Posted on 07-10-2017 02:01 AM
Gents,
We have the following situation in our macOS environment.
The user is using a macbook, on the macbook are the following accounts pre-defined
- local administrator account that is only available for IT Support staff.
- The user's personal account (Managed, Mobile)
The users have the possibility at this moment to create local accounts for family members or kids or even co-workers.
We really want to block that, but keep the admin user rights active for the user of the macbook.
Anyone knows how?
Many thanks!
Posted on 07-10-2017 05:02 AM
You could use configuration profile to disable the 'users & groups'.
Posted on 07-10-2017 11:44 PM
Hi,
Thanks for your answer, are they still able to change their password in this section?
Thanks.
Posted on 07-11-2017 04:54 AM
Once blocked, Users and Groups will be inaccessible.
Posted on 07-11-2017 06:33 AM
@txhaflaire you could have them change their password in System Preferences-> Security & Privacy
Posted on 07-12-2017 02:57 AM
@Johnny.Kim Thanks, we have deployed the mobileconfig, but when using ADPassMon and they use "change password", they are still able to get into the pane.
@osxadmin Thanks for your reply!
Posted on 07-12-2017 04:19 AM
There are a few other ways the users could create accounts if they really wanted to. sysadminctl and dscl could both do it from the terminal.
Not sure how technical the users are so this might not be an issue.
I would probably go with blocking the users and groups preference pane as a "deterrent" on the understanding that there are other ways they could get around it.
Any other solutions I can think of would be quite "hacky".
Posted on 07-26-2017 06:02 AM
@davidacland Thank you for your reply !
Posted on 07-26-2017 06:22 AM
Hi,
One way to monitor whether the user has made use of those commands might be to set up an extension attribute to count the number of local accounts, including invisible and service accounts, via a dscl call, and then subtract all known legitimate service accounts from that count.
Your remaining count should then be two - the local admin account and the legitimate user account. You could even take two off that to get a good result of 0.
Any machines which return above 0 are then visible together in a smart group as "out of security policy".
I think something like that would work, but I don't quite have time to bash it out myself this moment, if anyone wants to run with it, or is it flawed as an idea?
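The account-count check proposed in the post above, written out as a Jamf-style extension attribute script. This is an added example, not code from the thread or from Jamf. It parses the listing that `dscl . -list /Users UniqueID` prints on a Mac (accounts created with `sysadminctl -addUser` or `dscl . -create /Users/<name>` appear there like any other), drops service accounts, drops an allow-list of known accounts, and reports how many accounts remain beyond the expected number. The IT admin name `itadmin`, the UID 500 boundary between service and user accounts, and the expectation of exactly one non-allow-listed account (the user's own mobile account) are assumptions, as is the sample listing, which is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): extension-attribute style check that counts local
# accounts beyond an allow-list, in the spirit of the "should be two, take two off" idea.
#
# Assumptions, not taken from the thread: the IT local admin is named "itadmin", service
# accounts have names starting with "_" or a UID below 500, and exactly one
# non-allow-listed account (the user's mobile account) is expected on every Mac.

# Constructed sample in the format of "dscl . -list /Users UniqueID", for a Mac where the
# user has added an extra local account named "kid".
SAMPLE_LISTING='_mbsetupuser   248
_spotlight     89
daemon         1
itadmin        501
jdoe           1025
kid            502
nobody         -2
root           0'

ALLOWED_ACCOUNTS="itadmin"   # space-separated list of legitimate non-service accounts

# count_unexpected_accounts LISTING ALLOWED EXPECTED
# Prints the number of user accounts beyond EXPECTED; 0 means the Mac is within policy.
count_unexpected_accounts() {
    listing=$1
    allowed=$2
    expected=${3:-1}
    count=0
    while read -r name uid; do
        [ -n "$name" ] || continue
        case "$name" in _*) continue ;; esac          # service-account naming convention
        [ "$uid" -ge 500 ] 2>/dev/null || continue     # service accounts use UIDs below 500
        skip=0
        for a in $allowed; do
            [ "$a" = "$name" ] && skip=1
        done
        [ "$skip" -eq 0 ] || continue
        count=$((count + 1))
    done <<EOF
$listing
EOF
    extra=$((count - expected))
    [ "$extra" -ge 0 ] || extra=0
    echo "$extra"
}

# When run by Jamf on a Mac, query the real directory node; elsewhere use the sample.
if [ "$(uname)" = "Darwin" ] && command -v dscl >/dev/null 2>&1; then
    result=$(count_unexpected_accounts "$(dscl . -list /Users UniqueID)" "$ALLOWED_ACCOUNTS" 1)
else
    result=$(count_unexpected_accounts "$SAMPLE_LISTING" "$ALLOWED_ACCOUNTS" 1)
fi
echo "<result>$result</result>"
```

A smart group on "result is greater than 0" then collects the out-of-policy Macs. The underscore and UID heuristics are only that: a user with admin rights can give a dscl-created account a low UID or an underscore name and slip past them, so an explicit list of the service accounts your build actually ships, compared against the full listing, is the stricter form of this check.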
Posted on 07-26-2017 06:38 AM
@txhaflaire you're going to want to move away from ADPassMon per macmule's blog post - https://macmule.com/2017/04/01/adpassmon-is-dead-long-live-nomad/#more-2662 - as it is no longer being maintained.
We were using ADPassMon as well, but are in process of moving to NoMAD.