
Manage administrator accounts

Learn how to deploy, control and oversee local administrator accounts on your managed devices from Factorial IT.

Use the Admin user management policy to deploy local administrator accounts (called sessions in Factorial IT) on your devices. The policy can be applied globally or to specific groups using Device Groups.

It lets you create administrator sessions, store their passwords in Factorial IT, and optionally reduce the privileges of the other existing sessions on the device.

Coming soon: temporary privilege elevation (granting a standard user administrator rights for a limited time). In the meantime, you can use tools such as Privileges and MakeMeAdmin for this.

Deploy administrator accounts through MDM Controls

Configure the policy

  1. Enable the feature.
  2. Define the username of the administrator session to create.
  3. Set the account password:
    1. Random password: generated per device
    2. Fixed password: identical across all targeted devices
  4. Choose whether to adjust existing users’ rights:
    1. Default: no change
    2. Optional: reduce privileges for other sessions

Password storage locations

  • Random password: stored in each device’s panel
    • Equipment > Devices > Device panel
  • Fixed password: stored in the feature settings
    • Profiles > Relevant profile > Administrator account management


Manage accounts at the device level

From a device’s Users tab, you can:

  • Grant administrator rights
  • Remove administrator rights
  • Create a local session
  • Rotate the password of an existing session

These actions allow fine-grained management in addition to the global profile-based policy.

Modify or disable the policy

After activation on a profile, the policy cannot be edited directly.

  • To update it, disable the policy and then re-enable it with new settings.
  • Disabling the policy stops its enforcement but does not delete the administrator account created by Factorial IT or its password; both remain available in Factorial IT.

Special Cases

Removing administrator access on a device with an active SecureToken

SecureToken is a macOS-specific attribute that acts as an access key: an account that holds it can enable and manage critical security functions such as FileVault encryption.

Currently, it is not possible to remove administrator rights from an account if it is the only account on the device holding a SecureToken. We are working to improve this so that the SecureToken can be transferred to another account, in particular the one administered via Factorial IT.
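As an added example (not Factorial IT's own code or tooling), the POSIX shell script below shows the pre-check an operator would run before the device-level Remove administrator rights action, so that the SecureToken limitation above is caught before demoting an account. It assumes the admin group membership has the shape printed by `dscl . -read /Groups/admin GroupMembership` and that the SecureToken status of each user has been collected with `sysadminctl -secureTokenStatus <user>` and normalised to `user:ENABLED` / `user:DISABLED` lines; the sample data and the `factorial-admin` account name are constructed. The demotion command it prints (`dseditgroup -o edit -d USER -t user admin`) is the standard macOS way to remove a user from the admin group; the script only prints it and never executes it.

```shell
#!/bin/sh
# Guard for "Remove administrator rights": refuse to demote an account that is
# the device's only SecureToken holder. Added example, not Factorial IT code.

# Constructed sample data standing in for real device output.
# Shape of: dscl . -read /Groups/admin GroupMembership
SAMPLE_ADMINS='GroupMembership: root admin alice factorial-admin'
# Per-user result of: sysadminctl -secureTokenStatus <user>, normalised to
# "user:ENABLED" / "user:DISABLED", one user per line.
SAMPLE_TOKENS='alice:ENABLED
factorial-admin:DISABLED
bob:ENABLED'

# is_admin USER ADMIN_LINE -> 0 if USER appears in the admin group membership
is_admin() {
  user=$1
  for member in ${2#*:}; do
    [ "$member" = "$user" ] && return 0
  done
  return 1
}

# has_token USER TOKENS -> 0 if USER's SecureToken is ENABLED
has_token() {
  printf '%s\n' "$2" | grep -qxF "$1:ENABLED"
}

# token_holders TOKENS -> prints the number of accounts with SecureToken ENABLED
token_holders() {
  printf '%s\n' "$1" | grep -c ':ENABLED$'
}

# can_demote USER ADMIN_LINE TOKENS
#   returns 0: safe to remove admin rights
#   returns 1: USER is the only SecureToken holder, demotion is blocked
#   returns 2: USER is not an admin, nothing to do
can_demote() {
  user=$1 admins=$2 tokens=$3
  is_admin "$user" "$admins" || return 2
  if has_token "$user" "$tokens" && [ "$(token_holders "$tokens")" -eq 1 ]; then
    return 1
  fi
  return 0
}

# demote_cmd USER -> prints the macOS command that removes USER from the admin
# group (printed only; this script executes nothing on the device)
demote_cmd() {
  printf 'sudo dseditgroup -o edit -d %s -t user admin\n' "$1"
}

# Walk the sample accounts and report what the operator may do with each.
for u in alice factorial-admin bob; do
  rc=0
  can_demote "$u" "$SAMPLE_ADMINS" "$SAMPLE_TOKENS" || rc=$?
  case $rc in
    0) echo "$u: safe -> $(demote_cmd "$u")" ;;
    1) echo "$u: BLOCKED, only SecureToken holder; grant a token to another admin first" ;;
    2) echo "$u: not an admin, skipping" ;;
  esac
done
```

With the sample data, alice can be demoted because bob also holds a SecureToken, and factorial-admin can be demoted because it holds none; if bob's token were disabled, alice would be blocked, which is exactly the case Factorial IT cannot currently handle.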

Cases of devices targeted by multiple administrator account management policies

Policy duplication can occur if you activate the policy both on a global profile and on a specific profile. Factorial IT does not resolve the conflict: for each policy, the MDM attempts to create the requested user, checking only that an account with the same name does not already exist. Two policies with different usernames will therefore each create an administrator account on the device.

Best practices

  • Prefer per-device random passwords: a fixed password shared across devices means one compromised device exposes the administrator account on all of them.
  • Document the macOS SecureToken exception in your internal IT procedures (see the SecureToken rules under Special Cases).
  • Avoid activating the policy on overlapping profiles, to prevent duplicate accounts and conflicts.
