What is the process (if any) for disabling other users ability to create local accounts on a macOS device (including local administrators)? An alternative would be also to disable local administrators ability to create local accounts entirely which is also fine, as we use Active Directory for authentication. I know in Windows I can use local and AD group policies to manage this on Windows systems but I'm not familiar with a local group policy application in macOS.
We centrally manage full disk encryption on our mobile estate and users creating their own logons on organisational devices is something we'd like to avoid.
Many thanks in advance.
Best Answer
You will need to use Apple MDM software to accomplish this.
Under macOS Supervised Restrictions, you can prevent users from creating accounts: