Hi All. It’s another customer request blog! *does a little dance*
I recently had to update a script for a customer that I’d written a year or two ago. It seemed kinda helpful and I was surprised I hadn’t written up my notes on it at all, so here it is.
The customer had a number of Macs spread over various locations, but wanted to ensure only certain network users (Active Directory) could log into them. They already had a group in Active Directory for this task.
This option can be found (on directory bound Macs) in System Preferences > “Users & Groups” > “Login Options” > “Allow Network users to log in at the login window”.
This has three possible values:
- ‘Yes’ (ticked)
- ‘No’ (unticked)
- ‘Other’ (by clicking the “Options…” button you can specify which groups or users can log in).
Now the challenge was how to automate the above.
Why not use a Profile?
This was my first thought. The customer is a Jamf Pro (formerly Casper) customer, and so has access to a fully fledged MDM solution. Actually, looking through the profile payloads, there is an option to do what we required under “Login Window” > “Access”.
Playing with these I hit two issues:
- The customer’s server was not on-premise and wasn’t linked to their Active Directory. The values in the above profile payload can only be populated by searching the live Directory within the profile / MDM server.
- This payload did not work at the time (OS X 10.11.2/.3), both in my testing and as discussed here. This also seemed to be the same when using a Profile Manager (*shudder*) produced profile.
So, with a sad face, I started looking at other options.
So after a lot of digging, research and throwing things at a test device (or three), I came across this Jamf Nation post by none other than Greg Neagle, detailing the minimum requirements for the setup. I’ll add that to the list of things I owe him a beer for 😉
I’ve taken the customer-specific script and rewritten it to be more generic; it can be found on the Amsys GitHub pages, here.
Some gotchas around usage:
- Please test this in your own environment on non-production Macs!!
- Edit the ‘allowGroup’ variable on line 33 (here) with the name of the directory user group you wish to allow access to the Mac. I’ve left an example group called ‘AllowedMacUsers’ for you to replace.
- In testing, I found that by only adding the allow group, none of the local users could log in (including the local admin!). Set the variable on line 36 (here) as follows:
  - ‘admin’ – if you want to allow only local admin users to log in, in addition to your allow group.
  - ‘all’ – if you want to allow all local user accounts to log in, in addition to your allow group.
  - Anything else (preferably ‘no’ or ‘none’)! – if you want to allow only the allow group to log in, and no local users at all.
- The script will need to be run after the local Mac is bound to the directory system, otherwise it may fail to add the directory user group to the ‘allowed’ list.
- I’ve only tested this scripted solution on 10.11.x and 10.12.x. There’s no reason it shouldn’t work on newer OSes but I’ve just not got round to testing it!
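For those who want to see the mechanics rather than just download the finished script, here is an added example (my illustration here, not the Amsys GitHub script) that applies the same policy with dseditgroup: it nests the directory group in com.apple.access_loginwindow, mirrors the ‘admin’ / ‘all’ / none handling described above, refuses to run if the directory group doesn’t resolve (i.e. the Mac isn’t bound yet), and prints the resulting membership so you can check it before logging out. ‘AllowedMacUsers’ is a placeholder, and the use of the built-in ‘localaccounts’ group for the ‘all’ case is my choice, not something from the original script.

```shell
#!/bin/bash
# Added example, not the Amsys GitHub script: restrict login-window access to
# one directory group by nesting it in the local group the login window
# consults (com.apple.access_loginwindow), then optionally nest 'admin' or
# 'localaccounts' so local accounts are not locked out as well.
# 'AllowedMacUsers' is a placeholder; run as root on an already-bound Mac.
allowGroup="AllowedMacUsers"   # directory group to allow (placeholder)
localAccess="admin"            # 'admin', 'all', or anything else for none
lwGroup="com.apple.access_loginwindow"

# Map the local-access setting to the built-in local group to nest, if any.
local_group_for() {
    case "$1" in
        admin) echo "admin" ;;          # local admins keep access
        all)   echo "localaccounts" ;;  # every local account keeps access
        *)     echo "" ;;               # directory group only
    esac
}

# Print the dseditgroup commands for a policy, one per line, so the plan can
# be reviewed before anything changes. Creation is skipped when the group
# already exists, so the script can be re-run safely.
plan_commands() {
    group="$1"; nest="$(local_group_for "$2")"
    echo "dseditgroup -o read -n /Local/Default $lwGroup >/dev/null 2>&1 || dseditgroup -o create -n /Local/Default $lwGroup"
    echo "dseditgroup -o edit -n /Local/Default -a '$group' -t group $lwGroup"
    [ -n "$nest" ] && echo "dseditgroup -o edit -n /Local/Default -a $nest -t group $lwGroup"
    return 0
}

# True only when the directory group resolves through the search path, i.e.
# the Mac is bound; nesting an unresolvable name would not restrict anything.
directory_group_resolves() {
    dscl /Search -read "/Groups/$1" RecordName >/dev/null 2>&1
}

# Run each planned command (DRY_RUN=1 just prints them), then show the
# resulting membership so it can be verified before logging out.
apply_plan() {
    plan_commands "$1" "$2" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "[dry-run] $cmd"; else sh -c "$cmd"; fi
    done
    dscl . -read "/Groups/$lwGroup" NestedGroups GroupMembership
}

if [ "${RUN_MAIN:-0}" = 1 ]; then   # e.g. sudo RUN_MAIN=1 bash restrict_login.sh
    directory_group_resolves "$allowGroup" || { echo "'$allowGroup' not found; is the Mac bound?" >&2; exit 1; }
    apply_plan "$allowGroup" "$localAccess"
fi
```

Run it once with DRY_RUN=1 to see exactly which dseditgroup commands would be issued before letting it touch a test Mac.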
How do I remove the restriction?
So you’ve had a play and changed your mind? Or perhaps the requirement has changed? How do you remove the restrictions above?
- Log in to the Mac, launch System Preferences and go to “Users & Groups” > “Login Options”, tick the “Allow Network users to log in at the login window” option and log out.
- Or, run the command
dscl . -delete /Groups/com.apple.access_loginwindow
And there we go, I’ve detailed the solution I used to restrict access on macOS to a certain user group. Hopefully that’ll help some of you out! As always, if you have any questions, queries or comments, let us know below (or @daz_wallace on Mac Admins Slack) and I’ll try to respond to and delve into as many as I can.
The usual Disclaimer:
While the author has taken care to provide our readers with accurate information, please use your discretion before acting upon information based on the blog post. I will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.