How do I exclude Local Admin accounts from a 90 day password reset?

willjamf
New Contributor II

Hi,

I have set the Configuration Profile up correctly, it works fine, but I would like the Admin to be excluded.

I tried the Exclusions section, and added the Type as 'Directory Service/Local User' and the name 'Admin', but this does not work.

Any other suggestions please?

Thanks, Will


RaGL
New Contributor III

Hi,

You could try to deploy the configuration profile as a "User-Level" Config Profile, instead of "Computer Level", which will only target a specific user. Please be aware that the user account has to be MDM-enabled to make "User-Level" Config Profiles work.

willjamf
New Contributor II

Super, thanks, I'll try that and let you know.

Will

AJPinto
Honored Contributor III

You can't.
From Apple's perspective MDM (Mobile Device Management) is Device management, not User management. If you want to ensure people are changing their passwords, you should be using something like Apple's Kerberos SSO or PSSO extensions and sync the device password to your IDP. You can also pay for something like Jamf Connect which serves the same purpose.

Kerberos_Single_Sign_on_Extension_User_Guide_en-GB (apple.com)

Platform Single Sign-on for macOS - Apple Support
However, you absolutely should be rotating out your local admin account password. That admin account is a single point of failure, and its password should not be static and should be changed frequently with LAPS or some other tool ensuring password rotation, which would make your situation a non-issue.

willjamf
New Contributor II

Ah, OK, thanks.
I'll look into it all.