
Hi all,

I have a question about locked user accounts. Is it possible to deny complete access to a MacBook after the user has been locked in Microsoft Azure? We recently had a case where a user was locked out but still had access to his MacBook through his "local account".

Is this possible or do we always have to click on Lock Computer in Jamf?

If the Mac has a local account, by definition it isn't using your domain services, so unfortunately yes, you would need to lock the machine or use code: "pwpolicy -u $username disableuser"


@dsavageED,

The Mac is in our remote management, so there should be no local account. Is there another solution then?


In more detail:

If the Mac is still checking in with Jamf, then you can create a policy to run the command I mentioned above; you can even force a logout.

Create a new policy - give it a name like lock login session, set trigger to Recurring Check-in, Frequency Once per computer

Files and Processes

Execute Command - "pwpolicy -u $username disableuser; killall loginwindow" where $username is the login of the user you want to disable.

Scope this policy to the Mac

Or more simply lock the Mac with the MDM command...

