Restrict Domain User Logins

rlambdin
New Contributor

I would like to find a way to restrict who can login to my student MacBooks. In our building each student has their own MacBook that they use from day to day. I'm going to be adding them to the domain soon and just wondered if anyone knows an easy way to configure them so that only the initial student can login to the machine.

Currently each MacBook has a local account created that the students login to. Once I set them up for domain logins I need to delete the local account and I'd like to make it so that only the first domain user that logs in is able to from then on.

3 REPLIES

apizz
Valued Contributor

Sounds like a big roll out.

My advice, keep the local account on the machine for now. God forbid something goes wrong with domain binding, you at least have that.

I too have been looking to restrict precisely who can and cannot login to a particular machine. While I haven't personally fully tested this yet, in Configuration Profiles there is a "Login Window" payload which would allow you to specify specific users and/or specific groups that can or can't sign in. All you'd have to do is scope the profile to the machines you want.


e029851
New Contributor

I tried using this feature, but could only add under the "Allow" from a Staff Domain, when searching. I need to be able to add a local Admin account and a generic student account (from a Student Domain).
Any suggestions?

Look
Valued Contributor III

If you require a non-config-based solution...
Put the following script in a policy set to the login trigger, scope Limitations to the users you explicitly want to prevent, and scope Exclusions to users you explicitly want to allow.
You might want to select Make available offline to ensure it runs when the JSS is not visible.
It's certainly a bit of a hack as it doesn't actually prevent login, it just logs them back out again immediately. It's also rather old and hasn't been tested since we moved to Configuration Profiles, which means 10.11 and 10.12 have not been tested at all....

#!/bin/bash
# Jamf passes the username of the user logging in as $3 to login-triggered policies.
if [ "$3" ]; then
# Show a full-screen notice (path quoted because it contains a space), wait, then
# kill the user's loginwindow process, which logs them straight back out.
"/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -heading "Access Violation" -description "Access to this computer is denied for the current username $3" -windowType fs &
sleep 5
# The !/awk/ guard stops awk matching its own process line in the ps output.
kill $(ps -e -U "$3" | awk '/loginwindow/ && !/awk/ { print $1 }')
killall jamfHelper
fi
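The original question wanted only the first domain user who logs in to keep access. The script below is an added example, not code from this thread, that builds on Look's logout-at-login approach: the first username seen is written to an owner file and every later user is logged out, except names in an always-allowed list. The owner file path (/var/db/machine_owner) and the admin name (localadmin) are assumptions, not Jamf conventions.

```bash
#!/bin/bash
# Login-trigger policy script: first user to log in becomes the machine owner.
OWNER_FILE="${OWNER_FILE:-/var/db/machine_owner}"   # assumed path, not a Jamf path
ALLOWED_ALWAYS="${ALLOWED_ALWAYS:-localadmin}"       # space-separated; hypothetical admin

# decide_access USER OWNER_FILE -> prints "allow" or "deny" (exit 0 / 1).
# Always-allowed names pass; otherwise the first user seen is recorded as owner
# and only that user is allowed afterwards.
decide_access() {
    user="$1"; owner_file="$2"
    [ -z "$user" ] && { echo deny; return 1; }
    for a in $ALLOWED_ALWAYS; do
        [ "$a" = "$user" ] && { echo allow; return 0; }
    done
    if [ ! -s "$owner_file" ]; then
        # No owner yet: claim the machine for this user.
        printf '%s\n' "$user" > "$owner_file" || { echo deny; return 1; }
        echo allow; return 0
    fi
    if [ "$(head -n 1 "$owner_file")" = "$user" ]; then
        echo allow; return 0
    fi
    echo deny; return 1
}

# force_logout USER: same mechanism as the thread's script - show a notice,
# then kill the user's loginwindow so the session ends immediately.
force_logout() {
    "/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" \
        -heading "Access Violation" \
        -description "Access to this computer is denied for the current username $1" \
        -windowType fs &
    sleep 5
    kill $(ps -e -U "$1" | awk '/loginwindow/ && !/awk/ { print $1 }')
    killall jamfHelper
}

# Jamf passes the logging-in username as $3; do nothing when run by hand.
if [ -n "$3" ]; then
    if [ "$(decide_access "$3" "$OWNER_FILE")" = deny ]; then
        force_logout "$3"
    fi
fi
```

Like the original, this only logs the user out after the session starts; pair it with the Login Window payload if you need a real pre-login block.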