Definition of UF Role Access


JAMF Administrative Roles

There are five admin roles in UF's JAMF implementation (NOTE – Except for LGA, all roles use your Gatorlink account username):

  • FGA: Full Global Admin – AD group maintained by UFIT. Provides complete control. Limited to UFEM team members.
  • LGA: Limited Global Admin – AD group maintained by UFIT. Role is limited to 2 or 3 admins in each department. Cannot create or deploy policies. Can create, add, and modify global settings. Must follow naming convention rules. This has global access to everyone’s global settings. No ability to delete. ADM service accounts are used for LGA's (e.g. ufit-adm-albertg)
  • FSA: Full Site Admin – AD group maintained by departments. Can create, select and apply policies, packages, etc. Site Admins do not have access to full JSS.
  • BSA: Basic Site Admin – AD group maintained by departments; same as the Site Admin (Full) role except they cannot create or modify policies. They can remotely lock but NOT wipe computers.
  • Enroll – AD group maintained by departments; can only enroll devices into the Jamf service.

Most Tier 2 admins will only use the LGA and FSA roles for day to day work.

Limited Global Admin (LGA) Tasks

There are five tasks that require use of the LGA. They can all be found in the Settings section of the JSS console (when logged in as an LGA):

The following items have read, create and update in eval and production

  • Packages
  • Scripts
  • Configurations
  • Printers
  • Disk Encryption Configurations
  • Dock Items

The following has only read access in production. In eval it is read, create and update.

  • Directory Bindings

Please note that you need to be in the 'Full Jamf Pro' site to see these settings:

As the name suggests, LGA tasks are global. They can affect all sites, including sites belonging to other units. Due to the power of the LGA role, we ask that units request no more than 3 admins be given this role.

*Note: When using your LGA, make sure that you are the "Full Jamf Pro" section and not one of the other department sites listed below that. If you are at site and log out or close the page. You could break your access to the console the next tima you try to login. This is a bug with JAMF.

Full Site Admin (FSA) Tasks

FSA tasks are restricted to your unit's site, and include:

  • Policy Management
  • Config Profile Management
  • Patch Management
  • Endpoint Reporting