LOCAL ADMIN Account : once a macOS is enrolled you can run a shell script to remove all local admin account on that machine without having another admin account 🙂 Deploy this to all users using intune shell script and their admin priv will go away after the first logoff ! Run script as signed-in user = No

LoggedInUser=$(scutil <<< "show State:/Users/ConsoleUser" | awk '/Name 😕 && ! /loginwindow/ { print $3 }' ) echo " $(date) | Remove Local Admin:"

$LoggedInUser dseditgroup -o edit -d $LoggedInUser -t user admin

You will endup having a macOS without any localAdmin.. (if the device is multi-user) 😄