Skip to main content
Question

Disable login for secondary Admin account

  • March 9, 2023
  • 3 replies
  • 4 views
C
Forum|alt.badge.img+1

We are moving to make our end users be required to be standard accounts and remove thier admin rights, but we need to have a secondary local admin account on the machine to authenticate admin privs when needed, but our IT Security is requiring it to be for authentication only and not able to log in as a user. So far, I can't seem to find a way to make this possible to block the accounts ability to login while still allowing the account to auth when needed.

Anyone have any suggestions or run into similar needs?

    3 replies

    B
    Forum|alt.badge.img+8
    • bcrockett
    • Contributor
    • March 9, 2023

    I do not think that is how macOS works. 

    An admin user account can log in and authenticate. Those two things can not be separated. 

    Ask IT security how they configure this on macOS specifically. 

     

     

    mm2270
    Forum|alt.badge.img+24
    • mm2270
    • Legendary Contributor
    • March 10, 2023

    I have a question about this.

    Who is the intended audience for this secondary admin user? The end users who are being demoted to standard accounts, or for IT only?

    If the concern is that end users would use this account to log into, you might want to instead look into something like a temp admin policy, a la MakeMeAdmin, or using a program like SAP Privileges.

    If IT Security's goal is to lock out other IT people from logging into this account, then this is a false sense of security. Once you know the creds for a local admin account, being able to log into the account or not is inconsequential. I can do basically almost anything admin related with just the credentials and the Terminal application that I can do if actually logged into the account. So I'm not sure what they would be thinking they're preventing if this is the case. This is true of course if the account was intended for the end users of the devices. Logging into it is the least of the concerns once you know the username and password.

    Either way, if they really need this, you can try changing the home directory path for the account from /Users/username to /usr/bin/false. From what I can see, this allows the account to be used in dialogs that require authentication, and can be logged into in Terminal, but when you try logging into the account at the macOS login screen, it hangs and never completes login. That's not ideal of course, so I'm not sure if causing the system to hang would be acceptable, but it does prevent logging into the account at the GUI from what I can see.

    B
    Forum|alt.badge.img+8
    • bcrockett
    • Contributor
    • March 10, 2023

    @clementsn 

    You could also look at using Jamf API credentials.

    The Super software linked below does this for updating macOS 

    https://github.com/Macjutsu/super/wiki/Jamf-Pro-API-Credentials

     

    Also, my original reply may have been incorrect depending on the context of the application and configuration. My apologies if that lead you astray.   ~B

     

    Terms & ConditionsCookie settingsAccessibility statement