Exclude user from Config Profile Password Policy

New Contributor

Hi Everyone.

We are currently using local accounts on our Mac machines and enforcing a password policy via config profiles.

We have a problem as we also have a local admin user account on the machines and they are subject to the password policy too.

Is there anyway to exclude the local admin account from the policy?



New Contributor

Hi Liam,

I have just run into the same issue at our company, where we want/need to exclude an administrative account on the Mac from the password policy. Did you happen to find a solution for your problem?

Thank you in advance,

Contributor III

We've running into a similar issue both with our localadmin account trying to run it and if the computer sits idle at the login screen through the root account. We only want it to run for a user account and not for any others. When I exclude it the policy won't run because it's been told to not run on any computers with "root" or "localadmin"

New Contributor III

yes I would like to exclude a particular hidden admin account from our restriction configuration profile. Is it possible?

New Contributor III

I looked into this a few years ago and was told that the only local user that you could scope "user level" configuration profiles to was the MDM capable user. My understanding at the time was that you could scope a profile to that user, but you couldn't use it as an exception (because this would be like scoping it to multiple users).

Like I said, this was a few years ago, I don't know if things have changed since then or not.

New Contributor II

We have this same issue. Is there still no fix??

New Contributor

Same - any solution anyone is aware of?

New Contributor

Hi guys,
Any solution to use a Computer Level config profile and exclude some local users from this CP?

I've tested with User Level and it worked but some machines have 2 or more local users (shared computer), so only 1 user per time can be MDM Capable and consequently will receive the profile. When first user logoff, for example, the second user can login and need to become MDM capable (using -userLevelMdm or enroll again) to receive the config profile for Passcode. Is there anyway to force 2 or more local users are listed on MDM Capable Users? I think using User Lever in this scenario it's not the best approach.