Posted on 04-28-2023 12:20 AM
Hi all,
I have a question about locked user accounts. Is it possible to deny complete access to a MacBook after the user has been locked in Microsoft Azure? We recently had a case where a user was locked out but still had access to his MacBook through his "local account".
Is this possible or do we always have to click on Lock Computer in Jamf?
Posted on 04-28-2023 02:20 AM
If the Mac has a local account, by definition it isn't using your domain services, so unfortunately yes, you would need to lock the machine or use code: "pwpolicy -u $username disableuser"
Posted on 04-28-2023 04:27 AM
The Mac is in our remote management, so there should be no local account. Is there another solution then?
04-28-2023 06:29 AM - edited 04-28-2023 06:29 AM
In more detail:
If the Mac is still checking in with Jamf then you can create a policy to run the command I mentioned above; you can even force a logout.
Create a new policy - give it a name like lock login session, set trigger to Recurring Check-in, Frequency Once per computer
Files and Processes
Execute Command - "pwpolicy -u $username disableuser; killall loginwindow" where $username is the login of the user you want to disable.
Scope this policy to the Mac
Or more simply lock the Mac with the MDM command...
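The policy command from the reply above, wrapped as a script with input checks. This is an added example, not part of the thread. It assumes the script is attached to a Jamf policy with the target username supplied as script parameter 4; the function names are hypothetical.

```shell
#!/bin/bash
# Added example, not from the thread. Assumption: the account to disable is
# passed as Jamf script parameter 4 (custom parameters start at $4).

# Return 0 only for a name that is safe to hand to pwpolicy.
validate_username() {
    local user="$1"
    # Allow only short-name characters; this rejects shell metacharacters.
    case "$user" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    # Never disable root, underscore-prefixed system accounts, or option-like names.
    case "$user" in
        root|_*|-*) return 1 ;;
    esac
    return 0
}

# Owner of the GUI console session (macOS stat syntax).
console_user() {
    stat -f%Su /dev/console 2>/dev/null
}

lock_account() {
    local user="$1"
    validate_username "$user" || { echo "refusing invalid or protected account: $user" >&2; return 2; }
    id "$user" >/dev/null 2>&1 || { echo "no such local account: $user" >&2; return 3; }
    # The command given in the thread: disable the account.
    pwpolicy -u "$user" disableuser || return 4
    # End the GUI session only if the disabled user is the one logged in.
    if [ "$(console_user)" = "$user" ]; then
        killall loginwindow
    fi
}

# Run only when a username is supplied as parameter 4.
if [ -n "${4:-}" ]; then
    lock_account "$4"
    exit $?
fi
```

A non-zero exit code makes the policy show as failed in the Jamf log, so a mistyped or protected username is visible rather than silently ignored.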