Adding Additional Management Account for SSH Use

sepiemoini
Contributor III

We have a standard management account that we use which is deployed during imaging and at enrollment. A request has been brought forth to add a second management account. The Local Accounts and Management Accounts payloads do not seem to have this feature built-in. It is worth noting that the second account that is needed to have SSH functionality enabled is being added via a Self Service policy that is initiated by the user performing the imaging/deployment of the client machine. This policy adds that user as an administrator and as a FileVault 2-enabled user. Has anyone else implemented a similar workflow? If so, do you mind sharing what steps you took?

2 ACCEPTED SOLUTIONS

sepiemoini
Contributor III

Great, thanks @mike.pinto!

What about just simply adding a Files and Processes>Execute Command in the account creation policy?

sudo dseditgroup -o edit -t user -a <username> com.apple.access_ssh

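The group-membership step from this thread as a policy script, as an added example that is not part of the original posts. The function names (`valid_username`, `is_ssh_member`, `grant_ssh_access`) and the `DSEDITGROUP` override variable are hypothetical; the script assumes it runs as root and that the account was already created earlier in the policy.

```shell
#!/bin/sh
# Added example (not from the thread): grant one existing local account SSH
# access via com.apple.access_ssh and verify it. Meant to run as root.
SSH_GROUP="com.apple.access_ssh"
# Absolute path so a root script does not rely on PATH. The override
# variable is an assumption of this example, used for testing.
DSEDITGROUP="${DSEDITGROUP:-/usr/sbin/dseditgroup}"

# Reject empty names, the literal <username> placeholder, and anything that
# could be parsed as an option or a path.
valid_username() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# checkmember prints "yes ..." or "no ..."; read the text, not the exit code.
is_ssh_member() {
    case "$("$DSEDITGROUP" -o checkmember -m "$1" "$SSH_GROUP" 2>/dev/null)" in
        yes*) return 0 ;;
        *)    return 1 ;;
    esac
}

grant_ssh_access() {
    user="$1"
    valid_username "$user" || { echo "invalid username" >&2; return 2; }
    # Only touch accounts that already exist (created earlier in the policy).
    id -u "$user" >/dev/null 2>&1 || { echo "no such account: $user" >&2; return 3; }
    if is_ssh_member "$user"; then
        echo "$user already in $SSH_GROUP"
        return 0
    fi
    # Fails (return 4) if the group is missing, rather than creating it.
    "$DSEDITGROUP" -o edit -a "$user" -t user "$SSH_GROUP" || return 4
    # Confirm the change took effect before reporting success.
    is_ssh_member "$user" || return 5
    echo "$user added to $SSH_GROUP"
}

# Stand-alone use: pass the account name as the first argument.
if [ -n "${1:-}" ]; then
    grant_ssh_access "$1"
fi
```

A non-zero exit code makes the policy log show that the grant did not happen, and running the script twice leaves group membership unchanged.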

sepiemoini
Contributor III

And when I meant SSH access, I meant remote management! I added this as an Execute Command which did the trick.

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -users <username> -privs -all -restart -agent -menu


5 REPLIES

sepiemoini
Contributor III

Looking into this approach right now: http://magervalp.github.io/CreateUserPkg/

Many thanks, @cshepp11!

sepiemoini
Contributor III

Hmmm, does anyone have a more streamlined approach? Perhaps via scripting? I should have added that this would be for OS X 10.11.5 deployments.

mike_pinto
New Contributor III

Couldn't you drop the package to create a user and then add them to the com.apple.access_ssh group in a postinstall?
