Preventing domain logins temporarily...lock screen?

jhuls
Contributor III

We're migrating from one AD domain to another here on campus. I'm developing two scripts to accomplish this.

First script unbinds, renames the computer to a new naming scheme, runs recon, and restarts.

Second script runs on startup if the computer has run script one successfully and binds the computer to the new domain, sets the correct permissions and ownership for the user's home directories, runs recon, and restarts.

During that second script I'd like to not allow domain users the ability to even attempt to log in. If that modification of the permissions and ownership hasn't completed, they'll be hung trying to log in and I'm trying to minimize the calls from failed logins.

Is there a good way to do this? Is there a way to lock the screen to accomplish this? Is there a better option?

2 REPLIES

mm2270
Legendary Contributor III

You could look at using jamfHelper for this. It can send up a fullscreen image (or just a black screen + some text) to prevent access to the Mac. The only issue is that it unfortunately responds to a Command - Q keyboard shortcut so a user could bypass it if they figured that out.

There are ways of using both the RemoteManagement ScreenLock command and jamfHelper together to truly lock down the screen.
You'd need to push those processes into the background to allow the script to continue to run, and then later kill those processes once it's complete, to unlock the screen again.

For more on jamfHelper, run the following in Terminal:

"/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -help

Also do some searches here for threads that show how to use jamfHelper in scripts, especially when talking about the fullscreen option.
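
An added example (not code from this thread or from Jamf) of the approach described above: a full-screen jamfHelper window is pushed into the background, relaunched if it is dismissed with Command-Q, and killed when the work is done. It assumes the script runs as root in a session where jamfHelper can draw to the screen; `start_lock`, `stop_lock`, `lock_loop`, the `--run` switch and the window text are hypothetical.

```shell
#!/bin/sh
# Added example: keep a full-screen jamfHelper window up while migration work runs.
JAMF_HELPER="${JAMF_HELPER:-/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper}"

# Stop handler for the watchdog: close the window and reap it.
_lock_cleanup() {
    kill "$helper_pid" 2>/dev/null || true
    wait "$helper_pid" 2>/dev/null || true
    exit 0
}

# Watchdog: relaunch the window whenever it exits, so a Command-Q
# only dismisses it for about a second.
lock_loop() {
    trap _lock_cleanup TERM
    while :; do
        "$JAMF_HELPER" -windowType fs \
            -heading "Domain migration in progress" \
            -description "Please wait. This Mac will restart when it finishes." &
        helper_pid=$!
        wait "$helper_pid" || true
        sleep 1   # avoid a tight respawn loop if the helper cannot start
    done
}

# Start the watchdog in the background so the calling script keeps running.
start_lock() {
    lock_loop &
    LOCK_PID=$!
}

# Signal the watchdog, which closes the window, then wait for it to exit.
stop_lock() {
    kill "$LOCK_PID" 2>/dev/null || true
    wait "$LOCK_PID" 2>/dev/null || true
}

# Only act when called with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    start_lock
    # The second script's own steps go here: bind, fix home directory
    # ownership, recon.
    stop_lock
fi
```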

blackholemac
Valued Contributor III

Was going to suggest jamfHelper before reading the post above. I agree with the poster: jamfHelper is the best way to achieve this.