This category displays information about managed local administrator accounts, as well as other local user accounts on a computer.
Inventory information for managed local administrator accounts is collected by the jamf binary for computers enrolled via user-initiated enrollment or by the UserList MDM command for computers enrolled via Automated Device Enrollment.
Inventory information for local user accounts is collected by the UserList MDM command for computers with macOS 10.13 or later enrolled via Automated Device Enrollment. The Local User Accounts category information is populated by the jamf binary if computers do not meet the UserList MDM command requirements.
This information is only displayed if the Computer Inventory Collection settings are configured to collect it. For more information, see Computer Inventory Collection Settings.
Managed Local Administrator Accounts
Administrator accounts created by a Computer PreStage Enrollment or by the jamf binary during enrollment are considered to be managed. Jamf Pro can set unique randomized passwords for each account and only allow authorized Jamf Pro users to view a password from the inventory record.
Passwords for managed local administrator accounts are managed by the Jamf Pro local administrator password solution (LAPS). For more information, see the Local Administrator Password Solution for Jamf Pro technical paper.
| Inventory Attribute/Criteria | Notes |
|---|---|
| UID | If a managed local administrator account does not have a UID value, the account is no longer being reported as present on the computer. |
| Username | |
| Source | Accounts created by MDM during Automated Device Enrollment will list "PreStage" as the source. Accounts created based on user-initiated enrollment settings will list "jamf binary" as the source. |
| Password | Click View to display the password. LAPS will automatically rotate the password. Note: If MDM LAPS is not enabled, managed local administrator accounts created via PreStage enrollment will not display a password. If password randomization is enabled for accounts created via PreStage enrollment, the password can be viewed in the UI. |
Local User Accounts
This information is only displayed if the Computer Inventory Collection settings are configured to collect it. For more information, see Computer Inventory Collection Settings.
You can access commands to remotely unlock a local user account or remotely remove a local or mobile user account by clicking Manage for a user. For more information, see Remote Commands for Computers.
The following table lists the Local User Accounts category inventory attributes that you can view for a computer:
| Inventory Attribute/Criteria | Notes |
|---|---|
| UID | |
| Username | |
| Password Type | Only displayed if Jamf Pro can identify the user account type (e.g., "Local", "LDAP", or "Mobile LDAP") |
| Minimum Passcode Length (Required Passcode Length criteria) | |
| Maximum Passcode Age | |
| Minimum Number of Complex Characters | |
| Password History | |
| Full Name | |
| Admin | |
| Home Directory | |
| Legacy FileVault Enabled | |
| FileVault 2 Enabled | |
| User Azure Active Directory ID | Unique identifier within Microsoft Entra ID for users that registered their computers with Entra ID. If the user registers many local accounts or multiple computers, their User Azure Active Directory ID is always the same. |
| Computer Azure Active Directory ID | (Legacy Conditional Access integration) Unique identifier within Microsoft Entra ID for the computer local account. The Computer Azure Active Directory ID is unique across each computer and each local user account. Every time a user registers a computer with Entra ID that local account will be given a unique identifier. |
| Conditional Access Inventory State | Displays one of the following values when the legacy macOS Intune Integration is enabled: |
| Device Compliance Integration - Compliance Status | Criteria available only for creating smart groups to monitor for non-compliant computers as part of a Microsoft Entra device compliance integration. You can also look up compliance information via the Jamf Pro API. For more information, see Get compliance information for a single computer device in the Jamf Developer Portal. |
| Device Compliance Integration - Registration Status | |
| Compliant | Displays one of the following values within Microsoft Entra ID for each registered device: |
| Scheduled Tasks (criteria only) | |