Local Account Migration

You can connect existing local accounts to network accounts using Jamf Connect's migration workflow.

The Connect existing local accounts to a network account (Migrate) setting is typically used when you want a user's existing local account to have the same username and password as the user’s network account.

When enabled, users must log in with their cloud identity provider (IdP) credentials, and then Jamf Connect will look for a matching local account. Consider the following scenarios that may occur when connecting an existing local account:

  • If a user's network username and password match a local username and password, the accounts are automatically connected. No additional steps are needed.

  • If a user's network username matches a local username but the passwords do not match, the user will be prompted to enter their current local password. Once entered, Jamf Connect will change the local password to match the current network password.

  • If a user's network username does not match any local account, the user can choose from a list of existing local accounts or create a new account. If they select a local account, the user must enter the password of the chosen local account, and then Jamf Connect will sync the password to the network password and add the network username as an alias to the local account. If the user wants to create a new account, they must click Create Account.

You can also prevent certain local accounts from being connected to a network account by specifying one or more local accounts with the Local accounts prohibited from network account connection (MigrateUsersHide) setting.

Notes:

  • To use this setting, the Require Network Authentication (DenyLocal) setting must be enabled.

  • For every successful network authentication of a user, the user’s record will be updated with the “NetworkSignIn” attribute. If a user only uses local authentication, this attribute will not be updated.

Account Migration Settings

Domain: com.jamf.connect.login

Description: Used to configure account connections between existing local accounts and network accounts.

Key

Description

Example

Migrate

Connect existing local accounts to a network account

Allow existing local accounts to be connected to a network account.

This setting is typically used when you want a user's existing local account to have the same username and password as the user’s network account.

When enabled, users must log in with their IdP, and then Jamf Connect will look for a matching local account.

Notes:

  • To use this setting, the Require Network Authentication (DenyLocal) setting must be enabled. For more information, see Network and Local Authentication Restrictions.

  • For every successful network authentication, the user’s record will be updated with the “NetworkSignIn” attribute. If a user only uses local authentication, this attribute will not be updated.

<key>Migrate</key>
<false/>

MigrateUsersHide

Local accounts prohibited from network account connection

A list of usernames of local accounts that are excluded from the migration process. These accounts will not be available to the user during the "Connect" step of the login process.

<key>MigrateUsersHide</key>
<array>
    <string>admin</string>
    <string>ladmin</string>
</array>

DemobilizeUsers

Demobilize Accounts

Determines if any existing Active Directory mobile accounts are demobilized, which is the process of converting a mobile account into a local account. Demobilization also removes the network authentication authority from the account.

Once demobilized, you can unbind computers from Active Directory.

Important: If you unbind from Active Directory before demobilization, demobilization may fail if a user's Active Directory password and IdP password do not match and Jamf Connect is configured to sync the passwords during account creation. Make sure you demobilize accounts before unbinding from Active Directory and that the Active Directory domain is reachable during account creation with Jamf Connect. For instructions, see the Demobilizing and Unbinding Mobile Accounts with Jamf Connect and Jamf Pro Knowledge Base article.

<key>DemobilizeUsers</key>
<false/>
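
An added example (not part of Jamf's documentation or tooling) that audits a com.jamf.connect.login payload against the constraints described above: Migrate requires DenyLocal, and local accounts that must never be connected need to be listed in MigrateUsersHide. The sample payload, the function name audit_migration_settings and the protected_accounts default are assumptions made for illustration.

```python
import plistlib

# Constructed sample payload for the com.jamf.connect.login domain.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>DenyLocal</key>
    <false/>
    <key>Migrate</key>
    <true/>
    <key>MigrateUsersHide</key>
    <array>
        <string>admin</string>
    </array>
</dict>
</plist>
"""


def audit_migration_settings(plist_bytes, protected_accounts=("admin", "ladmin")):
    """Return findings for the Migrate / MigrateUsersHide keys."""
    # Assumption: protected_accounts are local accounts that must never be
    # connected to a user's network account (names taken from the page's example).
    settings = plistlib.loads(plist_bytes)
    findings = []

    migrate = settings.get("Migrate", False)
    if not isinstance(migrate, bool):
        findings.append("Migrate must be a boolean")
    hidden = settings.get("MigrateUsersHide", [])
    if not (isinstance(hidden, list) and all(isinstance(u, str) for u in hidden)):
        findings.append("MigrateUsersHide must be an array of strings")
        hidden = []

    if migrate is True:
        # The page states Migrate can only be used when DenyLocal is enabled.
        if settings.get("DenyLocal") is not True:
            findings.append("Migrate is enabled but DenyLocal is not")
        # Accounts not listed remain selectable during the "Connect" step.
        for account in protected_accounts:
            if account not in hidden:
                findings.append(f"{account} is not listed in MigrateUsersHide")
    return findings


if __name__ == "__main__":
    for finding in audit_migration_settings(SAMPLE_PROFILE):
        print("FINDING:", finding)
```

Run against the constructed sample, the audit reports that DenyLocal is not enabled and that ladmin is missing from MigrateUsersHide.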

Related Information

For related information, see the following:
