Question

Manage the login possibility to MacOS

  • March 3, 2026
  • 4 replies
  • 91 views


Hello,

My organization has asked me to explore whether it’s possible to control macOS login behavior based on Active Directory group membership.

The goal is to automatically log out a user if they belong to a specific AD group. Additionally, as long as the user remains in that AD group, they should be prevented from logging in to macOS at all. We would also like to block all local unlock methods (password, Touch ID, etc.) while the user is in that AD group.

Is this type of workflow achievable? Does Jamf provide functionality that can enforce these restrictions?

4 replies

dan682lee
  • New Contributor
  • March 3, 2026

Hello!

Jamf alone doesn’t provide a built‑in way to block or auto‑logout macOS users based on AD group membership. To achieve this, you’d typically need Jamf Connect integrated with your identity provider (Azure AD/Okta), which can enforce login restrictions tied to directory groups. Policies can be scoped to AD groups, and custom scripts can check membership at login to trigger logout or block access, but local unlock methods (like Touch ID) can only be disabled globally, not conditionally per group. In short, the workflow is possible with Jamf Connect plus scripting, but not natively in Jamf Pro.


mvu
  • Jamf Heroes
  • March 3, 2026

Is your organization using Device Compliance? Could block other access, depending on your criteria.

Here is how we set up our Extension Attributes for iOS and macOS. From there, we create smart groups of the AD memberships and scope desired policies to them. Similar to what @dan682lee mentioned.

You could do other functionality thingys, like change wallpaper, flip out the Dock, remove apps or access. Depending on how far you need to go ...
  • Contributor
  • March 4, 2026

If the Mac remains on and connected to a network, you could look into simply disabling the account on the Mac. If you have a local admin account on the Mac you will still be able to log onto that account, and using the suggested EA approach you can trigger the disablement and re-enablement of the account by using an SG to trigger the policy. This of course assumes the account is a local account and not a mobile account.
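
One way to wire up the EA plus smart-group approach described in the two replies above, as an added example that is not code from this thread or from Jamf: an Extension Attribute script that reports whether the console user is in an AD group (so a smart group can key on it), together with the account enable/disable step a scoped policy would run. It assumes an AD-bound Mac, `dsmemberutil` and `pwpolicy` from macOS, and `EXAMPLE\Restricted-Mac-Users` as a placeholder group name.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the Mac is AD-bound; the group
# name is a placeholder to replace with your own.
AD_GROUP="EXAMPLE\\Restricted-Mac-Users"

# Map the text printed by `dsmemberutil checkmembership` to one word.
# "user is a member of the group"     -> member
# "user is not a member of the group" -> nonmember
# anything else (not bound, DC unreachable, bad group name) -> unknown,
# so a smart group never treats a lookup failure as "not restricted".
membership_state() {
    case "$1" in
        *"is not a member"*) echo nonmember ;;
        *"is a member"*)     echo member ;;
        *)                   echo unknown ;;
    esac
}

# Wrap a value in the <result></result> tags Jamf reads from an EA script.
ea_result() {
    printf '<result>%s</result>\n' "$1"
}

# Console user = owner of /dev/console (BSD stat on macOS; empty at login window).
console_user() {
    stat -f '%Su' /dev/console 2>/dev/null
}

# Disable or re-enable a local or mobile account; run as root from a policy.
# A disabled account cannot authenticate at the login window or lock screen.
set_account_enabled() {
    user="$1"; enabled="$2"
    if [ "$enabled" = "yes" ]; then
        pwpolicy -u "$user" -enableuser
    else
        pwpolicy -u "$user" -disableuser
    fi
}

# EA entry point: report the console user's membership state.
main() {
    user=$(console_user)
    if [ -z "$user" ] || [ "$user" = "root" ]; then
        ea_result unknown; return 0
    fi
    output=$(dsmemberutil checkmembership -U "$user" -G "$AD_GROUP" 2>&1)
    ea_result "$(membership_state "$output")"
}

# Query the directory only when invoked as `script.sh run`, so the functions
# can also be sourced and tested without a bound Mac.
if [ "${1:-}" = "run" ]; then main; fi
```

Scope the disabling policy to the smart group where this EA equals `member`, and a re-enabling policy to the group where it equals `nonmember`; `unknown` deliberately matches neither.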


AJPinto
  • Legendary Contributor
  • March 4, 2026

You can bind Macs to AD, and enable mobile accounts which will allow your users to login with AD account credentials. However, be very aware that Apple has moved away from this and has been advising for over a decade to stop AD binding. Things like Secure Tokens and FileVault have a lot of complications with mobile accounts.
Apple has fully moved to modern authentication; you should look into Platform Single Sign-On with Entra or Okta for the current Apple approach. There are also middle ground options like XCreds and Jamf Connect. All of these options would allow you to use AD Groups (synced to your IDP) to manage things like logging in, with PSSO allowing syncing an IDP group to a local Mac group for a fairly granular RBAC approach.
TL;DR: in the Apple world, on-prem identity with things like AD is dead. You will need to use cloud identity solutions.