Local Account Migration
You can connect existing local accounts to network accounts using Jamf Connect's migration workflow.
The Connect existing local accounts to a network account (Migrate) setting is typically used when you want a user's existing local account to have the same username and password as the user's network account.
When enabled, users must log in with their cloud identity provider (IdP) credentials, and then Jamf Connect will look for a matching local account. Consider the following scenarios that may occur when connecting an existing local account:
If a user's network username and password match a local username and password, the accounts are automatically connected. No additional steps are needed.
If a user's network username matches a local username but the passwords do not match, the user will be prompted to enter their current local password. Once entered, Jamf Connect will change the local password to match the current network password. To use this method, your IdP must support ROPG authentication grants. Google Cloud Identity cannot use this workflow during account creation.
If a user's network username does not match any local account, the user can choose from a list of existing local accounts or create a new account. If they select a local account, the user must enter the password of the chosen local account, and then Jamf Connect will sync the password to the network password and add the network username as an alias to the local account. If the user wants to create a new account, they must click Create Account.
You can also prevent certain local accounts from being connected to a network account by specifying one or more local accounts with the Local accounts prohibited from network account connection (MigrateUsersHide) setting.
Additionally, the Hide "Create New User" option at migration (CreateNewUserHide) preference enables hiding the Create New User option from users during account migration. With this setting enabled, users are unable to disrupt account migration by creating a new account. This setting is not enabled (set to null) by default.
To use this setting, the Require Network Authentication (DenyLocal) setting must be enabled.
For every successful network authentication of a user, the user's record will be updated with the "NetworkSignIn" attribute. If a user only uses local authentication, this attribute will not be updated.
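The following pre-deployment check for the migration keys described above is an added example, not Jamf's own code. It assumes the keys are delivered as a property list with boolean values and an array of strings for MigrateUsersHide, that "this setting" in the DenyLocal requirement refers to CreateNewUserHide, and that the account names and the function name `audit_migration_settings` are constructed for illustration.

```python
import plistlib

# Constructed sample payload. Value types and account names are assumptions.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Migrate</key><true/>
    <key>MigrateUsersHide</key>
    <array><string>localadmin</string></array>
    <key>CreateNewUserHide</key><true/>
    <key>DenyLocal</key><false/>
</dict>
</plist>"""


def audit_migration_settings(plist_bytes, protected_accounts=()):
    """Return findings for the migration keys described on this page."""
    prefs = plistlib.loads(plist_bytes)
    findings = []
    hidden = prefs.get("MigrateUsersHide", [])
    if not isinstance(hidden, list):
        findings.append("MigrateUsersHide should be a list of local account names")
        hidden = []
    if prefs.get("Migrate") is not True:
        # Without Migrate, the migration-only keys do nothing.
        if hidden or prefs.get("CreateNewUserHide"):
            findings.append("Migrate is off, so the migration-only keys have no effect")
        return findings
    # Hiding Create New User depends on Require Network Authentication.
    if prefs.get("CreateNewUserHide") is True and prefs.get("DenyLocal") is not True:
        findings.append("CreateNewUserHide is set but DenyLocal is not enabled")
    # Accounts that should never be linked to a network identity
    # (compared case-insensitively, an assumption of this example).
    hidden_lower = {str(name).lower() for name in hidden}
    for account in protected_accounts:
        if account.lower() not in hidden_lower:
            findings.append(f"{account} is not listed in MigrateUsersHide")
    return findings


if __name__ == "__main__":
    for finding in audit_migration_settings(SAMPLE_PLIST, ["localadmin", "jamfmanage"]):
        print("FINDING:", finding)
```

The check cannot confirm that the IdP supports ROPG grants, which the password-mismatch scenario requires; verify that separately with the IdP.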