Case Study: Converting from Administrators to Standard Users

Executive Summary

A geographically dispersed accounting firm with approximately 60 macOS users needed to meet updated cybersecurity insurance requirements mandating that end users operate as Standard users rather than local administrators. The firm had historically allowed administrator access for all users, creating both technical risk and a cultural expectation of unrestricted device control.

Second Son Consulting planned and executed a staged transition that reduced security risk while preserving end-user productivity and trust. The rollout completed over eight weeks, resulted in 100% of end users running as Standard, and did not cause a measurable increase in helpdesk volume. The change was implemented through reporting, automation, and controlled pilot groups, with logging and validation at every stage.

All the Details

Challenge

The client’s cybersecurity insurance policy required that all end users run as Standard users. At the start of the engagement, every macOS device was configured with the end user as a local administrator.

This presented two challenges. First, administrator access introduced material security and stability risk. Local admins could disable management and security tooling or install unapproved software, reducing visibility and control. Second, the change required a cultural shift. Users were accustomed to full control over their devices, and leadership was concerned about workflow disruption, user frustration, and unforeseen dependencies on administrative access.

Approach

We began by aligning with decision makers on the known unknowns: what could break, which workflows might require elevated privileges, and how to surface issues without disrupting daily work.

We ran reports across the environment to identify risk areas, including outdated applications, shadow IT, and personal software outside the firm’s acceptable use policy. This surfaced several workflows and applications that leadership had not previously been aware of.

Because the client had been managed under an inherited MDM configuration for approximately two years, we performed a technical review to identify historical inconsistencies. We found devices with missing or inconsistent local admin accounts, multiple user accounts on a single device, and differences in enrollment methods. These issues were corrected before any user demotions began.

Options Considered

We presented multiple paths, including the use of Admin on Demand and user training to distinguish between standard macOS password prompts and true administrative elevation.

The client chose a pure demotion model, with the option to introduce Admin on Demand later for specific, validated use cases. To preserve user agency, we paired this approach with Self Service workflows and expanded patch management so that common software updates no longer required administrative access.

Solution Details

We developed an automated workflow to report on account status and perform user demotions. The tooling reported in advance which accounts would be demoted, validated the presence of required management accounts, and logged the success or failure of every action.

We worked with the client to identify a voluntary pilot group. These users received targeted training on what feedback was useful, particularly when password prompts appeared and what task triggered them. We deployed the demotion workflow to this group, reviewed feedback and logs, made adjustments, and expanded the pilot until it included the entire organization.

The demotion process ran silently with no user interruption. Logging allowed administrators to identify and resolve edge cases before they became user-facing issues.
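The report-first workflow described under Solution Details could look like the sketch below. It is an added example, not Second Son Consulting's tooling: the management account name `mgmtadmin`, the log path, and the `--run` switch are assumptions, while `dscl` and `dseditgroup` are the stock macOS directory tools.

```shell
#!/bin/sh
# Added example: report-first demotion of local admins on macOS.
MGMT_ACCOUNT="${MGMT_ACCOUNT:-mgmtadmin}"           # hypothetical management account
LOG_FILE="${LOG_FILE:-/var/log/demote-admins.log}"  # hypothetical log path
DRY_RUN="${DRY_RUN:-1}"                             # 1 = report only, change nothing

log() { printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG_FILE"; }

# Direct members of the local admin group (nested groups are not expanded).
admin_members() {
  dscl . -read /Groups/admin GroupMembership | sed 's/^GroupMembership: *//'
}

# plan_demotions "<space-separated admin members>"
# Prints the accounts that would be demoted. Fails, and plans nothing, when the
# management account is not an admin, so a device is never left without one.
plan_demotions() {
  p_found=0; p_plan=""
  for p_u in $1; do
    if [ "$p_u" = "$MGMT_ACCOUNT" ]; then p_found=1; fi
  done
  if [ "$p_found" -ne 1 ]; then
    log "ABORT management account '$MGMT_ACCOUNT' not in admin group"
    return 1
  fi
  for p_u in $1; do
    case "$p_u" in
      root|"$MGMT_ACCOUNT"|_*) continue ;;   # keep root, management, service accounts
    esac
    p_plan="${p_plan:+$p_plan }$p_u"
  done
  printf '%s\n' "$p_plan"
}

# Demote one account, or only record the intent when DRY_RUN=1.
demote() {
  if [ "$DRY_RUN" = "1" ]; then log "WOULD-DEMOTE $1"; return 0; fi
  if dseditgroup -o edit -d "$1" -t user admin; then log "DEMOTED $1"
  else log "FAILED $1"; return 1; fi
}

run() {
  r_plan="$(plan_demotions "$(admin_members)")" || return 1
  log "PLAN ${r_plan:-<none>}"
  r_rc=0
  for r_u in $r_plan; do demote "$r_u" || r_rc=1; done
  return "$r_rc"
}
if [ "${1:-}" = "--run" ]; then run; fi
```

Run it first with the default `DRY_RUN=1` to collect the `WOULD-DEMOTE` lines for review, then with `DRY_RUN=0` once the plan has been checked.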

Results

The primary challenge was organizational rather than technical. Users were often unaware of when or why administrative privileges were being used, which made advance discovery and testing essential.

After rollout, 100% of end users were operating as Standard users. A small number of helpdesk tickets were submitted, primarily related to updating previously unmanaged applications. These were resolved by adding software to the patching catalog or identifying supported alternatives. There was no sustained increase in helpdesk volume.

The project reduced security risk, met insurance requirements, and established a repeatable, auditable process for account management. Most importantly, the change was completed without end-user disruption and without eroding trust between leadership, IT, and staff.