Posted on 06-20-2024 01:47 AM
Hi,
I have set the Configuration Profile up correctly, it works fine, but I would like the Admin to be excluded.
I tried the Exclusions section, and added the Type as 'Directory Service/Local User' and the name 'Admin' but this does not work.
Any other suggestions please?
Thanks, Will
Posted on 06-20-2024 02:43 AM
Hi,
You could try to deploy the configuration profile as a "User-Level" Config Profile, instead of "Computer Level", which will only target a specific user. Please be aware that the user account has to be MDM-enabled to make "User-Level" Config Profiles work.
Posted on 06-20-2024 02:45 AM
Super, thanks, I'll try that and let you know.
Will
Posted on 06-20-2024 05:10 AM
You can't.
From Apple's perspective, MDM (Mobile Device Management) is Device management, not User management. If you want to ensure people are changing their passwords, you should be using something like Apple's Kerberos SSO or PSSO extensions and sync the device password to your IDP. You can also pay for something like Jamf Connect which serves the same purpose.
Kerberos_Single_Sign_on_Extension_User_Guide_en-GB (apple.com)
Platform Single Sign-on for macOS - Apple Support
However, you absolutely should be rotating out your local admin account password. That admin account is a single point of failure, and its password should not be static and should be changed frequently with LAPS or some other tool ensuring password rotation, which would make your situation a non-issue.
Posted on 06-20-2024 05:39 AM
Ah, OK, thanks.
I'll look into it all.