2 weeks ago
Hi,
I have set the Configuration Profile up correctly, it works fine, but I would like the Admin to be excluded.
I tried the Exclusions section, and added the Type as 'Directory Service/Local User' and the name 'Admin' but this does not work.
Any other suggestions please?
Thanks, Will
2 weeks ago
Hi,
You could try to deploy the configuration profile as a "User-Level" Config Profile, instead of "Computer Level", which will only target a specific user. Please be aware that the user account has to be MDM-enabled to make "User-Level" Config Profiles work.
2 weeks ago
Super, thanks, I'll try that and let you know.
Will
2 weeks ago
You can't.
From Apple's perspective, MDM (Mobile Device Management) is Device management, not User management. If you want to ensure people are changing their passwords, you should be using something like Apple's Kerberos SSO or PSSO extensions and sync the device password to your IDP. You can also pay for something like Jamf Connect which serves the same purpose.
Kerberos_Single_Sign_on_Extension_User_Guide_en-GB (apple.com)
Platform Single Sign-on for macOS - Apple Support
However, you absolutely should be rotating out your local admin account password. That admin account is a single point of failure, and its password should not be static and should be changed frequently with LAPS or some other tool ensuring password rotation, which would make your situation a non-issue.
2 weeks ago
Ah, OK, thanks.
I'll look into it all.