Jamf Nation Community

willjamf · a week ago

Hi,

I have set the Configuration Profile up correctly, it works fine, but I would like the Admin to be excluded.

I tried the Exclusions section, and added the Type as 'Directory Service/Local User' and the name 'Admin' but this does not work.

Any other suggestions please?

Thanks, Will

RaGL · a week ago

Hi,

You could try to deploy the configuration profile as "User-Level" Config Profile, instead of "Computer Level", which will only target a specific user. Please be aware, that the user account has to be MDM-enabled to make "User-Level" Config Profiles work.

willjamf · a week ago

Super, thanks, I'll try that and let you know.

Will

AJPinto · a week ago

You can't.

If you target the Computer Level, it will affect all users on the device.
If you target the User Level, the user must be MDM enabled for it to work which is a lot easier said than done.
- MDM-Enabled Local User Accounts - Jamf Pro Documentation 11.6.0 | Jamf

From Apples perspective MDM (Mobile Device Management) is Device management, not User management. If you want to ensure people are changing their passwords, you should be using something like Apples Kerberos SSO or PSSO extensions and sync the device password to your IDP. You can also pay for something like Jamf Connect which serves the same purpose.

Kerberos_Single_Sign_on_Extension_User_Guide_en-GB (apple.com)

Platform Single Sign-on for macOS - Apple Support

However, you absolutely should be rotating out your local admin account password. That admin account is a single point of failure, and its password should not be static and should be changed frequently with LAPS or some other tool ensuring password rotation, which would make your situation a non-issue.

willjamf · a week ago

Ah, OK, thanks.
I'll look into it all.

Jamf Nation Community

How do I exclude Local Admin accounts from a 90 day password reset?