Restart Mac with others logged in, without an admin account

mdonovan
New Contributor III

We have multiple dual-boot classrooms where students wanting to restart into Windows are prevented by the OSX admin prompt because other accounts are logged in.

Has anyone come up with a way to get around this, so that standard users (students with AD accounts) can restart a Mac without having to force shut-down?

13 REPLIES

mm2270
Legendary Contributor III

Given that this would only happen when Fast User Switching is enabled, I have to assume that function is on on your Macs. Is there a requirement to leave that on? Do your students need to be able to fast user switch? If not, I would say the easiest way to stop this would be to turn that off and keep it disabled with something like an MCX setting or Config Profile.

If that isn't an option for you, you should be able to create a Self Service item that would run a script with admin rights to reboot the Mac.

mdonovan
New Contributor III

Thanks for the response. Yes, fast user switching is enabled, but even if it was turned off, users leaving themselves logged in and then walking off, the next user that comes along still has the same problem. This does however make it easier for us to restart the machine if 'user x' has been inactive for 'y minutes', which is probably a better line of thinking in trying to overcome this problem.

I'd still be keen to hear of anyone else's experiences in this situation.

ahambidge
New Contributor II

@mdonovan, I think @mm2270 is right on the money - craft a script that you can put in Self Service that will force reboot the Mac to the Windows partition. I'm not sure entirely how you would script that (my scripting skills are pretty limited in this regard), but it's doable. I'll play around with something and see if I can come up with something.

mdonovan
New Contributor III

Thanks Andrew. However, I think I should clarify the earlier premise. I am talking about when a user walks up to a Mac, sees the login window, but when clicking Restart at the bottom of the screen, an OSX window appears in the middle of the screen asking for an admin username & password to be entered to allow the restart of the Mac to occur despite other users being logged in.

A Self-Service item in this situation would not be of any help as a user would need to be logged in first.

* Apologies, yes, they could log in and then open Self-Service, but this is outside the scope of what we are trying to achieve, in that the process has to be as transparent and hassle-free as possible for students.

ahambidge
New Contributor II

@mdonovan, ah, I see now. I misread your need; thank you for clarifying. That's a puzzler, and not sure it's one I can answer with my skillset. I'll ask around my workplace though, see if anyone has come up with a solution or something similar that may work for you.

talkingmoose
Moderator

The first step is to disable Fast User Switching as @mm2270 mentioned. A Standard OS X user cannot log out someone else.

A Standard OS X user also cannot unlock someone else's locked session and he can't access any tools to let him do this while the screen is locked under someone else's credentials.

Therefore, the user must push the power button and crash the computer. Not desirable. You must think of an incentive to get the previous user to log out or set a very short time to automatically log out someone when the computer is idle.

A long time ago, the management for one of my groups had me modify the authorization database to allow a Standard user to unlock other Standard user accounts. It was a stupid idea and not one I'd recommend ever doing for security and HR reasons. But it worked.

spotter
New Contributor III

Have you tried to create a Configuration Profile with "Login Window" and set the "Log out user after: XX minutes of inactivity"?

tijones
New Contributor II

Hey Mark,

I think the setting that controls this is in here

security authorizationdb read system.restart

maybe set it to allow all users like this and see what happens (this is possibly not the best way to allow all users)

security authorizationdb write system.restart allow

dwdyke
New Contributor

Is there a way of removing Sleep and Log Out User ID so the only choices are to restart or shutdown? Our students seem to choose log out and that creates the admin box for the next user. I have not seen it if they restart or shut down. Any help would be welcomed.
Thanks,
Don

slemp
New Contributor

@tijones's note works great for me in Mojave - very helpful in a lab setting. This causes the computer to restart whenever you click restart without prompting for authentication (or notifying you that someone else is logged in, for that matter).

sudo security authorizationdb write system.restart allow

Also, you can allow the ability to shutdown by writing the same 'allow' preference to the system.shutdown domain.

sudo security authorizationdb write system.shutdown allow

I'm not sure of the significance, but when you do this, you are changing from an 'evaluate-mechanisms' class to a 'rule' class for the entry in the authorizationdb (https://scriptingosx.com/2018/05/demystifying-root-on-macos-part-4-the-authorization-database/). Is there a way to maintain the evaluate-mechanisms class and do this?

kwoodard
Valued Contributor

I know this is an old thread, but I have a need for this. @slemp's script works if I send it out via ARD. I have the script saved as a "Script" in Jamf, have a policy set to run it on every computer, yet it fails. Any idea as to why?

#!/bin/bash
sudo security authorizationdb write system.restart allow
sudo security authorizationdb write system.shutdown allow

wifichallenges
Contributor II

Since this thread is old, is there now a built-in way to do this in Jamf? Or do I have to apply this preference somehow? Would love to have users be able to restart their machine with zombie users!!!

I already have set "logout users after 30 minutes" but I guess it's not working or something? Because I still run into this fairly frequently.

wifichallenges
Contributor II

Not sure why I never did this back in 2022, but this came up again. Specifically due to GarageBand, which apparently if some other user is idle and running it, will not let another user run the same program....

Since the second user cannot log off the first user, and cannot restart the machine, they power cycle it hard... not cool.

Anyways, the commands are actually as follows; make a policy and make a script with the following. This is why it did not work for kwoodard, I am pretty sure. I have several scripts and they all follow the same syntax:

/usr/bin/security authorizationdb write system.restart allow
/usr/bin/security authorizationdb write system.shutdown allow

I guess I was waiting to see if Jamf had this built in yet and then forgot about it because we don't have too many Macs and no one complained about it, they just power cycle them all the time....

The above does work, I just tested it. Set the policy to recurring check-in, run once per machine, and done.
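
Added example, not part of any post in this thread: a root-run wrapper around the two security authorizationdb commands above that saves each right's original definition (the 'evaluate-mechanisms' entry slemp mentions) before writing allow, verifies the result, and can put the original back. The backup directory, the function names, and the use of Jamf script parameter 4 to select "open" or "restore" are assumptions of this example.

```shell
#!/bin/bash
# Added example (not from the thread). Run as root, e.g. from a Jamf policy,
# with script parameter 4 set to "open" or "restore" (an assumption of this example).
SECURITY_BIN="${SECURITY_BIN:-/usr/bin/security}"
# Hypothetical backup location; choose a directory only root can write to.
BACKUP_DIR="${BACKUP_DIR:-/Library/Application Support/AuthDBBackup}"
RIGHTS="system.restart system.shutdown"

# Print the value of the plist "class" key for a right, e.g. "evaluate-mechanisms".
right_class() {
    "$SECURITY_BIN" authorizationdb read "$1" 2>/dev/null |
        awk '/<key>class<\/key>/ { getline; gsub(/.*<string>|<\/string>.*/, ""); print; exit }'
}

# Succeed only if the right's "rule" array contains "allow".
right_is_open() {
    "$SECURITY_BIN" authorizationdb read "$1" 2>/dev/null |
        awk '/<key>rule<\/key>/ { r = 1; next }
             r && /<\/array>/ { exit }
             r && /<string>allow<\/string>/ { found = 1 }
             END { exit !found }'
}

# Save the current definition once, then write "allow" and verify it took effect.
open_right() {
    if right_is_open "$1"; then echo "$1: already allow"; return 0; fi
    mkdir -p "$BACKUP_DIR" || return 1
    [ -s "$BACKUP_DIR/$1.plist" ] ||
        "$SECURITY_BIN" authorizationdb read "$1" > "$BACKUP_DIR/$1.plist" 2>/dev/null || return 1
    "$SECURITY_BIN" authorizationdb write "$1" allow 2>/dev/null || return 1
    right_is_open "$1" && echo "$1: class is now $(right_class "$1")"
}

# Put back the saved definition (the write subcommand reads a plist from stdin).
restore_right() {
    [ -s "$BACKUP_DIR/$1.plist" ] || { echo "$1: no backup" >&2; return 1; }
    "$SECURITY_BIN" authorizationdb write "$1" < "$BACKUP_DIR/$1.plist" 2>/dev/null
}

case "${4:-}" in
    open)    for r in $RIGHTS; do open_right "$r" || exit 1; done ;;
    restore) for r in $RIGHTS; do restore_right "$r" || exit 1; done ;;
esac
```

Because the backup is only taken while the right is not yet set to allow, running "open" repeatedly never overwrites the saved original.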