Allow Local Only Account Login

Published May 27, 2019 / 260 words / ~2 minutes to read

There are times when you may want to only allow local account logins, but also bind to a directory service like AD. Though mobile accounts are a thing of the past and should be avoided, binding in your environment could still have a place. For example, for certificate services or security compliance.

To be clear, I still highly recommend using local accounts on Macs whenever possible. However, AD and its associated services aren’t the problem. It’s directly authenticating user accounts using the built in macOS LDAP plugin that is.

Generally speaking a workflow like this can be used to provision local accounts using NoMAD Login (or Jamf Connect) and still keep a Mac bound for non-account authentication purposes. The result is a bound Mac where there’s no risk of authenticating to a directory service. In situations where users aren’t local admins this also gives more control over what user accounts exist on a Mac. That is, only the local accounts admins provision will exist. There’s no possibiltiy that single user machines will have multiple LDAP mobile accounts created as other users log in.

DEP enrollment > bind to LDAP > provision local account with NoMAD Login > allow local only accounts

This short script can be used to enable local only logins. The first line creates a new com.apple.access_loginwindow group, and then sets that group as allowed on the local OD node. I’m successfully using this today in my current environment.

#!/bin/bash

dseditgroup -o create -q com.apple.access_loginwindow
dseditgroup -o edit -n /Local/Default -a "localaccounts" -t group com.apple.access_loginwindow

exit $?

https://github.com/nstrauss/macos-management-scripts/blob/master/allow_localonly_login.sh