Posted on 01-08-2016 02:31 PM
We're in a scenario where we want to simplify how we can get new remote users up and running with laptops. Currently, our hardware support team sets up a webex, joins VPN, some other painful stuff, etc. What I'm working on is creating an application (so that non-standard admins can launch this) that will both create their user account and add them to file vault, then immediately log out and delete our temporary user.
In my thinking I came up with a combination of a few things, but starting with an AppleScript that can do a lot of this because a) I can set it as read only (and keep my service account name/password hidden) and b) users can launch this without admin rights:
-- Prompt for the new user's short name.
to getusername()
	display dialog "Enter your User ID:" default answer ""
	-- Return the text itself, not a one-item list ({userid}), so it concatenates cleanly below.
	return text returned of result
end getusername

-- Prompt for the new user's password without echoing it.
to getuserpwd()
	display dialog "Enter your password:" default answer "" with hidden answer
	return text returned of result
end getuserpwd

set userid to getusername()
set userpass to getuserpwd()

-- Create the mobile account. "quoted form of" shell-escapes the values so spaces or
-- quote characters in the password cannot break the command.
do shell script "/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -v -e -n " & quoted form of userid & " -p " & quoted form of userpass user name "SERVICEACCOUNT" password "PASSWORD" with administrator privileges

-- fdesetup's -p flag prompts on a terminal and cannot be answered from do shell script, so the
-- credentials are supplied as an input plist on stdin instead (nothing is written to disk).
-- SERVICEACCOUNT must itself be FileVault-enabled to authorise the add; passwords containing
-- <, > or & would additionally need XML escaping.
set fvPlist to "<plist version=\"1.0\"><dict><key>Username</key><string>SERVICEACCOUNT</string><key>Password</key><string>PASSWORD</string><key>AdditionalUsers</key><array><dict><key>Username</key><string>" & userid & "</string><key>Password</key><string>" & userpass & "</string></dict></array></dict></plist>"
do shell script "printf '%s' " & quoted form of fvPlist & " | /usr/bin/fdesetup add -inputplist" user name "SERVICEACCOUNT" password "PASSWORD" with administrator privileges
I've seen people tackle the FileVault challenge a few different ways. Given our over security limitations, I have no way to create the .plist that everyone else seems to use that caches the user info and imports it. Thoughts? Am I going about this the wrong way? Anyone else have/had/solved this challenge?
Thanks.
Posted on 01-11-2016 10:05 AM
I'm in the middle of something else at the moment so can't review this info, but I did do something similar a year or so ago. I've got a script (https://github.com/tmhoule/ProfileMigration) which will prompt for local admin credentials and will add a user to FileVault. You should be able to pull the code you need from there.
Posted on 01-11-2016 10:54 AM
@thoule Looking through your work and I THINK it'll solve my issue of not having the user's password to pass into the .plist file. Looking through your work, though, it doesn't seem like you clean up the temp .plist that gets created? Or am I wrong? (I know it's in /tmp/, but doesn't it still need to be removed since the users' passwords are in clear text?)
Posted on 01-11-2016 11:01 AM
... and it looks like something similar was done here - but not as a Script Editor-created application.