Local Account Migration
You can connect existing local accounts to network accounts using Jamf Connect's migration workflow.
The Connect existing local accounts to a network account (Migrate) setting is typically used when you want a user's existing local account to have the same username and password as the user's network account.
When enabled, users must log in with their cloud identity provider (IdP) credentials, and then Jamf Connect will look for a matching local account. Consider the following scenarios that may occur when connecting an existing local account:
- If the user's network username and password match a local username and password, the accounts are connected automatically. No additional steps are needed.
- If the user's network username matches a local username but the passwords do not match, the user is prompted for the current local password. Once it is entered, Jamf Connect changes the local password to match the current network password.
- If the user's network username does not match any local account, the user can choose from a list of existing local accounts or create a new account. To connect an existing local account, the user must enter that account's password; Jamf Connect then syncs the local password to the network password and adds the network username as an alias on the local account. To create a new account instead, the user clicks Create Account.
You can also prevent certain local accounts from being connected to a network account by specifying one or more local accounts with the Local accounts prohibited from network account connection (MigrateUsersHide) setting.
Notes:
- To use this setting, the Require Network Authentication (DenyLocal) setting must be enabled.
- On every successful network authentication, the user's local account record is updated with the "NetworkSignIn" attribute. If a user only authenticates locally, this attribute is not updated.
Account Migration Settings
Domain: com.jamf.connect.login
Description: Used to configure account connections between existing local accounts and network accounts.

Key: Migrate
Description: Connect existing local accounts to a network account. Allows existing local accounts to be connected to a network account. This setting is typically used when you want a user's existing local account to have the same username and password as the user's network account. When enabled, users must log in with their IdP, and then Jamf Connect looks for a matching local account. See the notes above.
Example:
<key>Migrate</key>
<false/>

Key: MigrateUsersHide
Description: Local accounts prohibited from network account connection. A list of usernames of local accounts that are excluded from the migration process. These accounts are not offered to the user during the "Connect" step of the login process.
Example:
<key>MigrateUsersHide</key>
<array>
<string>admin</string>
<string>ladmin</string>
</array>

Key: DemobilizeUsers
Description: Demobilize Accounts. Determines whether existing Active Directory mobile accounts are demobilized, which is the process of converting a mobile account into a local account. Demobilization also removes the network authentication authority from the account. Once accounts are demobilized, you can unbind computers from Active Directory. Important: If you unbind from Active Directory before demobilization, demobilization may fail if a user's Active Directory password and IdP password do not match and Jamf Connect is configured to sync the passwords during account creation. Make sure you demobilize accounts before unbinding from Active Directory, and that the Active Directory domain is reachable during account creation with Jamf Connect. For instructions, see the Demobilizing and Unbinding Mobile Accounts with Jamf Connect and Jamf Pro Knowledge Base article.
Example:
<key>DemobilizeUsers</key>
<false/>
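The following is an added example, not part of the Jamf Connect documentation or product code. It builds a com.jamf.connect.login settings payload with the keys documented above, serializes it as the XML plist that a configuration profile carries, and checks the one dependency the notes above state: Migrate has no effect unless DenyLocal is also enabled. It also shows which local accounts would remain selectable in the "Connect" step once MigrateUsersHide is applied. The account names and the sample list of local accounts are constructed placeholders; the validation rules beyond the DenyLocal requirement (type checks, duplicate detection) are assumptions about a sensible payload, not behaviour documented by Jamf.

```python
from __future__ import annotations

import plistlib
from typing import Any, Dict, List

DOMAIN = "com.jamf.connect.login"

# Constructed sample settings for the com.jamf.connect.login domain.
# "admin" and "ladmin" are placeholder local admin account names.
MIGRATION_SETTINGS: Dict[str, Any] = {
    "DenyLocal": True,          # Require Network Authentication; needed for Migrate
    "Migrate": True,            # connect existing local accounts to a network account
    "MigrateUsersHide": ["admin", "ladmin"],  # never offered in the Connect step
    "DemobilizeUsers": False,   # no AD mobile accounts to demobilize in this sample
}


def build_plist(settings: Dict[str, Any]) -> bytes:
    """Serialize the settings dict as the XML plist payload a profile carries."""
    return plistlib.dumps(settings, fmt=plistlib.FMT_XML)


def validate_migration_settings(settings: Dict[str, Any]) -> List[str]:
    """Return a list of problems found; an empty list means the migration
    settings are coherent with the dependencies documented on this page."""
    problems: List[str] = []

    migrate = settings.get("Migrate", False)
    if not isinstance(migrate, bool):
        problems.append("Migrate must be a boolean")
    # Documented requirement: Migrate only works when DenyLocal is enabled.
    if migrate and settings.get("DenyLocal", False) is not True:
        problems.append("Migrate is enabled but DenyLocal is not; "
                        "Migrate requires Require Network Authentication (DenyLocal)")

    hide = settings.get("MigrateUsersHide")
    if hide is not None:
        if not isinstance(hide, list) or not all(isinstance(u, str) and u for u in hide):
            problems.append("MigrateUsersHide must be an array of non-empty username strings")
        elif len(set(hide)) != len(hide):
            problems.append("MigrateUsersHide contains duplicate usernames")

    demobilize = settings.get("DemobilizeUsers")
    if demobilize is not None and not isinstance(demobilize, bool):
        problems.append("DemobilizeUsers must be a boolean")

    return problems


def load_and_validate(payload: bytes) -> List[str]:
    """Parse a serialized plist payload and validate it."""
    return validate_migration_settings(plistlib.loads(payload))


def connectable_accounts(local_accounts: List[str], settings: Dict[str, Any]) -> List[str]:
    """Local accounts that would be offered in the Connect step: everything
    except the usernames listed in MigrateUsersHide (assumed exact-match)."""
    hidden = set(settings.get("MigrateUsersHide", []))
    return [u for u in local_accounts if u not in hidden]


if __name__ == "__main__":
    payload = build_plist(MIGRATION_SETTINGS)
    print(payload.decode())
    print("problems:", load_and_validate(payload))
    # Constructed list of local accounts on a hypothetical Mac.
    print("selectable:", connectable_accounts(["admin", "ladmin", "jdoe"], MIGRATION_SETTINGS))
```

Run the validator against an exported profile payload before deploying it; a payload that enables Migrate without DenyLocal will pass a plist syntax check but will not produce the migration behaviour described above.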
Related Information
For related information, see the following:
- Authentication Settings: Learn about the authentication settings used to set up Jamf Connect with your cloud IdP.
- Network and Local Authentication Restrictions: Learn how to manage network and local authentication with the login window.