Reset of macOS with O365

romano_rosinski
New Contributor

Dear Nation 

I have quite a tricky question: 

So we are using our MacBooks with Jamf Connect. Jamf Connect is connected to our Azure tenant, so we can use SSO at the first login. See below:

[Screenshot: Greenshot 2025-06-25 10.53.49.png]
After the login is successful, a local user account is created on the Macbook and the user can work completely fine. 

Now the question is: if the user leaves our company and is still logged in to the Macbook, how shall we proceed here? This specific question is for our offices abroad. 

I know that I can just send the remote wipe command and get that OOTB experience again, but I was wondering if there is an easier way? The problem is that you have to manually log out properly in order to get that SSO login again. But if the logged-in user left the company already, there is no chance to log out properly. Our MacBooks are also NOT domain-joined, so we can't just reset the password and log in and then log out. 

I hope that my question and use case is easy to understand. :D 

Thanks a lot in advance for sharing your thoughts/solutions. 

Best, 
Romano 

1 ACCEPTED SOLUTION

sdagley
Esteemed Contributor III

@romano_rosinski Yes. Also be aware that with FileVault enabled even if you have a wired network connection you will have no management access to the Mac until after a user has logged in locally because macOS isn't fully running until then.


8 REPLIES 8

PaulHazelden
Valued Contributor

You will have to test this...
If you navigate to the Mac in question in Jamf Pro and then look for the local user accounts in the inventory for the device, you can do some management from there: you can unlock an account and remove an account. Unlock probably won't help you, but removing an account might. Although I have never tried removing an account that is active, it might fail. But if you can get it to the login screen, maybe with a restart or a script, it will remove the account. It is pretty quick too, so long as the device is active on a network.

killall -HUP loginwindow

Will log out any logged in accounts.
Not sure if that will give you back the SSO login.

Paul

odu
New Contributor

@romano_rosinski

Firstly, your options are dependent on the computer having an internet connection. I would suggest any of the following:

 

  1. Log out the user:
    1. Create a simple policy to run the following command: sudo launchctl bootout user/$(id -u <username>)
    2. During the next check-in, the user will be logged out.
  2. Restart the computer:
    1. Create a simple policy to run the command: sudo shutdown -r now
    2. During the next check-in, the computer will restart.
  3. Send a PIN code:
    1. Alternatively, you can send a PIN code to lock the computer by adding the user to a static group scope for the MDM command.
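
The first option above, written out as a policy script. This is an added example, not part of odu's post or Jamf's own code: it assumes the departed user's short name is passed as the policy's first custom script parameter (`$4`), and the function names are hypothetical. It only logs out when that user is actually the one at the console.

```shell
#!/bin/bash
# Added example (not from the thread). Runs as root from a Jamf Pro policy.
# Assumption: $4 (first custom script parameter) holds the departed
# user's short name.

# Print the short name of the user at the console; prints nothing when the
# Mac is sitting at the login window.
console_user() {
    echo "show State:/Users/ConsoleUser" | scutil |
        awk '/Name :/ && !/loginwindow/ { print $3 }'
}

# Decide what to do. Args: target user, current console user.
decide_action() {
    if [ -z "$1" ]; then
        echo "skip-no-target"          # parameter not set in the policy
    elif [ "$1" = "root" ]; then
        echo "skip-protected"          # never tear down root's domain
    elif [ "$2" = "$1" ]; then
        echo "logout"                  # departed user owns the console
    else
        echo "skip-not-logged-in"      # someone else (or nobody) is logged in
    fi
}

# Log the target out only if they are the active console user.
logout_target() {
    target="$1"
    action="$(decide_action "$target" "$(console_user)")"
    echo "target=${target} action=${action}"   # ends up in the policy log
    [ "$action" = "logout" ] || return 0
    uid="$(id -u "$target")" || return 1
    launchctl bootout "user/${uid}"
}

# Only act when the policy actually supplied a user name.
if [ -n "${4:-}" ]; then
    logout_target "$4"
fi
```

As the later replies point out, the policy only runs if the Mac can check in, which it cannot do while it is waiting at the FileVault login.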

romano_rosinski
New Contributor

@PaulHazelden @odu 

Thanks for replying so fast. 

I've actually tried both solutions but none of them works (yet). 
It seems that the MacBook does not have a proper WiFi connection in the lock screen and I also can't connect to a WiFi (due to the icon missing in the top right corner). 

The corporate WiFi we deploy with a Config Profile also has the checkbox activated:
"Use as a Login Window configuration // User logs in to authenticate the Mac to the network"

sdagley
Esteemed Contributor III

@romano_rosinski If you have FileVault enabled there isn't going to be an option to connect to Wi-Fi until a user with a FV enabled account enters their credentials directly on the Mac.

romano_rosinski
New Contributor

@sdagley 
So this means in order to be able to connect to Wi-Fi after the boot, I'd have to disable FileVault in the first place? 

sdagley
Esteemed Contributor III

@romano_rosinski Yes. Also be aware that with FileVault enabled even if you have a wired network connection you will have no management access to the Mac until after a user has logged in locally because macOS isn't fully running until then.

romano_rosinski
New Contributor

Thank you for clarifying this - this puzzle piece was missing in my understanding. 

Disabling FileVault is not an option in our environment, so there we'll have to find another way around. 

easyedc
Valued Contributor II

If they're FV enabled and you're trying to get to a clean/wiped OS without the password, restore via Apple Configurator may be your easiest choice.