Deny Local User Account Ability to Login?

New Contributor III

We have an admin account we give out to users that unfortunately has the same password for all users. We want to ensure that they cannot just Option + Enter (what is this feature called?) at the login screen to log into the current account, if that makes sense.

I saw in our Config Profile, there is an ability to deny LDAP accounts from logging in... but there is none for a local account.

So my question is, how do I stop users from being able to use Option Enter to bring up the input fields on our FV2 Macs? Why do some computers allow Option Enter and others do not? And is there a way to deny a local account the ability to log in at all and have it only provide authentication?


Contributor III

Have you tried disabling the 'Local-only users may log in' checkbox in the Access tab of the Loginwindow payload?

I usually keep it on (enabled), but it should be simple enough to toggle and test.

New Contributor II

I can't block all local logins, since we (the techs) have a local admin account for our use.


You could change the login shell to /usr/bin/false which should still allow authentication but not login.

New Contributor II

Unfortunately, it blocks login, but also can't be used for auth.

I used to do it this way back in 10.6 days, but 10.7+ changed something so it won't allow authentication.