JAMF Extension Attribute - Local Account Status

New Contributor



I'm looking for a way to set up an Extension Attribute to let us know when a local user account is locked out of their MacBook.

I'm not seeing, and don't know of, a way to track this in JAMF. The devices are not bound to AD. Currently in JAMF, when I check the local user account and click on managed for that account, I only see the option to unlock it, but it doesn't say whether the account is locked or not.



Legendary Contributor III

This may help.


I can't test it ATM since I don't have a locked account on any device near me.

New Contributor

Hey @mm2270 ,


Thanks for the reply. In this scenario, our devices aren't bound to the domain, so I don't think we'd be able to utilize that lockoutTime line. 

Legendary Contributor III

Yeah, sorry, I didn't look closely enough at that to see that it was related to AD accounts.

So, do you have a local password policy applied to accounts? I assume yes, if the account can get locked from too many bad password attempts.

If so, you can try using the pwpolicy command. Something like pwpolicy -getaccountpolicies <account> or pwpolicy -authentication-allowed <account> might be able to give you what you're looking for.
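
One way to turn the pwpolicy suggestion above into an Extension Attribute, as an added example that is not code from anyone in this thread. It calls pwpolicy as pwpolicy -u <account> -authentication-allowed; the output wording it matches, the UID >= 501 cutoff for regular local users, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): Jamf Pro Extension Attribute listing
# local accounts that the local password policy currently blocks.

TAB=$(printf '\t')

# Map pwpolicy -authentication-allowed output to a status word.
# Assumption: the output says "is allowed to authenticate" or
# "is not allowed to authenticate"; anything else is reported as Unknown.
classify_auth_status() {
    case "$1" in
        *"is not allowed to authenticate"*) echo "Locked" ;;
        *"is allowed to authenticate"*)     echo "OK" ;;
        *)                                  echo "Unknown" ;;
    esac
}

# Read "username<TAB>pwpolicy output" lines on stdin, print the EA value.
# The body runs in a subshell so its variables stay local.
summarize_accounts() (
    locked="" unknown=""
    while IFS="$TAB" read -r user output; do
        [ -n "$user" ] || continue
        case "$(classify_auth_status "$output")" in
            Locked)  locked="${locked:+$locked, }$user" ;;
            Unknown) unknown="${unknown:+$unknown, }$user" ;;
        esac
    done
    if [ -n "$locked" ]; then
        echo "Locked: $locked"
    elif [ -n "$unknown" ]; then
        echo "Unknown: $unknown"
    else
        echo "None locked"
    fi
)

# On a Mac (Jamf runs EAs as root): check each account with UID >= 501
# (assumed cutoff for regular local users) and print the <result> value.
if command -v pwpolicy >/dev/null 2>&1 && command -v dscl >/dev/null 2>&1; then
    value=$(dscl . -list /Users UniqueID | awk '$2 >= 501 {print $1}' |
        while read -r u; do
            status=$(pwpolicy -u "$u" -authentication-allowed 2>&1 | tr '\n\t' '  ')
            printf '%s\t%s\n' "$u" "$status"
        done | summarize_accounts)
    echo "<result>$value</result>"
fi
```

Reporting "Unknown" separately keeps an unexpected pwpolicy message from being read as "not locked" in a Smart Group.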

Valued Contributor

Remember that the EA will only show you the status from the last time inventory was collected - which may affect your workflow. (RIP Jamf Remote, looking forward to your return)