Local Administrator

We have a new musician on our team who would like complete access to his local machine to be able to install any and all programs that he feels are necessary for the creative process. While we don’t want to hinder his ability to do his job, we are concerned that giving back local Administrator access to the machine will open risks that we are hesitant to take. We manage all of our Macs using JSS - Casper and can easily add and remove programs that are needed, however as he notes, not always at the time that it is needed in the creative process (at home - after hours etc.). I guess my question is, how do you handle local administrator access and do you restrict it? Question 2: How would you suggest that we best serve this musician, and/or how do you handle musicians and users of this type?

I have one department head that demanded Admin access because she is on the road a lot and never wanted to be caught unable to do something important. I lost that fight but not completely.

As a compromise, I created a separate profile with the user ID “DPadmin” where “DP” were her initials. When she needs to install something, the pop-up asks for credentials and she keys User ID and Password for her “admin” alter ego.

That way she does all of her work as her “least user” self and only gets admin access when she deliberately invokes it. I suppose you could also have him log out and sign in with the admin creds but if you do that he will NEVER log in with his “least user” profile.

5 Likes

For me, the most important part of what you’ve said there is “install whatever programs he feels are necessary.” This is no longer a technical discussion but a business discussion. Any program that he installs on a church owned computer must be paid for by the church, or be completely free for commercial use. Your leadership needs to be involved and understand the risks involved if this person installs their personally owned software or utilizes “free” software that isn’t actually free.

1 Like

I’ve begun granting Mac users local admin to install things, but have been clear that Tech Ops (our IT department) needs to purchase and manage the licenses.

I’ve also begun working on managing Restricted Software and Apps so we can at least avoid tools we know we want to avoid.

I’ve found freedom and trust go a long way, but that when things are found that shouldn’t be there, we approach the person and let them know we need to remove that application and then we discuss what their need was and how we can fill that need and what they should do in the future.

There needs to be a balance of trust and consequences, but every time I’ve tried to replace that balance with IT Control it has backfired on me.

My biggest concern here would simply be the “new musician on our team”. New users rarely understand the dynamic of working for a church rather than making music for their own personal use. I also caution against ever believing that the “Creative Process” is an emotional and sporadic process. If you aren’t creative, you may have to wait for a random thought or inspiration or attempt to copy someone else’s creativity, but if you genuinely are called to be creative then you should learn how to be creative. Most successful creatives (i.e. bestselling authors, major musicians, etc) work at their creations, they don’t just play around and wait for inspiration to hit to dig in and install plugins.

I would almost say that new people wanting to exercise admin access immediately would benefit from an enjoyable conversation with IT over coffee to learn about each other’s passion and calling into the ministry to lay the groundwork for a relationship of trust (caffeine seems to work with creatives and technical folk alike).

With all of that said, our Mac users are mostly admins (if they aren’t they could just log in as root… am I right? ;-) ) and it has bitten us far fewer times than IT micromanaging them.

4 Likes

…Honestly? At our church, everyone has local admin rights. We’ve literally not had more than maybe one small issue due to this in 5+ years. It’s way less of a headache for me than having to always help people make changes. For us, we decided we’d give everyone the freedom, and simply revoke if necessary. It has never gotten to that point, so for us, we’ll keep it this way. But that’s just us :o)

There have been a lot of good answers here. For the technical side, I agree with a separate admin user account that they use to elevate when needed. For the accountability side, a friendly, helpful, customer service-oriented conversation about what is appropriate and inappropriate when it comes to licensing, EULAs, and using content/software that has not been properly purchased by the Church or the individual.

This is gold: “an enjoyable conversation with IT over coffee to learn about each other’s passion and calling into the ministry to lay the groundwork for a relationship of trust…”

If the conversation is done right, it’s not about telling them what they can and can’t do, it’s about giving them all the tools they need to do their work for the Lord while maintaining security, best practices, following the law, and honoring the Lord by doing what is right and keeping our word.

We in IT want to control things, and we need to learn to let go of that when appropriate. In the Mac world, it’s less dangerous to relinquish it, so until it gets out of hand, why not say “yes” whenever possible, and when a “no” is in order, work as hard as we can to turn it into a “yes” by being creative, or by agreeing on a safe alternative (such as a separate admin user account in this case)?

We are making all of our Mac users admins currently. But that is a policy I inherited from a previous manager, and I’m re-thinking due to this conversation. Least-privilege is a better practice, and one we will kick around in IT for possible implementation.

All our users are local admin and have been since I made that decision in late 2007. I was told by other IT peers I was nuts for even thinking about doing so :-). I coached our staff that with great power comes great responsibility (i.e., please don’t jack up your machine!). I wanted them to be productive and efficient and view IT as an enabler, not a hindrance. It worked. IT continues to have a great reputation with our staff as being “for them”.

3 Likes

We endorse the local admin approach for all staff unless someone proves that it’s more than they can handle. I give a thorough treatment of the reasons, risks, and mitigation strategies in my book (see http://store.churchlawtodaystore.com/chitstandso.html).

1 Like

My colleague and I have appreciated your answers here. Many of you have advocated for giving Local Admin rights and you have us thinking about it. We have this posted online elsewhere and are receiving different answers from the “non ministry” world. Nick, I will quote your answer since it was the most recent to my current posting: “We endorse the local admin approach for all staff unless someone proves that it’s more than they can handle.” What constitutes “more than they can handle” - or “don’t jack up your machine” as Jason said earlier? The user in question also asked us for his machine 2 weeks prior to his start date so he could download and install programs from his then current employer. We asked him what programs they were and offered to, and did, purchase them for him here so they were properly licensed. He has subsequently let us know that he wants the freedom to “jack up his machine” and in his words, “he has a Ferrari and we are only letting him go 65”. Our staff uses Office 365 and he also does not want to use that and wants to use whatever he is used to. While I want to be honoring to my new staff member, I also want you to understand the entire picture. His direct supervisor would like to know why we are not ready to hand him the keys to the Ferrari. Thank you all for your time.

Well, to use his analogy, would you hand the keys to a Ferrari to someone who for all intents and purposes has stated that they are going to drive way over the speed limit? Speed limits are there for the safety of all. However, there are venues in which driving more than 65 is permissible: a racetrack, for example. Is he/she willing to obey the laws of the land, and abide by the user agreements/purchase requirements set in place by software companies? Or are they going to do whatever they feel like in order to “get the job done”?

Start dates are less important to me than whether or not they have completed the entire hiring process, including background checks. If they fail the background check and you have to say “hey, I’m sorry, we can’t hire you, and we need the computer back”, that just presents all sorts of awkward scenarios.

When it comes to “jacking things up”, think about installing malware, or other software that might compromise security. Or installing torrents or video capture software that could be used to download or capture copyrighted materials. Or circumventing your web filtering solution (if applicable). Or doing something that slams your network. The average user with local admin creds on our Macs rarely uses it. The kind of user you are describing has a high probability of being a problem child.

As for O365 vs. Apple’s suite of tools…wow, it’s amazing to me when people don’t want to use the best tool for the job, but that’s reality. Those who insist on doing so end up creating content that Windows users can’t open, and people receiving those files will call you and ask you to help them open those Pages documents in Word (and you’ll have to say “sorry, I can’t”). I would sit down with them and explain that they will have a much better experience with O365, but they are free to use what they want (as long as it’s legal).

Noting that you are using Jamf, another approach that I have heard of (and am considering) is using a Self Service policy called “Make Me an Admin”. This is a script written by Jamf Professional Services and published on their GitHub - https://github.com/jamfprofessionalservices/MakeMeAdminPy

The idea is that during typical usage, no one has admin rights. But if they come across something where they need admin rights, you can use this to temporarily make them an admin. The script has some built-in safety controls to make sure that they don’t create additional local admin accounts or change the password for an existing local admin account. If you don’t want them to use this all the time, you could set the execution frequency on the policy to Once every week (or day or month). Then, you can audit how often a person is requesting admin rights, and have a conversation with them if it gets excessive.

Regarding some of the other specific issues, it’s important to help people understand that part of being in the working world is working within the parameters of your organization. As an example, for some reason (or reasons), your organization made the decision to standardize on Office 365 for productivity and staff collaboration. Maybe not everyone sees that as the right decision, and there may be a point at which your organization decides to change that standard. But the fact is, your organization made that choice, and being a productive, useful member of your organization means you use Office 365. Welcome to being a responsible, functioning adult! Using a non-standard tool will likely make working with your colleagues more difficult, and in fact may make working together to accomplish the mission of your church considerably less effective. Yes, there is room for freedom and choice. But when it comes to the core tools of your ministry (email, productivity suite, church management system, etc.), there is no choice. That is a business decision that your church has made so that you can effectively work together as a staff to grow the Kingdom of God.

The Ferrari metaphor is actually excellent and useful. He is right, not allowing any sort of admin rights is like putting a 65 mph governor on the Ferrari. But there are very few opportunities where you can safely drive the car above 70-80 mph. That’s why there are speed limits, road lines, traffic signs and lights. If you think about it, the only truly safe place you can open up in a Ferrari is on the track. But a track doesn’t get you anywhere. All you are doing is driving in a fancy circle. It doesn’t get you any closer to a destination. Lawfully participating in normal highway traffic is like following the technology guidelines of your organization. A Ferrari of a computer can get you up to highway speeds and into the creative flow quickly. Or you could go over to the track and have a great time doing whatever you want, but the rest of us over here using the organization’s tools to travel towards our mission destination aren’t being helped by that.

Just my (longer than I thought it would be when I started) $0.02. I know the struggle that you are experiencing. We have had similar conversations. We always try our best to turn a “no” into a “yes,” but sometimes due to organizational (NOT IT/Tech department) choices, it has to stay “no.”
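The two controls described in the post above (catching extra admin accounts that appear during a temporary elevation, and auditing how often someone requests elevation) can be sketched as follows. This is an added example, not part of the original post and not code from the Jamf script; the log format, account names and thresholds are constructed assumptions, and the membership strings mimic the output of macOS's `dscl . -read /Groups/admin GroupMembership`.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data; the log format and account names are hypothetical.
BEFORE = "GroupMembership: root itadmin"
AFTER = "GroupMembership: root itadmin mjones helper2"
GRANT_LOG = """\
2024-03-01T21:10:00 mjones GRANT
2024-03-03T22:05:00 mjones GRANT
2024-03-04T09:30:00 asmith GRANT
2024-03-05T23:15:00 mjones GRANT
2024-03-06T20:45:00 mjones GRANT
2024-01-15T10:00:00 asmith GRANT
"""

def parse_membership(dscl_output):
    """Turn `dscl . -read /Groups/admin GroupMembership` output into a set of names."""
    _, _, members = dscl_output.partition(":")
    return set(members.split())

def review_window(before, after, elevated_user):
    """Compare admin group membership around one elevation window.

    Returns (to_demote, unexpected): every account that gained admin during the
    window must be demoted; any of them other than the elevated user was
    created or promoted during the session and should be investigated.
    """
    gained = parse_membership(after) - parse_membership(before)
    return sorted(gained), sorted(gained - {elevated_user})

def excessive_requesters(log_text, now, days=30, limit=3):
    """Users with more than `limit` GRANT events in the last `days` days."""
    cutoff = now - timedelta(days=days)
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "GRANT":
            continue  # skip malformed or non-grant lines
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # skip lines with an unparseable timestamp
        if cutoff <= when <= now:
            counts[parts[1]] += 1
    return {user: n for user, n in counts.items() if n > limit}

if __name__ == "__main__":
    print(review_window(BEFORE, AFTER, "mjones"))
    print(excessive_requesters(GRANT_LOG, datetime(2024, 3, 7)))
```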

It’s always a tough balancing act to provide users with enough access that they don’t feel restricted or constrained and to protect the interest of the organization (legal issues, malware, etc.)

I’m a big fan of getting leadership behind a program of encouraging staff to be responsible for their actions. If someone repeatedly is infecting their machine or installing illegal/non-compliant software it’s not a technology issue.

Never mind “repeatedly infecting their machine”, I wouldn’t want them infecting their device once. That’s why we went to least user. An infected device isn’t isolated once it’s on your network.

It’s an asset and it’s our job to make sure that asset is protected.

And, I’m all for having a good relationship with my users, and I do, but just like being a parent, sometimes you have to make tough decisions to keep everyone safe.

It doesn’t matter how trained they are, how aware they are, how “it’s never happened before”, malicious people will always be a step ahead of your best-trained user.

Wow! I just got a little bit dizzy reading all of the comments where people are just “Trusting” their users with administrative rights. Simply letting them do whatever they want on their machines in the name of simplicity and convenience is confusing to me. I have “Creative types” in my organization that have given me the same line of reasoning. Telling me, “I want it when I want it and you are not always available to put in a password at 11:00 at night.” or, “What if I need to install some software at a moment’s notice and it impacts our ability to put on a service?” My response to all of these statements is that they need to start planning better. Waiting until the last minute shows that they are not prepared to forecast their needs or do their job properly.

Here is my point of view on locking computers down. All it takes is one person to download the wrong software or click on the wrong email or open the wrong web site and their machine could become infected. It might be something stupid, some email harvesting app, or it might be a worm that will tunnel in to my file share and deploy ransomware. We have files with benevolence information in them. We have files with giving information in them. We have files with parishioner data in them. My point is that people have entrusted our church with their personal information and it is my responsibility as IT director to safeguard that information to the best of my ability. I would find it hard to look someone in the eyes and tell them that their data was allowed to get in the hands of the bad guys because I was trying to make life easier for someone who could not wait for a password.

Perhaps your organization is different from mine and perhaps you have nothing on your network that is of importance. Perhaps you have a backup of all of your machines and have a robust staff of volunteers that could help you restore everyone’s devices and backup files in the event of a ransomware event.

I don’t have any of those things. So I choose to lock down my devices to safeguard our data. Ephesians 6:7 says we are called to “Serve wholeheartedly, as if you were serving the Lord, not people”. I for one am not ready to fathom the idea of having to tell Jesus I took the easy way out and lost his data.

Just my thoughts on the matter.

We have two levels of “employees”: volunteers and actual employees. We give employees a local admin alter ego and volunteers do not get that. Also, we have them sign an AUP yearly.

Given how quickly I can package something up in SCCM and drop it in our own internal software store, the reasons for users to be local admins are dropping all the time. I generally hold a fairly liberal viewpoint on giving folks the tools they need when they ask for them (budget / legal approving) because typically if I’m impeding productivity that’s when Shadow IT happens and I think that’s a much larger risk.