different levels of Administrator?

Joined
Sep 25, 2015
Messages
396
Reaction score
10
My wife got a Mac at work, and she was assigned as "Administrator". The Mac was set up with all manner of security stuff, which is useful at the office, but not appropriate when working at home. She says that she can't diddle with that stuff, and it takes a higher level of Administrator to do that. There are different levels of Administrator? That doesn't sound right to me. Can a Mac be set up in ways that a regular Administrator can't touch? Certainly a security app can have a password, but can't an Administrator just turn off that app entirely? Are there MacOS things that a regular Administrator can't do?
 

Cory Cooper

Moderator
Joined
May 19, 2004
Messages
11,102
Reaction score
492
Hi,

There isn't a higher level user account than an admin. Many companies and schools use a Mobile Device Management (MDM) system to install/configure their own set of software and security measures. Since it is a company-owned device, and/or used on a company network, the security polices they put in place can't be paused/disabled by the employee.

Hope that helps!

C
 
Joined
Sep 25, 2015
Messages
396
Reaction score
10
Well, OK. I'd call that a higher level of Administrator even if not a User account. How does one recognize an MDM on a Mac? Is there anything conspicuous? How is the MDM accessed? Is it by launching a regular application?
 
Joined
Sep 25, 2015
Messages
396
Reaction score
10
OK, I think I figured it out. On this computer, in Users & Groups, my wife is listed as "Admin, Managed, Mobile", and the people who run the show are listed just as "Admin". So, yes, we're evidently looking at MDM here. There are two Administrators, but one is "managed". Thank you!
 

Cory Cooper

Moderator
Joined
May 19, 2004
Messages
11,102
Reaction score
492
Hi,

You will see the MDM profiles in System Preferences... > Profiles. These profiles are installed to allow remote software installation, account configuration, remote control, security for the Mac if lost/stolen, protection for network resource access, etc.

An Admin and Admin, Managed, Mobile have the same abilities.

Basically:
Admin: Allows access to change system-wide settings (like those in System Preferences with a lock), install software, and manage other user accounts
Standard: A basic user that can change some preferences that are user-based, cannot install software, and cannot manage other accounts
Managed: A Standard user that can have parental controls applied.
Mobile: An account created on a Mac that is bound to Active Directory or Open Directory on a network. Can be setup to allow use of a network account remotely, and store parts of the user home folder on a server.

The MDM profiles just allow the Mac to be configured and secured remotely by the company.

C
 
Joined
Sep 25, 2015
Messages
396
Reaction score
10
Whoa. So "Admin, Managed, Mobile" doesn't mean MDM? Whew. But thank you for explaining all of those.

And yes, System Preferences-> Profiles only appears if someone HAS installed a profile, and on this machine they did, with Bomgar Security, and a whole bunch of restrictions, including MDM. So the rule is, if you suspect MDM, go look for a Profile. I have to assume that you can't delete this profile except with some special password known only to the people who installed it.
 

Cory Cooper

Moderator
Joined
May 19, 2004
Messages
11,102
Reaction score
492
Admin, Mobile, Managed are just types of user accounts with different abilities/restrictions. Her user account is a "network" mobile account, which are mostly all managed, and has been elevated to an admin account.

MDM is indeed represented by the MDM profiles installed.

Correct - almost always, the MDM profiles are not removable by the end-user. The can only be removed by the IT department that installed them with their MDM system. Even if you erase the Mac, when it goes through setup, it checks with Apple's Device Enrollment Program (DEP) server to see if it is a consumer-owned device, or owned by a business/educational organization. If the Mac's serial number in DEP is registered to a company/educational institution, it is "pointed" to their MDM server, which remotely configures the Mac with their assigned setup configuration, including management admin accounts, profiles, default software, etc. If it is lost/stolen, it can be remotely locked/wiped to protect data. Also, if the user leaves the organization and leaves their Apple ID signed in, or somehow they activated a firmware password, they can be deactivated/removed without needing the user's Apple ID password. MDM is also used to deploy other Apple devices, like iPhones/iPads/etc., and can hide or prevent access to iOS apps, make the device operate in kiosk-mode, in which you cannot get to anything but a single app, etc.

It's a pretty amazing system, and ensures that company-owned devices are of no use to thieves, and they cannot be wiped and resold without the institutional owner removing their MDM profiles and the device's serial number from their DEP account with Apple. Google also has the Google Enterprise Admin system, which has similar control over Google devices such as Chromebooks and Android tablets/phones. You can even limit account logins on Chromebooks to accounts from a single email domain to prevent tampering and theft.

And, I won't even get into CIPA-compliant DNS/Internet filtering, GPS location tracking, user/application and network/Internet activity logging, network VLAN restriction, etc.

These days, it's best to do work stuff on work devices, and personal stuff on personal devices.

Hope I didn't scare you too much!

;)

C
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top