What about Local(Unix) user on IdM Joined Client

For a IdM joined Client/Host - is it possible to only allow login with a IdM identity and totally disable local unix users?

Or will it always be possible to sign in with local users e.g. local root account if you have physical console access?

On Windows domain joined computers LAPS can be configured as a part of AD to ensure the local administrator password (equivalent to root) is changed randomly - does IdM provide something similar?