macOS Unlock Device Script

Problem Overview

Devices locked during emergencies or security incidents need a swift and reliable way to restore access once the threat is addressed. This script provides a straightforward solution by unlocking all local user accounts on a macOS endpoint, saving valuable time and effort.

Description

This script scans through all valid local user accounts on a macOS device and systematically enables each one. It works in tandem with our macOS Lock Device Script, allowing you to confidently lock down a device when necessary and then revert it to normal operation with a single command. Throughout the process, the device remains connected to Level, enabling full remote control and management.

Script

1#!/bin/bash
2
3# This resource is provided as a convenience for Level users. We cannot 
4# guarantee it will work in all environments. Please test before deploying 
5# to your production environment. We welcome contributions to our community 
6# library
7
8# Level Library
9# https://level.io/library/script-macos-unlock-device
10
11# Initialize script-scoped error flag
12script_errors=false
13
14# Function to enable all local user accounts (INCLUDING ROOT)
15enable_local_accounts() {
16    echo "Enabling all local user accounts (including root)..."
17    local_users=$(dscl . list /Users | grep -vE '^(Guest|nobody|_.*|daemon)$')
18
19    for user in $local_users; do
20        sudo pwpolicy -u "$user" enableuser &> /dev/null
21        if [[ $? -eq 0 ]]; then
22            echo "Local account $user has been unlocked."
23        else
24            echo "ALERT: Failed to unlock local account $user."
25            script_errors=true
26        fi
27    done
28}
29
30# Execute actions
31enable_local_accounts
32
33if [[ "$script_errors" == true ]]; then
34    echo "ALERT: Errors occurred during execution. Exiting with code 1."
35    exit 1
36else
37    echo "All users have been unlocked successfully."
38    exit 0
39fi

‍

Use Cases

• Restoring normal access after a security lockdown
• Re-enabling valid user accounts post-audit or compliance check
• Quickly returning stolen devices to normal use once recovered
• Coordinating security policy changes with minimal downtime

Recommendations

• Test this script in a controlled environment to ensure compatibility with your macOS endpoints
• Pair with the macOS Lock Device Script to easily toggle between lockdown and normal operation
• Consider using an Automation in Level with a schedule or tag trigger to re-enable accounts after a defined lockout period
• Verify that all necessary user accounts are re-enabled and that each user can sign in properly

FAQ

• Does this script remove any previous security restrictions beyond re-enabling accounts?
  ‍No. It strictly enables local user accounts that were disabled. Additional system-level controls remain unchanged.

• What if a user account doesn’t unlock?
  ‍The script will report if an account fails to unlock. Verify that the account name is valid and that no other system policy overrides are in place.

• Will this script work if the device was locked using other methods or third-party software?
  ‍It is designed specifically to reverse the account-locking actions of our macOS Lock Device Script. While it may unlock accounts restricted by similar means, it cannot guarantee unlocking for third-party security tools.