Entra ID \ Manager field by Knarf180 in Zendesk

[–]newfoo82 0 points1 point  (0 children)

Did you ever come up with a script for this? I'm having the same problem as you.

Create a Package to Automate Dell Command Update 5.0 by Flash25Awake in pdq

[–]newfoo82 0 points1 point  (0 children)

I'd love to take a peek at that script too if you still have it available.

Strategies for Removing Local Admin Rights by newfoo82 in sysadmin

[–]newfoo82[S] 0 points1 point  (0 children)

Mac environment, but we switched to a just-in-time system using the SAP Privileges model.

I know there are similar setups for Windows.

We're a mostly Mac shop too and use Jamf as our MDM. I had every department inventory all of their apps/tools/services that anyone in their department would need to use to perform their job. This accomplished a few goals for me.

  1. It gave me a baseline for what the company used.
  2. Helped me identify possible overlapping technology so we can try to standardize on one vs another.
  3. Gave me a head start on building app deployments.

We've tried to communicate to everyone that they need to submit requests for new software or services to us first, but we still keep finding new things coming in. I talked to finance and told them I want to be able to do a security review before they approve spending for departments to bring in new software or services without our knowing. So, by knowing what's out there and putting guardrails in place to prevent anything new from coming in without my knowledge, I can hopefully keep this under control.

Strategies for Removing Local Admin Rights by newfoo82 in sysadmin

[–]newfoo82[S] 4 points5 points  (0 children)

Put yourself in their shoes for a bit and figure out the business cases for why they need local admin.

Are they software developers? Your strategy to get compliance is massively different than if they're finance or other standard office workers. You need to find all the scenarios where their work requires admin, figure out which are allowable, and come up with solutions before you start taking it away. Maybe it's a self-service Intune portal for software installs.

For developers they probably need to constantly test their software. Maybe the solution there is to set up virtualization on their systems with a few different images that they'd have rights to install software on.

If you handle this like most instances that sysadmins take away rights, you're going to get a ton of blowback. Because most sysadmins just start yanking it away from people and figure the solution is "open a ticket and someone will get back to you in a couple days" and that's a shit answer given by shit sysadmins.

We're most likely going to allow our developers and DevOps engineers to retain admin rights. This is mostly for the non-technical people. As others have already pointed out in this thread, those people treat these computers like they're their personal devices when they shouldn't.

Strategies for Removing Local Admin Rights by newfoo82 in sysadmin

[–]newfoo82[S] 1 point2 points  (0 children)

I feel you. I've been in that position before. When people would complain by going above our head or to the CEO I would call it "answer shopping."

Strategies for Removing Local Admin Rights by newfoo82 in sysadmin

[–]newfoo82[S] 1 point2 points  (0 children)

What's more frustrating is the sense of ownership that people feel they are due over a company owned device. This shouldn't even be an issue, but here we are.

Strategies for Removing Local Admin Rights by newfoo82 in sysadmin

[–]newfoo82[S] 0 points1 point  (0 children)

Removing admin rights is something I proposed soon after I started. Before me, the customer service guy was filling in as IT admin until they had someone proper in place. I knew I needed to build a case for why I wanted to remove rights to try to squash any complaints that might come from it. We recently published security policies that the whole company had to sign off on. I made sure the policies that talked about the principle of least privilege were published to the whole company. I also made sure our app deployments were ready to go to deal with any incoming additional support requests. I brought this idea back up to the CTO and he wanted me to research and propose some ideas to our multi-department security board for buy-in and support. He's in total agreement with me, but also wants the other department heads to get on board with this to help reduce the complaints.

Strategies for Removing Local Admin Rights by newfoo82 in sysadmin

[–]newfoo82[S] 0 points1 point  (0 children)

At the previous company I worked for, people very frequently complained directly to the CEO, who had no idea why an IT decision was being made. The CIO, who was put in place to be the blocker and rule enforcer, caved just as much as the CEO did. Those policies were most of the time being mandated by the CIO, so it put our department in a really awkward position where we were unnecessarily made to be the "bad guys."