


In this case, we are looking at the value of root’s AuthenticationAuthority using the Directory Service command line utility. See the following documentation for more information. Note: Intune’s API may be leveraged to create groups either by script or PowerAutomate, but this particular API call is still in beta. For reporting, we can create a script and Intune will take the echoed output as the final result under the individual Custom Attribute. The premise, however similar, does not yet allow us to populate dynamic groups based on the result, but we’ll work around that limitation by deploying it in two different ways. Results of a simple script which echos the output of whoami command run by the Intune Management ExtensionĬustom Attributes in Intune are relatively new for Microsoft and likewise have a long way to go before it truly offers feature parity to Jamf. Root must still function, but not be accessible without an administrator actively enabling it and setting a password. It’s worth noting that as I discussed in a previous post ( Intune for MacOS and how it’s different.) Intune leverages the Root account to execute commands via the Intune Management Extension and thus it is important to distinquish between disabling root login and disabling root completely.
#Jamf scripts pro
In this post we’ll cover using Extension Attributes in Jamf Pro and Custom Attributes in Intune, creating Smart Groups based on it, and deploying a remediation script to knock root back to its disabled state. Whether they enabled root and left it that way out of ignorance or forgetfulness, the solution is the same: Report on devices where root is enabled and automatically remediate.

There are many legitimate reasons why you would want to do this temporarily, but root should never be enabled long term. Root login is disabled by default on MacOS for obvious reasons, but users with local administrator permissions can enable root on demand. If you’re unaware, root is the System Administrator on most unix based systems and has the highest permissions on the system (See Demystifying `root` on macOS, Part 1 – Scripting OS X over at for a great overview). One of the first things I look for when performing a Health Check for organizations running Intune (if they have Macs) and Jamf Pro/Protect is whether they have systems enrolled with the root user enabled. Always approach information you find outside (or inside for that matter) official documentation with skepticism and follow the golden rule: Never test in production. As the name suggests, these accounts are based on experiences I’ve had in my own lab.
#Jamf scripts how to
Disclaimer: This blog is not intended to be advice on how to manage your environment.
