Posted on 07-24-2023 11:24 AM
Hi,
I'm looking for a way to set up an Extension Attribute to let us know when a local user account is locked out of their MacBook.
I'm not seeing, and don't know of, a way to track this in JAMF. The devices are not bound to AD. Currently in JAMF when I check the local user account and click on managed for that account, I only see the option to unlock it, but it doesn't say if the account is locked or not.
Posted on 07-24-2023 12:23 PM
This may help.
https://community.jamf.com/t5/jamf-pro/detecting-status-of-local-account-is-it-locked/m-p/193629
I can't test it ATM since I don't have a locked account on any device near me.
Posted on 07-24-2023 01:15 PM
Hey @mm2270,
Thanks for the reply. In this scenario, our devices aren't bound to the domain, so I don't think we'd be able to utilize that lockoutTime line.
Posted on 07-24-2023 01:55 PM
Yeah, sorry, I didn't look closely enough at that to see that it was related to AD accounts.
So, do you have a local password policy applied to accounts? I assume yes, if the account can get locked from too many bad password attempts.
If so, you can try using the pwpolicy command. Something like pwpolicy -getaccountpolicies <account> or pwpolicy -authentication-allowed <account> might be able to give you what you're looking for.
Posted on 07-25-2023 07:23 AM
Remember that the EA will only show you the status from the last time inventory was collected - which may affect your workflow. (RIP Jamf Remote, looking forward to your return)
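The pwpolicy check suggested in the thread, sketched as a Jamf Pro Extension Attribute script; this is an added example, not code from any of the posters or from Jamf. It names the account with -u, and both the output phrases it matches and the UID > 500 cut-off for local user accounts are assumptions.

```shell
#!/bin/sh
# Jamf Pro Extension Attribute (added example): list local accounts that the
# local password policy currently refuses to authenticate.

# Map the pwpolicy output for one account to a status word.
# Assumption: the output contains "is not allowed to authenticate" for a
# refused account and "is allowed to authenticate" otherwise.
classify_auth_output() {
    case "$1" in
        *"is not allowed to authenticate"*) echo "Blocked" ;;
        *"is allowed to authenticate"*)     echo "Allowed" ;;
        *)                                  echo "Unknown" ;;
    esac
}

# Read "user status" lines on stdin and build the single EA value.
# Blocked accounts take priority; unparseable results are surfaced rather
# than silently reported as healthy.
summarize() {
    blocked="" unknown=""
    while read -r user status; do
        case "$status" in
            Blocked) blocked="${blocked:+$blocked, }$user" ;;
            Unknown) unknown="${unknown:+$unknown, }$user" ;;
        esac
    done
    if [ -n "$blocked" ]; then
        echo "Blocked: $blocked"
    elif [ -n "$unknown" ]; then
        echo "Unknown: $unknown"
    else
        echo "None blocked"
    fi
}

# Only query when running on a Mac that has pwpolicy.
if command -v pwpolicy >/dev/null 2>&1; then
    result=$(
        # Assumption: local user accounts have a UniqueID above 500.
        dscl . -list /Users UniqueID | awk '$2 > 500 { print $1 }' |
        while read -r user; do
            out=$(pwpolicy -u "$user" -authentication-allowed 2>&1)
            printf '%s %s\n' "$user" "$(classify_auth_output "$out")"
        done | summarize
    )
    # Jamf Pro reads the EA value from the <result> tags.
    echo "<result>$result</result>"
fi
```

Like any EA, the value is only as fresh as the last inventory collection. An account can also be refused for policy reasons other than too many failed attempts, so "Blocked" is a prompt to look at the device rather than proof of a lockout.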