Question

Create Admin Account on Mac

  • February 21, 2020
  • 10 replies
  • 68 views


I know there is an account created when the device is enrolled into Jamf but we would like to create another admin account when the device is being enrolled and also to all the current devices we have enrolled. What is the best way to do this?

10 replies

  • Contributor
  • 10 replies
  • February 21, 2020

We have a policy running the following command in "Files and Processes" (edited for anonymity). This is a hidden account though, so you may need to edit a bit.

jamf createAccount -username adminuser -realname AdminUser -password AdminPassword -home /private/var/adminuser -shell "/bin/bash" -hiddenUser -admin


  • Contributor
  • 31 replies
  • February 21, 2020

Here's the script we use to do this:

#!/bin/bash

#Creates 'jamfadmin' user
dscl . -create /Users/jamfadmin
dscl . -create /Users/jamfadmin UserShell /bin/bash
dscl . -create /Users/jamfadmin RealName "jamfadmin"
dscl . -create /Users/jamfadmin UniqueID "401"
dscl . -create /Users/jamfadmin PrimaryGroupID 20
dscl . -create /Users/jamfadmin NFSHomeDirectory /var/jamfadmin
dscl . -passwd /Users/jamfadmin YourPasswordHere

#Creates home folder
mkdir /var/jamfadmin
chown -R jamfadmin /var/jamfadmin

#Makes 'jamfadmin' a local admin
dscl . -append /Groups/admin GroupMembership jamfadmin

#Hide user (hides every account with a UID below 500 from the login window)
defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool YES

#Gives SSH access to 'jamfadmin'
dseditgroup -o edit -n /Local/Default -u ExistingAdminAccount -P ExistingAdminPassword -a jamfadmin -t user com.apple.access_ssh

Setting the uniqueID to 401 and then hiding sub-500 users make the account hidden if you want that. If not, just delete those lines from the script and allow macOS to auto-assign the uniqueID.
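
As an added example that is not from any poster in this thread: a small audit function that reports which members of the local admin group have a UID below 500, i.e. the accounts that the Hide500Users setting described above removes from the login window. It parses constructed sample output in the same shape as `dscl . -list /Users UniqueID` and `dscl . -read /Groups/admin GroupMembership`, so it runs on any system; the commented call at the end shows how to feed it live output on a Mac.

```shell
#!/bin/sh
# hidden_admins USERS_LIST ADMIN_MEMBERS HIDE500
#   USERS_LIST    text in the shape of `dscl . -list /Users UniqueID` ("name uid" per line)
#   ADMIN_MEMBERS text in the shape of `dscl . -read /Groups/admin GroupMembership`
#   HIDE500       value of the Hide500Users loginwindow key ("1" when set, empty otherwise)
# Prints one line per admin-group member whose UID is below 500 (root, UID 0, is skipped
# because it never appears at the login window anyway) and whether Hide500Users hides it.
hidden_admins() {
  printf '%s\n' "$1" | awk -v members="$2" -v hide="$3" '
    BEGIN {
      sub(/^GroupMembership: */, "", members)   # drop the dscl attribute label
      n = split(members, m, " ")
      for (i = 1; i <= n; i++) admin[m[i]] = 1
    }
    ($1 in admin) && $2 + 0 < 500 && $2 + 0 != 0 {
      print $1 " uid=" $2 (hide == "1" ? " hidden-from-loginwindow" : " visible")
    }'
}

# Constructed sample data (not captured from a real machine): one sub-500 admin
# created the way the script above does it, plus ordinary users and a system account.
USERS_SAMPLE='root 0
_windowserver 88
jamfadmin 401
alice 501
bob 502'
ADMIN_SAMPLE='GroupMembership: root alice jamfadmin'

hidden_admins "$USERS_SAMPLE" "$ADMIN_SAMPLE" 1
# On a Mac, feed it the live directory data instead:
# hidden_admins "$(dscl . -list /Users UniqueID)" \
#   "$(dscl . -read /Groups/admin GroupMembership)" \
#   "$(defaults read /Library/Preferences/com.apple.loginwindow Hide500Users 2>/dev/null)"
```

Running it in a Jamf policy or extension attribute gives an inventory of hidden admin accounts, which is the check to pair with a script like the one above so that an account you meant to hide is actually hidden and no other unexpected sub-500 admins exist.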


  • Author
  • New Contributor
  • 3 replies
  • February 21, 2020

When I use the above script I get "Error running script: return code was 64."


  • Contributor
  • 17 replies
  • April 30, 2020

@arpierson Would this work with Catalina? I need to run something like this on a few MacBooks now because I just noticed the admin is not being created during enrollment anymore.


  • Contributor
  • 31 replies
  • April 30, 2020

@valentin.peralta It seems that it doesn't work perfectly on Catalina, but still seems to get the job done. I haven't visited this script yet on our client machines on Catalina, but just tried it on my work Mac Mini. It threw an eDSPermissionError and reported that it failed to set the credentials, but the user did get created and I was able to log in with the account and password that I set in the script.


  • Contributor
  • 17 replies
  • April 30, 2020

@arpierson Thanks for the prompt response. I will give it a try and see what happens. I have two new MacBooks with no admin account for some reason. I need to use a workaround while they find the root cause.


  • New Contributor
  • 3 replies
  • November 13, 2020

This functionality is built into the Prestage Enrollment section in Jamf Pro. Here is a link to the discussion where I found this: https://www.jamf.com/jamf-nation/discussions/30574/local-admin-needed-before-user-account#responseChild201984


  • New Contributor
  • 3 replies
  • November 13, 2020

I use this script. Works like a charm.

sudo /usr/local/bin/jamf createAccount -username User -realname "HiddenAdmin" -password password -home /var/netadmin -hiddenUser -admin -secureSSH

Change all in bold to whatever you want.


user-JMBZcPKoRT
  • New Contributor
  • 1 reply
  • October 15, 2021

You can do this directly in Policies within Jamf Pro now under "Local Accounts". https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Local_Accounts.html


adl-gavinator
  • Contributor
  • 16 replies
  • September 14, 2022

@user-JMBZcPKoRT It's not hidden though. You would have to use the script for that.