Definition of UF Role Access


JAMF Administrative Roles

There are five admin roles in UF's JAMF implementation (NOTE – Except for LGA, all roles use your Gatorlink account username):

  • FGA: Full Global Admin – AD group maintained by UFIT. Provides complete control. Limited to UFEM team members.
  • LGA: Limited Global Admin – AD group maintained by UFIT. Role is limited to 2 or 3 admins in each department. Cannot create or deploy policies. Can create, add, and modify global settings. Must follow naming convention rules. This role has global access to everyone’s global settings. No ability to delete. ADM service accounts are used for LGAs (e.g. ufit-adm-albertg).
  • FSA: Full Site Admin – AD group maintained by departments. Can create, select and apply policies, packages, etc. Site Admins do not have access to full JSS.
  • BSA: Basic Site Admin – AD group maintained by departments; same as the Site Admin (Full) role except they cannot create or modify policies. They can remotely lock but NOT wipe computers.
  • Enroll – AD group maintained by departments; can only enroll devices into the Jamf service.

Most Tier 2 admins will only use the LGA and FSA roles for day-to-day work.

Limited Global Admin (LGA) Tasks

There are eight tasks that require use of the LGA. They can all be found in the Settings section of the JSS console (when logged in as an LGA).

Please note that you need to be in the 'Full Jamf Pro' site to see these settings.

Click on “Settings” to see all the access that an LGA role has inside of Jamf.

*Note: When using your LGA, make sure that you are in the "Full Jamf Pro" section and not one of the other department sites listed below it. If you are at a site and log out or close the page, you could break your access to the console the next time you try to log in. This is a bug with JAMF.

As the name suggests, LGA tasks are global. They can affect all sites, including sites belonging to other units. Due to the power of the LGA role, we ask that units request no more than 3 admins be given this role.

The following items have read, create and update access in eval and production:

  • Global
    • Categories
  • Computer Management
    • Packages
    • Scripts
    • Printers
    • Directory Bindings - The following has only read access in production. In eval it is read, create and update (to be deprecated)
    • Disk Encryption Configurations
    • Dock Items
  • Device Management
    • Apple Configurator Enrollment

Please review the naming convention rules document.

Full Site Admin (FSA) Tasks

FSA tasks are restricted to your unit's site, and include:

  • Policy Management
  • Config Profile Management
  • Patch Management
  • Endpoint Reporting