Bypass Configuration Profiles when logging in

tomgideon2003
Contributor

I have been using a computer-level configuration profile to only allow students to access certain preference panes in System Preferences. I have always been able to log in as root to access the hidden ones if I need to.

But now, it is also managed for the root account. I don't know what has changed other than upgrading the JSS to 9.64 which does make many needed configuration profile improvements for logging. Is there any key combination to bypass the profiles from being applied when logging in? For some reason, I thought there was once. Let me know your thoughts on how I can do this again. Thanks!

1 ACCEPTED SOLUTION

myronjoffe
Contributor III

Whoops my bad. It's under login window/options payload.


18 REPLIES

myronjoffe
Contributor III

At the login window type username and password, then hold down the left shift key and click on the arrow in the password box. You will then be presented with three options:

Refresh Prefs
Disable Settings
Allow Settings

tomgideon2003
Contributor

Thanks for your reply. I tested this on an iMac but it didn't bring these options up. It just logged in like normal and nothing is different. I wonder if that only works for laptop internal keyboards or something.

myronjoffe
Contributor III

You need to be an admin

sswartz
New Contributor III

Holding the Option key should bring up the same dialog for admins.

tomgideon2003
Contributor

I tried both the option key and the shift key as a local admin account and those didn't do anything different. Any other ideas? Thanks!

tomgideon2003
Contributor

I think that I have found it was something just wrong with how this one computer got imaged. I imaged another one the same way and root could access everything in System Preferences.

If anyone knows a keyboard shortcut that would work for other admin accounts, please reply still. Thanks!

myronjoffe
Contributor III

Make sure you have this payload enabled under finder - Computer administrators may refresh or disable management

tomgideon2003
Contributor

Hi Myron, I don't see that option under the Finder section. Could you attach a screenshot of that?

Thanks!

myronjoffe
Contributor III

Whoops my bad. It's under login window/options payload.

millersc
Valued Contributor

I have problems with all our devices with Shift or Option. My TAM has advised this is still a defect problem.

D-005882 - Disable Management login options. Appeared in 9.21 and still open. JAMF opened a ticket with Apple #15595754. If someone knows if this has been fixed and not documented, I'd love to know. Still an issue with 9.65.

Odd part is, we still have a secondary MDM in place for some Apples and it does not have this problem. Not sure how this is an Apple defect when it works OK with one MDM and not the other.

davidacland
Honored Contributor II

"Computer administrators may refresh or disable management" used to work well in 10.6 and earlier. I have had mixed success with recent OS versions. I can get the message to appear but the choice is ignored.

tomgideon2003
Contributor

Thanks everyone, I did find it on mine and I will try this in the future. It is good to know that option is there at least.

smkolins
New Contributor

Hi - I'm new to Casper but a long-time user of MCX, finally converting over. I'm testing things. Like this one. Any updates?

Also some clarity of details. This bypass was originally just for MCX settings. Now we have Profiles. Is this option/left shift key at login for admin accounts a bypass for Profiles such as those Casper sends out?

millersc
Valued Contributor

@smkolins This option does work with Profiles but there is a defect I posted above. The workaround is in the same Login Window profile option: go to the Script tab and uncheck both Login and Logout boxes. Once this update to the profile is pushed, you can then use the shift key and click on the -> arrow to disable settings when logging in as the admin.

CasperSally
Valued Contributor II

You can also upload a custom com.apple.loginwindow plist that includes AdminMayDisableMCX=true and it works like a charm.

Here's ours
{AdminMayDisableMCX=true, IncludeNetworkUser=false, HideLocalUsers=false, SHOWFULLNAME=true, HideMobileAccounts=false, LoginwindowText=Staff, DenyList=[], DisableAutoLoginClient=true, SHOWOTHERUSERS_MANAGED=true, EnableExternalAccounts=false, TALLogoutSavesState=false, RetriesUntilHint=0, UseComputerNameForComputerRecordName=false, AllowList=[], DisableConsoleAccess=true, ShutDownDisabled=false, AdminHostInfo=HostName, HideAdminUsers=false}
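As an added example (not part of the post above and not Jamf's own tooling): the settings are posted in a flattened display form rather than as a plist, so this Python code parses that form into typed values, writes an XML plist (optionally restricted to chosen keys such as AdminMayDisableMCX), and checks whether a given plist enables the admin bypass. The function names and the value-type inference are assumptions.

```python
import plistlib

# The flattened settings dump exactly as posted above (display form, not a plist).
POSTED = (
    "{AdminMayDisableMCX=true, IncludeNetworkUser=false, HideLocalUsers=false, "
    "SHOWFULLNAME=true, HideMobileAccounts=false, LoginwindowText=Staff, DenyList=[], "
    "DisableAutoLoginClient=true, SHOWOTHERUSERS_MANAGED=true, "
    "EnableExternalAccounts=false, TALLogoutSavesState=false, RetriesUntilHint=0, "
    "UseComputerNameForComputerRecordName=false, AllowList=[], "
    "DisableConsoleAccess=true, ShutDownDisabled=false, AdminHostInfo=HostName, "
    "HideAdminUsers=false}"
)

def parse_dump(text):
    """Parse '{Key=value, ...}' into a dict.

    Assumed type inference: true/false -> bool, digits -> int, [] -> empty list,
    anything else -> string. String values containing ', ' are not supported.
    """
    body = text.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("expected a '{Key=value, ...}' dump")
    settings = {}
    for item in body[1:-1].split(", "):
        if not item:
            continue  # tolerate an empty dump: {}
        key, sep, raw = item.partition("=")
        if not sep:
            raise ValueError(f"no '=' in {item!r}")
        if raw in ("true", "false"):
            settings[key.strip()] = raw == "true"
        elif raw == "[]":
            settings[key.strip()] = []
        else:
            settings[key.strip()] = int(raw) if raw.isdigit() else raw
    return settings

def to_plist(settings, only=None):
    """Serialize as an XML plist; `only` restricts the output to the named keys."""
    chosen = {k: v for k, v in settings.items() if only is None or k in only}
    return plistlib.dumps(chosen, fmt=plistlib.FMT_XML, sort_keys=True)

def admin_bypass_enabled(plist_bytes):
    """True only if AdminMayDisableMCX is present and is the boolean true."""
    return plistlib.loads(plist_bytes).get("AdminMayDisableMCX") is True

if __name__ == "__main__":
    minimal = to_plist(parse_dump(POSTED), only={"AdminMayDisableMCX"})
    print(minimal.decode())
    print("admin bypass enabled:", admin_bypass_enabled(minimal))
```

The same `admin_bypass_enabled` check can be run over exported login window plists to see which machines permit administrators to disable management at login.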

smkolins
New Contributor

Perhaps my problem is more complex. I have a computer in a simulated public setting. Standard users and a local admin account to do configuration and special case work. I want that local admin account unmanaged but the general accounts highly managed. For example, I have a Configuration profile restricting most system preferences and there are other settings as well. I also use an MCX setting of a set desktop picture since there doesn't seem to be that option in Profile Config. Then I also have set a configuration profile to allow local admins to bypass profiles/MCX. Oh, and yes, the login hook scripts and logout are unchecked.

The computer is scoped to get all these settings. BTW the computer is running Yosemite - we have a few minor incompatibilities with Capitan we expect to get past this year.

The prompt comes up and I can ask to have settings disabled. But they don't disable. And though many of the settings for standard users take hold, some do not.

Is there a more global setting, or perhaps the order of the profiles matters? Or am I violating some rule of processing such settings? Or does one failing configuration cause others to fail?

Perhaps it is a more general question in layering on settings? One profile config applies the "user may press shift..." which another grants allowing the shift key AND this option for "computer administrators may refresh or disable…"

Or back in the day there were times MCX commands just failed to clear right so there were scripts to clear cached settings. Is there a way to do that in Casper-managed-profiles-and-MCX-settings?

CasperSally
Valued Contributor II

With the custom com.apple.loginwindow plist it would by default apply to all non-admin accounts, and on the local admin account you could check the box to disable settings for this account and don't prompt on every login. Should work OK.

smkolins
New Contributor

Thanks CasperSally... I've not taken that approach yet, partly because I'm new to Casper. And in this context I'm wondering about overlapping settings. Replacing the entire plist file seems a bigger deal than one setting in that plist file. Different configuration profiles might set different settings. I was hoping one setting for admin bypass would be a simple setting that would step on other profile management settings without having to change every plist control of that account.