I have come to a point where I want to set up Agentless Posture on my ISE 3.0 deployment project. Based on the documentation, I have read the following: "Client credentials for shell login must have local admin privileges". My client does not want to give local admin privileges to end users' domain accounts.
There is a proposal on the table as follows: "To create a user account for all the branches/domain computers; this user account is to have local admin privileges so that it will be able to open/run PowerShell as an Administrator". The user will be pushed to the endpoints via Microsoft GPO.
However, my questions are as follows: Do the ISE credentials need to have local admin privileges only to run PowerShell as an administrator, or is there some other reason these privileges need to be granted to all the domain user accounts?
If it is only to open PowerShell as an administrator, then I believe we can do so with the noted option of creating a user account specifically for the task of "Run as Administrator" in PowerShell, and nothing else. But giving domain users local admin privileges sounds ambiguous and is not accepted as a solution!?
So far in the Cisco ISE 3.0 documentation, I could only find information that this feature needs to be enabled, but not the specific reasons why, or how the end-to-end flow/use case works, and/or any other workarounds.
Any suggestion or information would be highly appreciated.