Question

How do I exclude Local Admin accounts from a 90 day password reset?



Hi,

I have set the Configuration Profile up correctly, it works fine, but I would like the Admin to be excluded.

I tried the Exclusions section, and added the Type as 'Directory Service/Local User' and the name 'Admin' but this does not work.

Any other suggestions please?

Thanks, Will

RaGL
  • Contributor
  • June 20, 2024

Hi,

You could try to deploy the configuration profile as a "User-Level" Config Profile, instead of "Computer Level", which will only target a specific user. Please be aware that the user account has to be MDM-enabled to make "User-Level" Config Profiles work.


  • New Contributor
  • June 20, 2024

Super, thanks, I'll try that and let you know.

Will


AJPinto
  • Legendary Contributor
  • June 20, 2024

You can't.

 

From Apple's perspective MDM (Mobile Device Management) is Device management, not User management. If you want to ensure people are changing their passwords, you should be using something like Apple's Kerberos SSO or PSSO extensions and sync the device password to your IDP. You can also pay for something like Jamf Connect which serves the same purpose.

Kerberos_Single_Sign_on_Extension_User_Guide_en-GB (apple.com)

Platform Single Sign-on for macOS - Apple Support

 

However, you absolutely should be rotating out your local admin account password. That admin account is a single point of failure, and its password should not be static and should be changed frequently with LAPS or some other tool ensuring password rotation, which would make your situation a non-issue.


  • New Contributor
  • June 20, 2024

Ah, OK, thanks.
I'll look into it all.
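The last answer's point is that the local admin password should be rotated rather than excluded from the policy. A quick way to verify that on a Mac is to read the account's last-password-set timestamp from its accountPolicyData and compare it with the rotation window. The script below is an added example for this thread, not code from Jamf or from any of the posters; it assumes the output shape of `dscl . -read /Users/<name> accountPolicyData` (attribute name on the first line, then an XML plist with a `passwordLastSetTime` key holding a Unix epoch time), and the sample dscl output embedded in it is constructed.

```python
"""Check whether a macOS local admin's password is older than a rotation window.

Added example for this thread (not Jamf's code, nor any poster's). It reads the
local account's accountPolicyData attribute as printed by
`dscl . -read /Users/<name> accountPolicyData`: the attribute name on the first
line, then an XML plist whose passwordLastSetTime key is the Unix epoch time of
the last password change. The sample output below is constructed.
"""
import plistlib
import shutil
import subprocess
import time
from typing import Optional

MAX_AGE_DAYS = 90  # the rotation window discussed in the thread

# Constructed sample in the shape dscl prints (continuation lines start with a space).
SAMPLE_DSCL_OUTPUT = """dsAttrTypeNative:accountPolicyData:
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
     <key>creationTime</key>
     <real>1700000000.0</real>
     <key>failedLoginCount</key>
     <integer>0</integer>
     <key>passwordLastSetTime</key>
     <real>1700000000.0</real>
 </dict>
 </plist>
"""


def parse_account_policy(dscl_output: str) -> dict:
    """Turn dscl's accountPolicyData dump into a dict."""
    lines = dscl_output.splitlines()
    if not lines or not lines[0].startswith("dsAttrTypeNative:accountPolicyData"):
        raise ValueError("not an accountPolicyData dump")
    # Drop the attribute-name line and the one-space indent dscl puts on each value line.
    body = "\n".join(line[1:] if line.startswith(" ") else line for line in lines[1:])
    return plistlib.loads(body.encode("utf-8"))


def password_age_days(policy: dict, now: Optional[float] = None) -> Optional[float]:
    """Days since the password was last set, or None if no set time was recorded."""
    last_set = policy.get("passwordLastSetTime")
    if last_set is None:
        return None
    now = time.time() if now is None else now
    return (now - float(last_set)) / 86400.0


def is_stale(dscl_output: str, now: Optional[float] = None,
             max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True when the password is older than the window or has no recorded set time.

    An account with no passwordLastSetTime is treated as stale on purpose: a
    static password that was never rotated is exactly the case to flag.
    """
    age = password_age_days(parse_account_policy(dscl_output), now)
    return age is None or age > max_age_days


def read_account_policy(username: str) -> str:
    """Query the real local directory; only works on macOS, where dscl exists."""
    if shutil.which("dscl") is None:
        raise RuntimeError("dscl not found; this query only runs on macOS")
    return subprocess.run(
        ["dscl", ".", "-read", f"/Users/{username}", "accountPolicyData"],
        check=True, capture_output=True, text=True,
    ).stdout


if __name__ == "__main__":
    # Demonstrate on the constructed sample with a fixed "now" 100 days after the last set.
    now = 1700000000.0 + 100 * 86400
    age = password_age_days(parse_account_policy(SAMPLE_DSCL_OUTPUT), now)
    print(f"sample age: {age:.0f} days, stale: {is_stale(SAMPLE_DSCL_OUTPUT, now)}")
```

On a real Mac, `is_stale(read_account_policy("admin"))` (run as root, since accountPolicyData is only readable with privileges) gives the same check against the live account; feeding that result into an inventory or extension attribute is how you would confirm a LAPS-style rotation is actually happening rather than trusting that the tool is configured.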

