
We don’t have ldap integration yet.

So when we automatically enroll a computer (when new or wiped) the first user account is always admin. Which is impractical if the machine is shipped directly to the user.

We create our admin user at prestage enrollment, or should the admin account we are about to use for troubleshooting etc. be created using a configuration profile? What is the best practice, I’m asking.

In any way, after wipe or at first boot, the user that gets created WILL be created with admin rights. My question is if there is a way to create the first user with user-only rights as we create our admin account way before this step.

Thanks

So this can be configured in the pre-stage policy.

Under Account settings is where you create your local admin, which can also be configured for LAPS.

Recommend you select hide.

Then you have a local user account type.

Select “Standard Account”, which will create the user created at the Setup Assistant as a standard user.

The first user account (501) on macOS must be an admin; you cannot set up macOS without at least one admin account present. Windows has this same requirement.

Use the prestage to create your local admin account, and macOS will create the user (502+) as a standard user account.
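A way to verify that outcome on an enrolled Mac, added here as an example and not taken from the thread: it parses `dscl` output (a constructed sample is embedded below; the account names `mgmtadmin` and `jdoe` are assumptions) and flags any UID 500+ account other than the PreStage-created admin that sits in the local admin group.

```shell
#!/bin/sh
# Added example, not from the thread: after a PreStage enrollment, confirm that
# only the managed admin created by the PreStage holds admin rights and that the
# account created at Setup Assistant (UID 502+) is a standard user.
# The functions take the raw text of two dscl commands as arguments, so they can
# run here on constructed sample output. On an enrolled Mac, feed them:
#   dscl . -list /Users UniqueID
#   dscl . -read /Groups/admin GroupMembership

# "name uid" for every account with UID >= 500 (skips system/service accounts).
local_users() {
    printf '%s\n' "$1" | awk '$2 >= 500 { print $1, $2 }'
}

# Members of the local admin group, one per line.
admin_members() {
    printf '%s\n' "$1" | sed -n 's/^GroupMembership: *//p' | tr ' ' '\n'
}

# Usage: unexpected_admins "<user list>" "<group record>" "<managed admin>"
# Prints "name uid" for every UID >= 500 admin other than the managed admin.
unexpected_admins() {
    local_users "$1" | while read -r name uid; do
        if [ "$name" != "$3" ] && admin_members "$2" | grep -qx "$name"; then
            printf '%s %s\n' "$name" "$uid"
        fi
    done
}

# Returns 1 (fail) when anyone besides the managed admin has admin rights.
audit_admins() {
    extra=$(unexpected_admins "$1" "$2" "$3")
    if [ -n "$extra" ]; then
        printf 'FAIL: unexpected admin accounts:\n%s\n' "$extra"
        return 1
    fi
    printf 'OK: only %s holds admin rights\n' "$3"
}

# Constructed sample output (account names are made up): the PreStage admin
# became UID 501 and the Setup Assistant user became a standard UID 502 account.
SAMPLE_USERS='_mbsetupuser  248
root          0
mgmtadmin     501
jdoe          502'
SAMPLE_GROUP='GroupMembership: root mgmtadmin'

audit_admins "$SAMPLE_USERS" "$SAMPLE_GROUP" mgmtadmin
```

Run it as a Jamf policy script (or ad hoc over SSH) with the real `dscl` output substituted for the sample strings; a non-zero exit means the Setup Assistant user, or something else, ended up with admin rights.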