Windows Office Hours: August 15, 2024
Thursday, Aug 15, 2024, 08:00 AM PDT
Get answers to your questions about adopting Windows 11 and managing the Windows devices used by remote, onsite, and hybrid workers across your organization. Get tips on keeping devices up to date ef...
Heather_Poulsen
Updated Nov 19, 2024
Joe_Lurie
Microsoft
Hi ToddMasegian thanks for the message. We don't recommend users ever having full admin rights on a desktop. Our solution for this is two-fold:
- Use Autopilot when you send the user the laptop. In Autopilot, configure the user as a standard user.
- Use Endpoint Privilege Management. EPM is part of the Microsoft Intune Suite, and instead of giving the user full-on admin rights, it gives them admin rights to a specific process.
As a sidenote, we also have a Cloud LAPS solution that allows you to rotate the local admin password, as well as additional policies.
Re: using JAMF for your macOS devices, Intune has come a very long way in managing macOS - it may be worth checking out again. Or at the very least joining our aka.ms/MacAdmins community. Our Cloud LAPS solution and EPM are Windows only today, but we are working with our mac team to get them integrated on macOS.
Keep an eye on aka.ms/M365Roadmap and aka.ms/IntuneInDev for more information on when these might be available in the future.
--Joe.
ToddMasegian
Aug 15, 2024
Copper Contributor
Hi @joelurie, thank you for the response. I had heard about EPM before, but at the time I was advised that it was limited to only certain operations such as software installs, and that other tasks such as modifying an Ethernet adapter's properties weren't supported. I will have to take a deeper look at whether that is actually true or if EPM would actually cover my needs. On the LAPS front, I have been using LAPS on my on-prem AD for several years; I didn't realize there was a cloud version as well.