This guide applies to Mac computers
About the Demote User Accounts Parameter
The “Demote user accounts to Standard” parameter changes all local accounts to standard users. This is particularly useful when you want to limit access to Administrator-level controls, such as for NIST compliance.This Parameter is not compatible with SAP Privileges and the Privileges Checker script.
How It Works
During each agent check-in, the parameter will activate on Mac computers to verify the access level of all local accounts. If any local account, aside from the designated excluded admin, has admin privileges, it will be changed to a standard account. The user will then see a 30-minute countdown before the Mac restarts. After the countdown, the Mac will restart, and all non-excluded local user accounts will be set to standard users.Requirements
- The “Create User Accounts” Parameter must be enabled
- At least one user account must be excluded from demotion
Enabling The Parameter
Once you are in the Blueprint you wish to edit and have enabled the “Demote user accounts to Standard” Parameter, follow these steps to complete the configuration:1
Input Administrator Account
Input the desired Administrator account shortname for the account you wish to exclude from demotion.
2
Add Additional Exclusions
Click Add Exclusion to add additional accounts you would like to remain as Administrators.
3
Save Parameters
Click Save Parameters.