.
However, in the age of MDM and other modern tools, deploying such local accounts may not be as necessary as it once was.
Some admins see deploying another account as a potential security risk. Or they may not see the need for the additional management overhead that comes with deploying yet another admin account. In other environments, IT would rather trust their users more, giving them more ownership over their devices by enabling them to manage them themselves, while IT leverages MDM to perform tasks as needed.
On managed devices, many of the tasks that once required a local admin account can now be done remotely via MDM: deploying device settings with configuration profiles, distributing apps, running maintenance tasks with scripts, and even letting users perform sanctioned tasks on their own through a self-service app.
You could save yourself some time by simply giving users admin permissions and then allowing them to perform tasks on their own that might require those privileges. But then you have to decide whether or not you really want to give your users that much control over their devices at all times.
How to Deploy a Local Admin Account
If you do decide that you need local admin accounts on end-user Mac computers, there is more than one way to set them up.
In a pinch, a local admin account can be set up manually by navigating to System Preferences > Users & Groups (System Settings > Users & Groups on macOS Ventura and later), unlocking the pane, and adding an additional user with the Administrator account type. But while this is an option, it's definitely not an ideal one, especially in environments of more than, say, ten devices. Creating such an account manually isn't hard. But maintaining those accounts across a fleet, and keeping their passwords rotated rather than static and shared across every Mac they were typed into, compounds very quickly.
The next option is to use a scripted or packaged solution, such as pycreateuserpkg or macOSLAPS, to create the local admin account and manage its password. pycreateuserpkg is an open-source tool that builds an installer package which creates a local admin account on macOS; it can also update the password of an existing account, as long as the username and group ID for the account match what is being sent in the package. macOSLAPS periodically rotates the password of a local admin account and lets the IT team define a number of options, including the account name and where the rotated passwords are stored. Several other tools do much the same thing.
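As an added example (not code from this page, nor from pycreateuserpkg or macOSLAPS), here is a POSIX shell script that does what such a packaged solution does under the hood: it creates a hidden local admin account with Apple's `sysadminctl`, then verifies that the account actually landed in the `admin` group by reading the group with `dscl`. The account short name `itadmin`, the display name, UID 499 and the `ADMIN_PASSWORD` environment variable are assumptions for illustration, and the short-name validation rule is a conservative policy rather than a macOS limit.

```shell
#!/bin/sh
# create_it_admin.sh -- create and verify a hidden local IT admin account on macOS.
# Added example; assumed names and values are marked below. Run as root:
#   sudo ADMIN_PASSWORD='...' ./create_it_admin.sh --apply
# Without --apply nothing is changed, so the helpers can be sourced anywhere.

ADMIN_USER=${ADMIN_USER:-itadmin}            # assumed account short name
ADMIN_FULLNAME=${ADMIN_FULLNAME:-"IT Admin"} # assumed display name
ADMIN_UID=${ADMIN_UID:-499}                  # assumed; UIDs below 500 stay off the login window

# Conservative policy for short names: a lowercase letter first, then lowercase
# letters, digits, '_', '.', '-', at most 31 characters. Stricter than macOS
# itself; kept simple so scripts, dscl and home paths never disagree on the name.
valid_short_name() {
  case "$1" in
    "" | [!a-z]* | *[!a-z0-9_.-]*) return 1 ;;
  esac
  [ ${#1} -le 31 ]
}

# Pure helper: given the line printed by
#   dscl . -read /Groups/admin GroupMembership
# (e.g. "GroupMembership: root itadmin"), succeed if $2 is listed.
is_admin_member() {
  members=${1#GroupMembership:}
  for m in $members; do
    [ "$m" = "$2" ] && return 0
  done
  return 1
}

account_exists() { dscl . -read "/Users/$1" >/dev/null 2>&1; }

# dscl lists "name<TAB>uid" per user; succeed if $1 is already taken.
uid_in_use() {
  dscl . -list /Users UniqueID | awk -v u="$1" '$2 == u { found = 1 } END { exit !found }'
}

create_admin() {
  # -admin puts the account in the admin group; IsHidden keeps it out of
  # Users & Groups and the login window. Home lives outside /Users.
  # Caveat: -password on the command line is briefly visible to `ps`; use
  # `-password -` to be prompted instead, and rotate the password afterwards
  # (that is a LAPS tool's job, not this script's).
  sysadminctl -addUser "$ADMIN_USER" -fullName "$ADMIN_FULLNAME" \
    -UID "$ADMIN_UID" -home "/private/var/$ADMIN_USER" \
    -password "$ADMIN_PASSWORD" -admin
  dscl . -create "/Users/$ADMIN_USER" IsHidden 1
}

verify_admin() {
  line=$(dscl . -read /Groups/admin GroupMembership)
  is_admin_member "$line" "$ADMIN_USER"
}

main() {
  [ "$(uname)" = Darwin ] || { echo "macOS only" >&2; exit 1; }
  [ "$(id -u)" -eq 0 ]   || { echo "run as root" >&2; exit 1; }
  valid_short_name "$ADMIN_USER" || { echo "bad short name: $ADMIN_USER" >&2; exit 1; }
  if account_exists "$ADMIN_USER"; then
    echo "$ADMIN_USER already exists; not recreating"   # idempotent re-runs
  else
    [ -n "${ADMIN_PASSWORD:-}" ] || { echo "ADMIN_PASSWORD not set" >&2; exit 1; }
    uid_in_use "$ADMIN_UID" && { echo "UID $ADMIN_UID already taken" >&2; exit 1; }
    create_admin
  fi
  if verify_admin; then
    echo "$ADMIN_USER is a local administrator"
  else
    echo "$ADMIN_USER is NOT in the admin group" >&2
    exit 1
  fi
}

case "${1:-}" in --apply) main ;; esac
```

The final `dscl . -read /Groups/admin GroupMembership` check is the same one you would run as a fleet audit: on a Mac where only the end user and the IT account should be administrators, any other name in that list is exactly the kind of extra admin account the security-minded admins above worry about.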
Finally, you can leverage an MDM solution to deploy an additional admin account. This is a nice option because it is generally really easy to set up and configure, and the ongoing management of the admin account is centralized.
Alternatives to the Local Admin Account
Some IT teams have decided that they do not really need to access the user device with a separate admin user account. If that's your organization's policy, there are some alternatives that can reach a similar end goal.
One popular option is to use the FileVault Personal Recovery Key (PRK) to access a Mac when necessary. This is a great option because an MDM solution can enable FileVault and escrow the recovery key once it is generated; admins can then retrieve the key from the MDM to unlock the Mac when needed. Two caveats: entering the PRK at the FileVault login window resets the user's account password, so the user will have to set a new one; and a key that has been viewed or typed should be treated as disclosed and rotated afterward, which MDM can also do.
Another interesting option is a solution like Kandji Passport. Passport is designed to allow the user to log in to their Mac using their identity provider (IdP) credentials. Passport can create the user’s local account as needed and keep their local Mac password in sync with the IdP. But Passport could also be used by IT admins to log in to a user's Mac with their own IdP credentials, without needing to deploy an account beforehand.
This method offers a few benefits. For one thing, access can be limited to a specific IdP group. For another, the IT admin's local account is created just in time rather than sitting on every Mac in advance. Third, you can know which admins have logged into which Mac, because their usernames are unique rather than a shared generic account.
If the decision comes down to whether you want to grant users admin rights at all, and whether they need those rights all the time, there are tools like SAP Privileges (an open-source app from SAP) that can be deployed to Mac computers.
Once deployed to a Mac, the Privileges app allows the end user to promote themselves to administrators when they need to perform a task that requires admin access. Once the user has completed such a task, they can demote themselves back to a standard account the rest of the time.
(Note that Kandji has extended what Privileges can do, by enabling admins to automatically demote end users after a specific amount of time. This gives the end users the flexibility they need to get their job done while allowing the IT admin to manage how long those admin privileges can be used.)
As we said up top, there's no clear, one-solution-fits-all answer to the question of whether or not you should create local IT admin accounts on end-user computers. But you can figure out the right answer for your particular situation based on how you plan to manage those computers and the use cases you plan to support. Those two factors will dictate whether you need to deploy an additional IT admin account at all.
About Kandji
Kandji can help you create local admin accounts—and it can also help you implement the alternatives to them. With powerful and time-saving features such as zero-touch deployment, one-click compliance templates, and plenty more, Kandji has everything you need to bring your Apple fleet into the modern workplace.
See Kandji in Action
Experience Apple device management and security that actually gives you back your time.