What is required to obtain administrative access for Endpoint Management (Intune/Jamf)?

Overview

As part of our ongoing efforts to strengthen our organization's security posture and align with vendor best practices, we require a specific role and account structure for administrative access within Microsoft Intune and Jamf.

To improve auditing, enforce separation of duties, and limit the exposure of compromised credentials, we have implemented a custom administrative role that restricts global directory-level permissions while still supporting your core device management tasks. This updated role also lets users delete the devices they manage in Entra ID, provided those devices use the naming prefixes designated for their units.

This role must be assigned to designated Super User (su-) accounts rather than to personal NetID accounts.

Why This Matters (Security Benefits)

Enforcing this model aligns our mobile device management (MDM) infrastructure with Zero Trust principles and offers several key benefits:

  • Reduced Risk: Limits security exposure if personal NetID credentials are ever compromised.
  • Separation of Duties: Ensures accountability and strict control over privileged endpoint management tasks across both Windows and Apple ecosystems.
  • Improved Compliance: Enhances our monitoring and compliance auditing capabilities for both Intune and Jamf environments.

Required Action: Request a Super User Account

To maintain your administrative functions in Intune and/or Jamf, you are required to transition to an authorized administrator account.

  1. Navigate to the Account Management portal.
  2. Using the linked form, submit a request to the Accounts Team to have a Super User account created.
  3. Naming Convention and Ownership: The requested username must follow the strict su-netid format (e.g., su-jdoe). This ensures that each su- account is explicitly identified as owned and operated by the specific requesting user.

All current and new users who need to be added to existing Intune or Jamf administrative groups must use an su- account. Standard personal NetID assignments will no longer be approved or maintained for endpoint administration.

Testing and Offboarding Timeline

  1. Account & MFA Configuration: Once your new su-netid account is established, you must first configure your multi-factor authentication (MFA). You are required to set up MFA with both Duo and Microsoft Authenticator. These authentication methods are managed outside of the Endpoint Management service. For setup instructions, please consult the following documentation: Multi-Factor Authentication.
  2. Access Request & Provisioning: After you have successfully configured your MFA, notify the deployment team to confirm your account is ready. Administrative access to Entra ID, Intune, and Jamf must be formally provisioned by the Endpoint Management team before you attempt your first login.
  3. Testing Phase: Once you receive confirmation that your access has been granted, log in to verify and test your administrative functionality in Entra 
  4. Deprecation of Legacy Access: After onboarding is complete and your su- access is verified to be working, all legacy administrative permissions will be permanently removed from your personal NetID account.