Restrict items on a specific Pane (Users & Groups)

osxadmin
Contributor II

At the moment I have a configuration profile that restricts access to "Users & Groups" in "System Preferences". I would like to enable it just for the owner of the Mac, with restrictions inside the "Users & Groups" pane.
See picture for more details (I would like to restrict what's inside the red square). So I want the user to have access to "Users & Groups" but disable the action to create or delete an account.

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor III
I'm trying to find out if it's possible to restrict the options inside "Users & Groups".

@osxadmin Which options are you looking to manage? As @khey mentioned, using a Configuration Profile to manage some of the items under the Login Options section is possible, and it grays them out when possible.

See the screenshot below. I'm logged in under my cached AD mobile admin account, with the pane unlocked, but as you can see, the items highlighted in red are grayed out because we manage those in a Configuration Profile. I'm not clear whether the few items that aren't grayed out are that way because we aren't managing them or because they aren't manageable, however. I'd have to go back and look.


However, you mentioned not wanting to allow them to create a new account, which I don't think you can block from a local admin. If someone knows of a way to actually block them from being created, other than running periodic scripts looking for unauthorized accounts and removing them, I'd be all ears on that.

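The periodic check for unauthorized accounts that mm2270 mentions above could look like the following. This is an added example, not a script from the thread or from Jamf: it only reports, the account names and approved list are hypothetical, and the UID cutoff of 501 is an assumption about where macOS starts numbering user-created local accounts.

```shell
#!/bin/sh
# Added example: report local accounts that are not on an approved list.
# Report-only; what to do with a finding is left to the admin's own process.

# Assumption: user-created local accounts get UIDs of 501 and up. An account
# deliberately created with a lower UID would not be reported by this check.
MIN_UID=501

# find_unauthorized_accounts "name1 name2 ..."
#   stdin : lines of "name uid", the shape printed by
#           `dscl . -list /Users UniqueID` on macOS
#   stdout: one "name uid" line per account that is not on the approved list
find_unauthorized_accounts() {
    allowlist=" $1 "
    while read -r name uid; do
        # Skip blank lines and non-numeric or negative UIDs (e.g. nobody, -2).
        case "$uid" in ''|*[!0-9]*) continue ;; esac
        # Skip system and service accounts.
        if [ "$uid" -lt "$MIN_UID" ]; then continue; fi
        case "$name" in _*) continue ;; esac
        case "$allowlist" in
            *" $name "*) ;;                        # approved
            *) printf '%s %s\n' "$name" "$uid" ;;  # not approved: report it
        esac
    done
}

# Constructed sample listing, so the check can be tried without a Mac.
sample_listing() {
    cat <<'EOF'
_mbsetupuser            248
daemon                  1
nobody                  -2
root                    0
localadmin              501
jsmith                  502
tempuser                503
EOF
}

audit_sample() {
    sample_listing | find_unauthorized_accounts "localadmin jsmith"
}

# On a managed Mac the same function takes live input:
#   dscl . -list /Users UniqueID | find_unauthorized_accounts "localadmin jsmith"
audit_sample   # prints: tempuser 503
```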

7 REPLIES 7

khey
Contributor

If you use a configuration profile, users won't be able to change the settings even if they have admin access.

osxadmin
Contributor II

@khey correct.

I'm trying to find out if it's possible to restrict the options inside "Users & Groups".

osxadmin
Contributor II

@mm2270 that's part of what I'm trying to do

See the screenshot below. I'm logged in under my cached AD mobile admin account, with the pane unlocked, but as you can see, the items highlighted in red are grayed out because we manage those in a Configuration Profile. I'm not clear whether the few items that aren't grayed out are that way because we aren't managing them or because they aren't manageable, however. I'd have to go back and look.

Could you describe in detail how to create that configuration profile? I'd really appreciate it.

osxadmin
Contributor II

@mm2270 never mind, I didn't pay attention to the first part of your comment... thanks!

using a Configuration Profile to manage some of the items under the Login Options section is possible, and it grays them out when possible.

mm2270
Legendary Contributor III

@osxadmin Are you using Configuration Profiles from the JSS? Those options are all under the Login Window payload.
Just a word of caution though: in the past, the Login Window payload in a config profile generated from the JSS sometimes stuck other settings into the profile that you didn't explicitly enable, like the auto logout users setting, so look over all the tabs carefully, then do some testing with a couple of Macs to push any Login Window profile to, to make sure it's not messing things up.

Hope that helps get you on the right track.