When you remove a user's access to a Mac in JumpCloud, JumpCloud disables that user rather than deleting it. This preserves all user account information and files, but on macOS, disabled users no longer appear at the login screen or in Users & Groups Preferences.
- You must have a local admin or root account to execute the following commands.
- You must be root for the below commands to function properly.
- Any user who also had FileVault enabled must also be re-added to FileVault. See Create a Mac FileVault 2 Policy.
Verifying User Status
To list non-system user accounts (active or disabled), run the following command:
# dscl . -list /Users | grep -Ev "^_|com\..*|root|nobody|daemon|\/"
Reading a user's AuthenticationAuthority attribute and properly re-enabling the user both require you to switch to root.
To switch to root shell in macOS Terminal, run the following command: sudo -i
To determine if a specific user is disabled, run the following command. A null or empty result indicates the user isn't disabled:
# dscl . -read /Users/USERNAME AuthenticationAuthority | grep DisabledUser
The following is an example of output for a disabled user:
Re-Enabling Disabled Users
Replace USERNAME with the actual username in the following commands.
To re-enable the user account, run the following command:
- If running as root from the JumpCloud Command Runner role, use:
dscl . -read /Users/USERNAME AuthenticationAuthority | sed 's/AuthenticationAuthority: //;s/DisabledUser//g;s/[; ]*$//' | xargs dscl . -create /Users/USERNAME AuthenticationAuthority
- If running the command locally on the device, use:
sudo dscl . -read /Users/USERNAME AuthenticationAuthority | sed 's/AuthenticationAuthority: //;s/DisabledUser//g;s/[; ]*$//' | xargs sudo dscl . -create /Users/USERNAME AuthenticationAuthority
To change the shell from /bin/disable to /bin/bash, run the following command:
chsh -s /bin/bash USERNAME
- You can use chsh to set a default shell other than bash. The shell only needs to be something other than /usr/bin/false.
- After the command executes, the disabled user should reappear in both the login screen and Users & Groups Preferences. You may need to close and re-open System Preferences if the user doesn't immediately appear.
- The password for the user you’ve re-enabled will be the last password before the account was disabled. If you need to reset the user’s password, use System Preferences as the local admin to change the password.
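An added example, not JumpCloud's own code: a dry run of the sed program from the re-enable command above. It shows the current AuthenticationAuthority value (worth keeping as a backup) and the values that would be written back, before anything is passed to dscl . -create. The function names and the sample record are constructed, and the sample assumes the marker is stored as a separate ;DisabledUser; value.

```shell
#!/bin/sh
# Added example: dry-run of the re-enable pipeline. Nothing is written.
# Function names and SAMPLE_RECORD are constructed for illustration.

# Constructed sample of `dscl . -read /Users/USERNAME AuthenticationAuthority`
# output; assumes the marker is stored as its own ";DisabledUser;" value.
SAMPLE_RECORD='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;DisabledUser;'

# The same sed program the re-enable command uses (reads stdin).
clean_authority() {
    sed 's/AuthenticationAuthority: //;s/DisabledUser//g;s/[; ]*$//'
}

# Succeeds if the record on stdin carries the DisabledUser marker.
is_disabled() {
    grep -q 'DisabledUser'
}

# Report what would be written back for one record passed as $1.
# Returns 0 = safe to proceed, 1 = not disabled, 2 = nothing left to write.
preview_record() {
    record=$1
    if ! printf '%s\n' "$record" | is_disabled; then
        echo "status: not disabled, nothing to change"
        return 1
    fi
    cleaned=$(printf '%s\n' "$record" | clean_authority)
    if [ -z "$cleaned" ]; then
        echo "status: disabled, but no other value remains; do not write back"
        return 2
    fi
    echo "status: disabled"
    echo "backup : $record"
    echo "values dscl -create would receive (xargs splits on whitespace):"
    printf '%s\n' "$cleaned" | xargs -n 1 echo
}

# On a Mac, as root: preview a real account instead of the sample.
preview_user() {
    preview_record "$(dscl . -read "/Users/$1" AuthenticationAuthority)"
}

preview_record "$SAMPLE_RECORD"
```

On the Mac itself, call preview_user USERNAME from a root shell and proceed with the re-enable command only when it returns 0.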