In lockdown mode, some services are disabled, and some services are accessible only to certain users.

Lockdown Mode Services for Different Users

When the host is running, available services depend on whether lockdown mode is enabled, and on the type of lockdown mode.

  • In strict and normal lockdown mode, privileged users can access the host through vCenter Server, either from the vSphere Web Client or by using the vSphere Web Services SDK.

  • Direct Console User Interface behavior differs for strict lockdown mode and normal lockdown mode.

    • In strict lockdown mode, the Direct Console User Interface (DCUI) service is disabled.

    • In normal lockdown mode, accounts on the Exception Users list can access the DCUI if they have administrator privileges. In addition, all users who are specified in the DCUI.Access advanced system setting can access the DCUI.

  • If the ESXi Shell or SSH is enabled and the host is placed in lockdown mode, accounts on the Exception Users list who have administrator privileges can use these services. For all other users, ESXi Shell or SSH access is disabled. Starting with vSphere 6.0, ESXi Shell or SSH sessions for users who do not have administrator privileges are terminated.

All access is logged for both strict and normal lockdown mode.

Table 1. Lockdown Mode Behavior

| Service | Normal Mode | Normal Lockdown Mode | Strict Lockdown Mode |
|---|---|---|---|
| vSphere Web Services API | All users, based on permissions | vCenter (vpxuser); Exception users, based on permissions; vCloud Director (vslauser, if available) | vCenter (vpxuser); Exception users, based on permissions; vCloud Director (vslauser, if available) |
| CIM Providers | Users with administrator privileges on the host | vCenter (vpxuser); Exception users, based on permissions; vCloud Director (vslauser, if available) | vCenter (vpxuser); Exception users, based on permissions; vCloud Director (vslauser, if available) |
| Direct Console UI (DCUI) | Users with administrator privileges on the host, and users in the DCUI.Access advanced option | Users defined in the DCUI.Access advanced option; Exception users with administrator privileges on the host | DCUI service is stopped |
| ESXi Shell (if enabled) | Users with administrator privileges on the host | Users defined in the DCUI.Access advanced option; Exception users with administrator privileges on the host | Users defined in the DCUI.Access advanced option; Exception users with administrator privileges on the host |
| SSH (if enabled) | Users with administrator privileges on the host | Users defined in the DCUI.Access advanced option; Exception users with administrator privileges on the host | Users defined in the DCUI.Access advanced option; Exception users with administrator privileges on the host |

Users Logged in to the ESXi Shell When Lockdown Mode Is Enabled

Users might log in to the ESXi Shell or access the host through SSH before lockdown mode is enabled. In that case, users who are on the list of Exception Users and who have administrator privileges on the host remain logged in. Starting with vSphere 6.0, the session is terminated for all other users. Termination applies to both normal and strict lockdown mode.
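
The rules above can be checked per host with an audit like the following. This is an added example, not VMware's code: it assumes VMware PowerCLI is loaded and `Connect-VIServer` has already authenticated to vCenter Server, the function name `Get-LockdownPosture` is hypothetical, and Exception Users are matched to administrator entries by exact principal name.

```powershell
# Added example: report lockdown mode, Exception Users, DCUI.Access and
# running console services for each host, with findings to review.
function Get-LockdownPosture {
    param([Parameter(Mandatory)] $VMHost)

    # HostAccessManager holds the lockdown mode and the Exception Users list.
    $am   = Get-View -Id $VMHost.ExtensionData.ConfigManager.HostAccessManager
    $mode = [string]$am.LockdownMode   # lockdownDisabled | lockdownNormal | lockdownStrict
    $exceptionUsers = @($am.QueryLockdownExceptions() | Where-Object { $_ })

    # Principals holding the Admin access mode on the host (assumption: exact-name match).
    $admins = @($am.RetrieveHostAccessControlEntries() |
        Where-Object { [string]$_.AccessMode -eq 'accessAdmin' } |
        ForEach-Object { $_.Principal })
    $adminExceptions = @($exceptionUsers | Where-Object { $admins -contains $_ })

    $dcuiAccess = (Get-AdvancedSetting -Entity $VMHost -Name 'DCUI.Access').Value

    # Service keys: DCUI = Direct Console UI, TSM = ESXi Shell, TSM-SSH = SSH.
    $running = @(Get-VMHostService -VMHost $VMHost |
        Where-Object { $_.Running -and $_.Key -in 'DCUI', 'TSM', 'TSM-SSH' } |
        ForEach-Object { $_.Key })

    $findings = @()
    if ($mode -eq 'lockdownDisabled') {
        $findings += 'Lockdown mode is not enabled'
    }
    if ($mode -eq 'lockdownStrict' -and $running -contains 'DCUI') {
        $findings += 'DCUI service is running in strict lockdown mode'
    }
    if ($mode -ne 'lockdownDisabled' -and $adminExceptions.Count -gt 0 -and
        ($running -contains 'TSM' -or $running -contains 'TSM-SSH')) {
        $findings += 'Shell/SSH running; admin Exception Users keep access'
    }

    [pscustomobject]@{
        Host            = $VMHost.Name
        LockdownMode    = $mode
        ExceptionUsers  = $exceptionUsers -join ', '
        AdminExceptions = $adminExceptions -join ', '
        DcuiAccess      = $dcuiAccess
        RunningServices = $running -join ', '
        Findings        = $findings -join '; '
    }
}

Get-VMHost | ForEach-Object { Get-LockdownPosture -VMHost $_ } | Format-List
```

Review the `AdminExceptions` and `DcuiAccess` columns together: per the table, these are the accounts that retain DCUI, ESXi Shell or SSH access once lockdown mode is on.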