Blocking user admin account login on macOS

Many of us give our Mac users a separate administrator account for when they need to unlock settings, install software, etc.

But they are not supposed to use that account to log in to the Mac: they should log in with their standard user and use the admin account only to unlock when needed.

Logging in with a user admin account can be blocked with Outset and a script that runs at login and forces a logout, while the account can still be used to unlock settings. Through a configuration profile, selected admin users (e.g. IT staff) remain permitted to log in when needed.

With Outset and the utexas-block-user-admin script installed, when a user logs in with an admin account that is not on the allowed list, they see a full-screen message (via jamfHelper) and are then logged out:


To set up User Admin Blocking:

CONFIG PROFILE

Create a Configuration Profile, e.g. "SITE - Outset - Block User Admin - Settings"

In the profile, add an Application & Custom Settings payload (Upload) containing a plist like the one below. The Upload form also asks for the preference domain the script reads; use the domain documented with the utexas package, not a made-up one, or the script will never see these settings.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Disable</key>
    <false/>
    <key>UsernameMatch</key>
    <string>.*</string>
    <key>OnlyIfAdmin</key>
    <true/>
    <key>AllowedUsers</key>
    <array>
        <string>Jamf-Admin</string>
        <string>engrla</string>
        <string>wbaroni-admin</string>
        <string>jdh7425-admin</string>
        <string>vic66-admin</string>
    </array>
</dict>
</plist>


Set UsernameMatch to a regex pattern: users whose username matches the pattern will not be able to log in (unless they are listed in AllowedUsers).

Examples:

all users: .*

users ending in -admin: ^.*-admin$


Set OnlyIfAdmin to true to block a matching user only if the account actually has admin rights (is a member of the admin group); with false, the name match alone is enough to block.
WARNING: if you use ".*" as the pattern and set OnlyIfAdmin to false, every account except those in AllowedUsers is blocked, standard users included - effectively NO ONE will be able to log in!

Change the list of AllowedUsers to match your IT admin users, and add any exceptions: users who are allowed to log in with their admin account.

If you need to turn user admin login blocking off without uninstalling anything, change Disable to true. Be sure to choose the "Distribute to All" option when saving the profile.


INSTALL

Next, create a policy to install Outset and utexas-blockuseradmin-2.0 (both are available as Jamf packages):

Outset-4.1.2.21936.pkg
utexas-outset-blockuseradmin-2.0.pkg

Scope it to All Computers, or only those you want user admin blocking active on. Set it to install Once Per Computer.

Once Outset and block-user-admin are installed, user admin blocking is active.

NOTE: if Outset and the script are installed before the Config Profile reaches the computer, the script's built-in defaults apply:

Disable: false
UsernameMatch: ^.*-admin$
OnlyIfAdmin: false
AllowedUsers: Jamf-Admin

Because Disable defaults to false, blocking is live as soon as the package lands, and because OnlyIfAdmin defaults to false, any account whose name ends in -admin is blocked whether or not it actually has admin rights (only Jamf-Admin is exempt). Distribute the Config Profile before scoping the install policy so the defaults never take effect.
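To dry-run a profile before distributing it, the sh functions below model the blocking decision that the four keys describe (the settings section above and the built-in defaults in this note). This is an added example written for this page; it is not the utexas-outset-blockuseradmin script or Outset code, the function names are assumptions, and the account names jdoe and student are constructed. The macOS-only admin-group lookup (dsmemberutil) is shown but not used by the dry run, so the rest runs anywhere.

```shell
#!/bin/sh
# Added example (not the utexas-outset-blockuseradmin script or Outset):
# a model of the blocking decision the four profile keys describe, so a
# profile can be dry-run before it is distributed. All function names are
# assumptions made for this example.

# should_block USER IS_ADMIN DISABLE USERNAMEMATCH ONLYIFADMIN ALLOWEDUSERS
#   IS_ADMIN, DISABLE and ONLYIFADMIN are the strings "true" or "false";
#   ALLOWEDUSERS is a space-separated list. Exit status 0 = block, 1 = allow.
should_block() {
    user=$1; is_admin=$2; disable=$3; pattern=$4; only_if_admin=$5; allowed=$6
    # Disable=true switches the whole mechanism off.
    if [ "$disable" = "true" ]; then return 1; fi
    # AllowedUsers are exceptions and are never blocked.
    for a in $allowed; do
        if [ "$a" = "$user" ]; then return 1; fi
    done
    # UsernameMatch is an ERE; a user whose name does not match is not blocked.
    if ! printf '%s\n' "$user" | grep -Eq -e "$pattern"; then return 1; fi
    # OnlyIfAdmin=true limits blocking to accounts that really hold admin rights.
    if [ "$only_if_admin" = "true" ] && [ "$is_admin" != "true" ]; then return 1; fi
    return 0
}

# decision: same arguments as should_block, prints "block" or "allow".
decision() {
    if should_block "$@"; then echo block; else echo allow; fi
}

# lockout_risk DISABLE USERNAMEMATCH ONLYIFADMIN: prints "lockout" for the
# combination the settings section warns about (match everyone, ignore
# admin status, blocking enabled), otherwise "ok".
lockout_risk() {
    if [ "$1" != "true" ] && [ "$2" = ".*" ] && [ "$3" = "false" ]; then
        echo lockout
    else
        echo ok
    fi
}

# On a real Mac the admin-group membership would come from the directory
# service (macOS only; defined here as an assumption, not used by the dry run):
mac_is_admin() {
    dsmemberutil checkmembership -U "$1" -G admin 2>/dev/null | grep -q ' is a member '
}

# Dry run with constructed accounts against the page's example profile
# (Disable=false, UsernameMatch=.*, OnlyIfAdmin=true, AllowedUsers as listed)
# and against the built-in defaults that apply before the profile lands
# (Disable=false, UsernameMatch=^.*-admin$, OnlyIfAdmin=false, Jamf-Admin).
PROFILE_ALLOWED='Jamf-Admin engrla wbaroni-admin jdh7425-admin vic66-admin'
for case in 'jdoe true' 'jdoe-admin true' 'engrla true' 'student false'; do
    set -- $case
    printf '%-12s admin=%-5s profile=%-5s defaults=%s\n' "$1" "$2" \
        "$(decision "$1" "$2" false '.*' true "$PROFILE_ALLOWED")" \
        "$(decision "$1" "$2" false '^.*-admin$' false 'Jamf-Admin')"
done
echo "lockout check for '.*' with OnlyIfAdmin=false: $(lockout_risk false '.*' false)"
```

Run it with sh before pushing a new profile: a standard user such as student must come out as "allow" under the profile you intend to ship, and the lockout check must print "ok". Note that under the defaults a non-admin account named jdoe-admin is still blocked, which is why the profile should land first.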


ALREADY IN USE ACCOUNTS

Some users may have initially (or later) started logging in with their admin account anyway, and now have their email, documents and bookmarks set up in it.

If the account does not have an admin-style name (e.g. username-admin), you can simply demote it with Demote all unauthorized MacOS admin user accounts via Jamf.

However, if they are using their admin-named account, you can rename it to another username with the script rename-user-account.sh, which preserves their settings, documents, etc.

It is best to run rename-user-account.sh over ssh or in Terminal rather than through Jamf. You can download it from https://jamftools.engr.utexas.edu/scripts/rename-user-account.sh

It renames the account and updates the symlinks inside the home folder to the new path. The user's password stays the same. NOTE: the Mac must be rebooted before anyone logs in to the renamed account!