Skip to main content

Hello jamf nation,


We have 2 managed local administrator accounts on our Macs. One is the PreStage admin, which is created during the macOS Setup Assistant. This is the PreStage admin "hu", which is LAPS enabled. And we have the jamf management account "ja", which is also LAPS enabled.


We have now removed the PreStage admin "hu" from all devices, as we only wanted to have one admin on the devices. Since LAPS, we can now also use the jadmin, if necessary, to enter passwords in exceptional cases.


Unfortunately, the PreStage admin remains in the jamf Pro database and is displayed in the computer object. There is also still the option to display the LAPS password. If you display the Laps password, it ends with the Failed mdm command:


"SetAutoAdminPassword" - "Unable to find user with GUID '851D63DB-068A-4FCD-B650-709144FE6E20'"


Has anyone else removed the PreStage Admin and had the same experience or do you just leave the Admin and have 2 Admins on the devices?


 


missedited

In our environment, we typically leave the PreStage Admin. Some of our programs seem to call to that profile to run. We haven't had an issue before with leaving both on there. I will say from personal experience, I've had a LAPS password expire and not issue another proper password for the primary admin and had to rely on the PreStage admin instead. Though, it really comes down to your security team if they only want one admin per machine.

How did you delete the Prestage admin account? To verify if the account is still visible on the device, run the following command: dscl . list /Users | grep “hu”. 

 

I delete the admin account with a policy and the local accounts payload. the account does not exist on the machine anymore but jam pro thinks, that the managed local admin account is still there.

Do you still have the Account settings in the Prestage enrollment enabled

if yes, try disabling it and check the status.

 

We can’t disable prestage admin because we need them with skip account creation because we are using jamf connect 

We can’t disable prestage admin because we need them with skip account creation because we are using jamf connect 


Did you end up finding a solution for this? I'm also running into the same issue trying to delete the PreStage admin account

Hi @Jay_007,


Unfortunately, I haven't received any clear statements from Jamf support. I don't delete the prestage anymore.

Reply


Terms & ConditionsCookie settings