Demote User Accounts to Standard

By Jonathan Connor

Learn more about the "Demote user accounts to Standard" Parameter

What is the Demote User Accounts Parameter?

The "Demote user accounts to Standard" parameter changes all local accounts to standard users. This is particularly useful when you want to limit access to Administrator-level controls, such as for NIST compliance.
This Parameter is not compatible with SAP Privileges and the Privileges Checker script.

How the Demote User Accounts to Standard Parameter Works

During each agent check-in, the parameter runs on Mac computers and verifies the access level of all local accounts. If any local account, aside from the designated excluded admin, has admin privileges, it will be changed to a standard account. The user will then see a 30-minute countdown, after which the Mac restarts and all non-excluded local user accounts are set to standard users.

Requirements

  • The "Create User Accounts" Parameter must be enabled
  • At least one user account must be excluded from demotion

Enabling The Parameter

Once you are in the Blueprint you wish to edit and have enabled the "Demote user accounts to Standard" Parameter, follow these steps to complete the configuration:
  1. Input the desired Administrator account shortname for the account you wish to exclude from demotion.
  2. Click Add Exclusion to add additional accounts you would like to remain as Administrators.
  3. Click Save Parameters.
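
Before saving an exclusion list, the check described above can be previewed on a test Mac. The script below is an added example, not the vendor's code: it lists the local admins that are not excluded and flags excluded shortnames that are not admins on that Mac (often a typo). The `EXCLUDED` variable, the sample shortnames, and skipping `root` are assumptions.

```shell
#!/bin/sh
# Preview which local admins would be demoted, given an exclusion list.
# Membership input is the line printed by:
#   dscl . -read /Groups/admin GroupMembership
# Admin rights granted through nested groups do not appear in this line.

# Constructed sample, used when dscl is unavailable (not running on macOS).
SAMPLE_MEMBERSHIP="GroupMembership: root itadmin alice bob"

# $1 = membership line, $2 = space-separated excluded shortnames.
# Prints each admin that is not excluded, one per line.
# Assumption: root is a system account and is skipped.
admins_to_demote() {
  for user in ${1#GroupMembership:}; do
    if [ "$user" = "root" ]; then continue; fi
    case " $2 " in
      *" $user "*) ;;            # excluded, keeps admin rights
      *) echo "$user" ;;
    esac
  done
}

# Prints excluded shortnames that are not currently admins (likely typos).
exclusions_not_admin() {
  for user in $2; do
    case " ${1#GroupMembership:} " in
      *" $user "*) ;;            # exclusion matches a real admin
      *) echo "$user" ;;
    esac
  done
}

# Prints a short report for one Mac.
audit() {
  demote=$(admins_to_demote "$1" "$2")
  missing=$(exclusions_not_admin "$1" "$2")
  if [ -n "$demote" ]; then echo "Would be demoted:" $demote; fi
  if [ -n "$missing" ]; then echo "Excluded but not an admin here:" $missing; fi
  if [ -z "$2" ]; then echo "No exclusion set: at least one is required"; fi
}

# EXCLUDED is a hypothetical variable holding the planned exclusion list.
if command -v dscl >/dev/null 2>&1; then
  membership=$(dscl . -read /Groups/admin GroupMembership)
else
  membership=$SAMPLE_MEMBERSHIP
fi
audit "$membership" "${EXCLUDED:-itadmin}"
```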

For more information on Parameters, see the Parameters section of our Knowledge Base.