Local Account Migration

You can connect existing local accounts to network accounts using Jamf Connect's migration workflow.

The Connect existing local accounts to a network account (Migrate) setting is typically used when you want a user's existing local account to have the same username and password as the user’s network account.

When enabled, users must log in with their cloud identity provider (IdP) credentials, and then Jamf Connect will look for a matching local account. Consider the following scenarios that may occur when connecting an existing local account:

  • If a user's network username and password match a local username and password, the accounts are automatically connected. No additional steps are needed.

  • If a user's network username matches a local username but the passwords do not match, the user enters their current local password. Jamf Connect will change that local password to match the current network password.

    • Your IdP must support ROPG, or "password grant," to use this method.

    • Google Cloud Identity does not support this grant, so the user will see an "Invalid password" message. The user simply enters their existing local account password and the account migrates. Google Cloud Identity uses secure LDAP for password sync instead of ROPG, so after logging in through Jamf Connect, the user is prompted to log into Google Cloud Identity and change their local password to match their Google Cloud Identity password.

  • If a user's network username does not match any local account, the user can choose from a list of existing local accounts or create a new account. If they select a local account, the user must enter the password of the chosen local account, and then Jamf Connect will sync the password to the network password and add the network username as an alias to the local account. If the user wants to create a new account, they must click Create Account.

You can also prevent certain local accounts from being connected to a network account by specifying one or more local accounts with the Local accounts prohibited from network account connection (MigrateUsersHide) setting.

Additionally, the Hide "Create New User" option at migration (CreateNewUserHide) preference enables hiding the Create New User option from users during account migration. With this setting enabled, users are unable to disrupt account migration by creating a new account. This setting is not enabled (set to null) by default.

  • To use this setting, the Require Network Authentication (DenyLocal) setting must be enabled.

  • For every successful network authentication of a user, the user's record will be updated with the "NetworkSignIn" attribute. If a user only uses local authentication, this attribute will not be updated.
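
As an added example (not Jamf's code and not part of the original page), the following Python script lints a login window preference payload for the migration settings named above, including the CreateNewUserHide dependency on DenyLocal. The value types, the sample payload, the account names, and the `protected_accounts` parameter are assumptions made for illustration.

```python
import plistlib

# Constructed sample payload. Key names are the ones this page gives in
# parentheses; the value types (booleans, array of strings) are assumptions.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Migrate</key><true/>
    <key>MigrateUsersHide</key>
    <array><string>localadmin</string></array>
    <key>CreateNewUserHide</key><true/>
</dict>
</plist>
"""


def audit_migration_settings(plist_bytes, protected_accounts=()):
    """Return a list of findings for the migration-related keys.

    protected_accounts is a hypothetical input: local accounts (for example
    admin or service accounts) that should never be connected to a network
    account.
    """
    prefs = plistlib.loads(plist_bytes)
    findings = []
    migrate = bool(prefs.get("Migrate", False))
    hidden = prefs.get("MigrateUsersHide", [])

    # Per the page, CreateNewUserHide requires DenyLocal to be enabled.
    if prefs.get("CreateNewUserHide") and not prefs.get("DenyLocal"):
        findings.append("CreateNewUserHide is set but DenyLocal is not enabled")

    if not isinstance(hidden, list) or not all(isinstance(u, str) for u in hidden):
        findings.append("MigrateUsersHide should be a list of local account names")
        hidden = []
    if hidden and not migrate:
        findings.append("MigrateUsersHide is set but Migrate is not enabled")

    # With Migrate on, any protected account missing from MigrateUsersHide
    # can be offered for connection to a network account.
    if migrate:
        for account in protected_accounts:
            if account not in hidden:
                findings.append(f"{account} is not listed in MigrateUsersHide")
    return findings
```
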