Locked User Accounts

tgd
New Contributor II

Hi all,

I have a question about locked user accounts. Is it possible to deny complete access to a MacBook after the user has been locked in Microsoft Azure? We recently had a case where a user was locked out but still had access to his MacBook through his "local account".

Is this possible or do we always have to click on Lock Computer in Jamf?

3 REPLIES

dsavageED
Contributor III

If the Mac has a local account, by definition it isn't using your domain services, so unfortunately yes, you would need to lock the machine or use the command "pwpolicy -u $username disableuser".

tgd
New Contributor II

@dsavageED,

The Mac is in our remote management, so there should be no local account. Is there another solution then?

dsavageED
Contributor III

In more detail:

If the Mac is still checking in with Jamf, then you can create a policy to run the command I mentioned above; you can even force a logout.

Create a new policy - give it a name like lock login session, set trigger to Recurring Check-in, Frequency Once per computer

Files and Processes

Execute Command - "pwpolicy -u $username disableuser; killall loginwindow" where $username is the login of the user you want to disable.

Scope this policy to the Mac

Or more simply lock the Mac with the MDM command...
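The policy steps described in the reply above can also be packaged as a script payload instead of a one-line Execute Command. The following is an added example, not code from the thread or from Jamf; it assumes the login to disable is passed as script parameter 4, and the function names and the DRY_RUN switch are hypothetical.

```shell
#!/bin/sh
# Added example for a Jamf Pro policy script payload (not from the thread).
# Assumption: the login to disable is supplied as script parameter 4.
# DRY_RUN=1 prints the commands instead of running them.

# Accept only plain short names: this runs as root, so reject empty values,
# root, service accounts (_name), option-like values and shell metacharacters.
valid_username() {
    case "$1" in
        ''|root|_*|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# $1 = account to disable, $2 = user currently at the console.
disable_and_logout() {
    run pwpolicy -u "$1" disableuser || return 1
    # killall loginwindow ends the active GUI session (unsaved work is lost),
    # so this example only does it when the disabled user owns that session.
    if [ "$1" = "$2" ]; then
        run killall loginwindow
    fi
}

lock_account() {
    valid_username "$1" || { echo "refusing username: '$1'" >&2; return 1; }
    id -u "$1" >/dev/null 2>&1 || { echo "no local account: $1" >&2; return 2; }
    # Owner of /dev/console is the user at the login session (macOS stat syntax).
    console_user=$(stat -f%Su /dev/console 2>/dev/null)
    disable_and_logout "$1" "$console_user"
}

# Jamf always passes $1-$3 (mount point, computer name, username); with no
# arguments the file only defines the functions above.
[ "$#" -eq 0 ] || lock_account "${4:-}"
```

A non-zero return from lock_account becomes the script's exit status, so a rejected or unknown username shows up as a failed policy run in the Jamf logs.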