Local Account Management
Last Updated: May 2025
Implementation Effort: Medium – Admins must configure and assign enrollment profiles and optionally customize account settings during Automated Device Enrollment (ADE).
User Impact: Low – Local accounts are created automatically during setup; users don’t need to take action or make decisions.
Introduction
Managing local accounts on macOS devices is a critical part of securing the endpoint and enforcing consistent identity and access controls. In Intune, administrators can configure how local accounts are created, named, and managed during Automated Device Enrollment (ADE). This section helps macOS administrators evaluate their local account strategy to ensure it aligns with Zero Trust principles—particularly around identity assurance, privilege minimization, and lifecycle control.
This guidance applies to corporate-owned macOS devices enrolled via ADE, and in some cases, to BYOD devices where script-based controls are applicable.
Why This Matters
- Controls local admin rights and enforces least privilege.
- Standardizes account naming and creation across devices.
- Supports Zero Trust by ensuring consistent identity and access controls.
- Reduces risk of misconfigured or unmanaged local accounts.
- Improves auditability by aligning account creation with enrollment workflows.
- Enables remediation by allowing admin rights to be removed post-enrollment via script.
Key Considerations
Account Type and Privilege
- During ADE, Intune allows you to configure whether the first user account created is a standard or admin account.
- For Zero Trust alignment, it is recommended to create standard user accounts by default and elevate privileges only when necessary.
- If a user is provisioned with admin rights, you can deploy a shell script via Intune to demote the account to standard.
Account Naming
- You can define a fixed local account name or allow the user to choose during Setup Assistant.
- Standardizing account names can simplify scripting, support, and auditing.
Hidden Admin Account (Optional)
- Some organizations create a hidden local admin account during provisioning for IT use.
- This must be carefully managed and monitored to avoid privilege misuse.
- Intune does not natively support creating hidden accounts, but this can be done via custom shell scripts deployed post-enrollment.
Password Policies
- Enforce password complexity and rotation policies using device configuration profiles.
- Combine with FileVault to ensure that local credentials are protected by full-disk encryption.
Lifecycle Management
- Intune does not currently support automated local account removal or rotation.
- Use scripts to manage local accounts post-enrollment, including demotion or removal.
- Regularly audit local accounts on managed devices to ensure they align with policy.
BYOD Considerations
- While Intune does not control account creation on BYOD devices, scripts can still be deployed to demote local admin accounts to standard—provided the device is enrolled and script execution is permitted.
- This allows organizations to enforce least privilege even in user-initiated enrollment scenarios.
Zero Trust Considerations
- Verify explicitly: Ensuring that only authorized users have local access supports strong identity assurance.
- Least privilege: Creating standard user accounts by default and demoting admin rights when unnecessary reduces the risk of privilege escalation.
- Assume breach: Minimizing local admin access limits the blast radius of compromised credentials.
- Continuous trust: Regular auditing of local accounts helps maintain alignment with access policies over time.
- Minimized privileged access: Using scripts to manage account roles reduces the need for manual IT intervention and enforces policy at scale.
Recommendations
- Configure ADE profiles to create standard user accounts by default.
- Avoid granting local admin rights unless explicitly required for the user’s role.
- Use scripts to demote admin accounts post-enrollment, including on BYOD devices where applicable.
- Standardize local account names to simplify support and automation.
- Use scripts to create or manage hidden admin accounts if needed, and monitor their usage.
- Enforce password policies via configuration profiles and combine with FileVault for secure credential storage.
- Audit local accounts regularly to ensure compliance with Zero Trust principles.