MacOS Managed Local Accounts: Friend or Foe? (With a New Friend in Town!)

The world of managing Macs just got a whole lot friendlier (or potentially foe-ish?) with the introduction of a new exciting feature: Managed Local Accounts. Announced at WWDC 2023 and released in Intune today with service release 2402, these features promise to revolutionize the way you handle Mac enrollment and administration. But before you jump in headfirst, let's explore their potential impact from both sides of the coin.

Friend: Managed Local Accounts

Say goodbye to the hassle of individual user accounts and hello to streamlined management! Managed Local Accounts allow you to pre-configure local accounts directly through the Intune admin center. This means:

  • Simplified deployment: No more manual setup for each user. Assign pre-configured accounts instantly.
  • Enhanced security: Limit privileges and enforce other policies remotely.
  • Improved control: Manage the configured account centrally and effortlessly.

Foe: Managed Local Accounts

While the benefits are undeniable, some things to consider are:

  • Limited User Privileges: The managed account is created as a standard user account without admin rights, which can hinder tasks requiring elevated permissions such as installing software or modifying system settings. As the Mac management ecosystem is still evolving, this can create friction for users and potentially require IT intervention for routine tasks.
  • No Official LAPS Equivalent: macOS doesn't have a built-in tool like Microsoft's LAPS for centrally managing local admin passwords. This means more complex password management and potential security risks if credentials aren't rotated regularly.
  • View-Only Remote Support: While Intune offers remote access to devices, it's limited to viewing the screen without interaction. This makes troubleshooting and assisting users more challenging, especially for issues requiring admin privileges.

New Friend Alert: Await Final Configuration

Joining the party is Await Final Configuration, a feature that releases the device to the desktop only when all the configurations and restrictions from Intune have been installed and applied on the device. This means:

  • Enhanced security: Setup Assistant only releases the device to the desktop once all configurations are installed, before the user is allowed access to the device.
  • Enhanced user experience: The user receives a device that is fully configured and secured with all required settings.

Decoding the Friend: Diving Deep into Managed Local Accounts

Now that we've introduced the dynamic duo of Managed Local Accounts and Await Final Configuration, let's delve deeper into the friend, Managed Local Accounts, and understand it before tackling its partner.

Understanding the Command:

The magic behind Managed Local Accounts lies in the AccountConfigurationCommand, which is pushed via Intune. This command enables Intune to remotely create and configure local accounts on enrolled macOS devices.

Here's a breakdown of the key elements involved in the AccountConfigurationCommand:


The Final Stretch: The Waiting Room

Now that we've explored the power of Managed Local Accounts, let's also understand how the device is released from the "waiting room" once everything is configured. This is where the ReleaseDeviceFromAwaitConfiguration command comes in, playing a crucial role in the final act of Mac enrollment.

Await Final Configuration holds the device's desktop until it applies all the required policies and settings through the MDM solution. While it offers great control, users might experience a delay before accessing their devices. This is where ReleaseDeviceFromAwaitConfiguration steps in, allowing you to signal "showtime!" when everything is ready.

The MDM sends the command to inform the device that it can allow the user to continue in Setup Assistant.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Command</key>
    <dict>
        <key>RequestType</key>
        <string>DeviceConfigured</string>
    </dict>
    <key>CommandUUID</key>
    <string>0001_DeviceConfigured</string>
</dict>
</plist>

And when all the policies and settings have been applied successfully, the device sends back a response acknowledging the command to the MDM.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CommandUUID</key>
    <string>0001_DeviceConfigured</string>
    <key>Status</key>
    <string>Acknowledged</string>
    <key>UDID</key>
    <string>00008020-000915083C80012E</string>
</dict>
</plist>
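As an added example (not from the original post, and not Intune's or Apple's code), here is a small Python model of both sides of this exchange: building the DeviceConfigured command plist shown above and validating the device's acknowledgement before treating the device as released. The validation rules (CommandUUID and UDID must match the command the server issued; only an Acknowledged status counts; NotNow is re-queued; Error is reported from its ErrorChain) are this example's own assumptions about what a careful MDM server should check. The acknowledgement sample reuses the values from the response above; the error sample is constructed with placeholder contents.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Values reused from the command and response shown above.
RELEASE_COMMAND_UUID = "0001_DeviceConfigured"
ENROLLED_UDID = "00008020-000915083C80012E"


def device_configured_command(command_uuid: str) -> dict:
    """The DeviceConfigured command the MDM queues to release the device."""
    return {
        "Command": {"RequestType": "DeviceConfigured"},
        "CommandUUID": command_uuid,
    }


def to_plist(payload: dict) -> bytes:
    """Serialise a command or response to the XML plist form carried by MDM."""
    return plistlib.dumps(payload, fmt=plistlib.FMT_XML)


def validate_release_ack(response_plist: bytes, expected_uuid: str, expected_udid: str):
    """Return (released, reason) for a device response to DeviceConfigured.

    Only an Acknowledged status tied to the exact CommandUUID and UDID the
    command was issued for counts as a release; anything else leaves the
    device in the waiting room from the server's point of view (assumed rule).
    """
    try:
        response = plistlib.loads(response_plist)
    except (plistlib.InvalidFileException, ExpatError):
        return False, "response is not a well-formed plist"
    if not isinstance(response, dict):
        return False, "response root is not a dictionary"
    if response.get("CommandUUID") != expected_uuid:
        return False, f"CommandUUID mismatch: {response.get('CommandUUID')!r}"
    if response.get("UDID") != expected_udid:
        return False, f"UDID mismatch: {response.get('UDID')!r}"

    status = response.get("Status")
    if status == "Acknowledged":
        return True, "device released from Await Final Configuration"
    if status == "NotNow":
        # The device cannot act yet; the server re-queues the command.
        return False, "device answered NotNow; retry on next check-in"
    if status == "Error":
        # Error responses carry an ErrorChain list; report its first entry.
        chain = response.get("ErrorChain") or []
        first = chain[0] if chain and isinstance(chain[0], dict) else {}
        detail = first.get("LocalizedDescription", "no description")
        return False, f"device reported Error: {detail}"
    return False, f"unexpected Status {status!r}"


# Constructed sample acknowledgement, in the same shape as the response above.
SAMPLE_ACK = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CommandUUID</key>
    <string>0001_DeviceConfigured</string>
    <key>Status</key>
    <string>Acknowledged</string>
    <key>UDID</key>
    <string>00008020-000915083C80012E</string>
</dict>
</plist>
"""

# Constructed error response; the ErrorChain contents are placeholders.
SAMPLE_ERROR = to_plist({
    "CommandUUID": RELEASE_COMMAND_UUID,
    "Status": "Error",
    "UDID": ENROLLED_UDID,
    "ErrorChain": [{
        "ErrorCode": 1,
        "ErrorDomain": "ExamplePlaceholderDomain",
        "LocalizedDescription": "placeholder: device rejected the command",
    }],
})


if __name__ == "__main__":
    print(to_plist(device_configured_command(RELEASE_COMMAND_UUID)).decode())
    for label, sample in (("ack", SAMPLE_ACK), ("error", SAMPLE_ERROR)):
        print(label, validate_release_ack(sample, RELEASE_COMMAND_UUID, ENROLLED_UDID))
```

The point of checking the CommandUUID and UDID rather than just the Status string is that the server should only clear the "waiting room" state for the device that answered the command it actually sent; an acknowledgement for a different command, or from a different device, must not release anything.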

Think of it this way: you've carefully prepared the stage with Managed Local Accounts and added the finishing touches with Await Final Configuration. Now ReleaseDeviceFromAwaitConfiguration raises the curtain, granting users access to their fully equipped and secure workspace.


Intune Configuration

  • In the Intune admin center, go to Devices > Enrollment.
  • Select the Apple tab.
  • Under Bulk Enrollment Methods, select Enrollment program tokens.
  • Select an enrollment program token.
  • Select Profiles > Create profile > macOS
  • Enter a name and description for the profile so that you can distinguish it from other enrollment profiles.
  • On the Management Settings page, configure Enrol with User Affinity & Modern Authentication.
💡 Await Final Configuration & Managed Local Accounts can only be used with User Affinity & Modern Authentication.
  • Toggle "Yes" for Await Final Configuration and click Next
  • On the Setup Assistant page, configure the Setup Assistant experience as per your organisation requirements.
  • On the Account Settings page, Select Yes to create local managed account during enrollment.
  • Toggle "Yes" to block users from changing their username details.
  • Review changes and click Create to finish creating the profile.

End User Experience


Conclusion

Managed Local Accounts offer exciting possibilities for revolutionizing your Mac management landscape. Carefully weigh the benefits and considerations against your specific needs and environment. Remember, understanding your IT needs and the impact of these features on end users is key to making informed decisions that empower your organization and users alike.

Stay tuned for the next blog, where I will take you backstage to where all this magic happens: a deep dive into the backend process. Till then, keep Mac-ing 😄