We're in a scenario where we want to simplify how we can get new remote users up and running with laptops. Currently, our hardware support team sets up a webex, joins VPN, some other painful stuff, etc. What I'm working on is creating an application (so that non-standard admins can launch this) that will both create their user account and add them to file vault, then immediately log out and delete our temporary user.
In my thinking I came up with a combination of a few things, but starting with an AppleScript that can do a lot of this because I can set it as read only (and keep my service account name/password hidden and b) users can launch this without admin rights:
to getusername()
display dialog "Enter your User ID:" default answer ""
set userid to text returned of result
return {userid}
end getusername
to getuserpwd()
display dialog "Enter your password:" default answer "" with hidden answer
set userpwd to text returned of result
return {userpwd}
end getuserpwd
set userid to getusername()
set userpass to getuserpwd()
do shell script "/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -v -e -n " & userid & " -p " & "'" & userpass & "'" user name "SERVICEACCOUNT" password "PASSWORD" with administrator privileges
do shell script "fdesetup add -usertoadd " & userid & " -p -keychain" with administrator privileges
delay (write text "'" & userpass & "'")I've seen people tackle the FileVault challenge a few different ways. Given our over security limitations, I have no way to create the .plist that everyone else seems to use that caches the user info and imports it. Thoughts? Am I going about this the wrong way? Anyone else have/had/solved this challenge?
Thanks.
