We are currently using local accounts on our Mac machines and enforcing a password policy via config profiles.
We have a problem, as we also have a local admin user account on the machines, and it is subject to the password policy too.
Is there any way to exclude the local admin account from the policy?
We've run into a similar issue, both with our localadmin account trying to run it and, if the computer sits idle at the login screen, through the root account. We only want it to run for a user account and not for any others. When I exclude it, the policy won't run, because it's been told not to run on any computers with "root" or "localadmin".
I looked into this a few years ago and was told that the only local user that you could scope "user level" configuration profiles to was the MDM capable user. My understanding at the time was that you could scope a profile to that user, but you couldn't use it as an exception (because this would be like scoping it to multiple users).
Like I said, this was a few years ago; I don't know if things have changed since then or not.
Is there any solution to use a Computer Level config profile and exclude some local users from this CP?
I've tested with User Level and it worked, but some machines have 2 or more local users (shared computer), so only one user at a time can be MDM Capable and consequently will receive the profile. When the first user logs off, for example, the second user can log in and needs to become MDM capable (using -userLevelMdm or enrolling again) to receive the config profile for Passcode. Is there any way to force 2 or more local users to be listed under MDM Capable Users? I think using User Level in this scenario is not the best approach.
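Added example, not part of the thread above: before deciding which accounts a computer-level profile will hit, it helps to list the real local accounts on a Mac (UID 500 and above) and see which of them sit in the admin group. The function below works on the text that `dscl . -list /Users UniqueID` and `dscl . -read /Groups/admin GroupMembership` print on macOS; the sample output embedded here is constructed (a hypothetical shared Mac with `localadmin` plus two standard users), so the script runs anywhere without touching a directory service. The names `SAMPLE_USERS`, `SAMPLE_ADMIN`, `classify_local_accounts` and `standard_accounts` are my own.

```shell
#!/bin/sh
# Classify local macOS accounts as admin or standard from dscl output.
# On a real Mac, call it as:
#   classify_local_accounts "$(dscl . -list /Users UniqueID)" \
#                           "$(dscl . -read /Groups/admin GroupMembership)"

# Constructed sample of `dscl . -list /Users UniqueID` (assumption, not
# captured from a real machine): name, whitespace, UID.
SAMPLE_USERS='_mbsetupuser 248
daemon 1
localadmin 501
nobody -2
root 0
student1 502
student2 503'

# Constructed sample of `dscl . -read /Groups/admin GroupMembership`.
SAMPLE_ADMIN='GroupMembership: root localadmin'

# Prints one line per account with UID >= 500: "<name> <uid> admin|standard".
# $1: output of dscl . -list /Users UniqueID
# $2: output of dscl . -read /Groups/admin GroupMembership
classify_local_accounts() {
    users="$1"
    admin_line="$2"
    # Strip the "GroupMembership:" label, leaving the space-separated members.
    admin_list=$(printf '%s\n' "$admin_line" | sed 's/^GroupMembership: *//')
    printf '%s\n' "$users" | while read -r name uid; do
        [ -z "$name" ] && continue
        # Negative UIDs (nobody is -2) and system accounts below 500 are skipped.
        case "$uid" in -*) continue ;; esac
        [ "$uid" -ge 500 ] || continue
        role=standard
        for member in $admin_list; do
            [ "$member" = "$name" ] && role=admin
        done
        printf '%s %s %s\n' "$name" "$uid" "$role"
    done
}

# Prints only the standard (non-admin) local account names, i.e. the
# accounts a password policy aimed at end users would be expected to cover.
standard_accounts() {
    classify_local_accounts "$1" "$2" | while read -r name uid role; do
        [ "$role" = "standard" ] && printf '%s\n' "$name"
    done
}

classify_local_accounts "$SAMPLE_USERS" "$SAMPLE_ADMIN"
```

Running the sample prints `localadmin 501 admin`, `student1 502 standard` and `student2 503 standard`; on a real machine the same two calls give the list that decides whether a computer-level profile is acceptable or whether per-user scoping is needed.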