| macOS | Windows | Linux | iOS / iPadOS | Android |
|---|
| ✅ | ✅ | | | |
How to set it up
Coming soon: the ability to facilitate privilege escalation (giving temporary administrator access). In the meantime, you can use tools like Privileges and MakeMeAdmin for these actions.
Define the admin username
Enter the username of the administrator account to create.
Set the account password
- Random password — generated per device (recommended)
- Fixed password — identical across all targeted devices
Optionally demote non-matching accounts
Enable Demote non-matching accounts to automatically reduce other users to standard access.
Save and apply
Save and apply to the relevant device group.
Modifying or removing the control
After activation, the username of the admin account to be created cannot be edited.
How it works
macOS
The control creates a local administrator account and stores the password in the Primo cockpit.
Removing administrator access — it is not currently possible to remove administrator rights from an account if it is the only one with a SecureToken on the device. SecureToken is a macOS-specific access key required to activate FileVault encryption. Primo is working to support SecureToken transfer to allow this.
Windows
The control creates a local administrator account and stores the password. Password options (random or fixed) and privilege reduction work the same as on macOS. 
