Best way to create hidden admin account

johnklimeck
Contributor II

Under Management > Polices one can create a policy that create a new admin account.

How can this account then become hidden in OS X, Sys Prefs > Users & Groups, as to prevent users from seeing / and or deleting the account.

Thanks in advance.

John

2 ACCEPTED SOLUTIONS

ernstcs
Contributor III

Instead of using the interface to create the account you could use a command line to create it with the binary.

/usr/sbin/jamf help createAccount

There is an option in there for -hiddenUser

You could also start a feature request for having the make user hidden (an ID under 500) added to the policy interface of the JSS and Casper Remote.

View solution in original post

rtrouton
Valued Contributor III

You can use the jamf binary for this. Here's the current options as of 8.62:

Usage:   jamf createAccount -username <username> -realname <Real Name> 
         [-password <password>] [-passhash <passhash>] [-home </path/to/home/directory>] 
         [-hint <hint>] [-shell <shell>] [-picture <picture>]
         [-admin] [-secureSSH] [-hiddenUser] [-networkUser]

     -username       The user's user name 

     -realname       The user's real name

     -password       The password of the user

     -passhash       The hashed password of the user

     -home           The location of the user's home directory

     -hint           The hint displayed to the user

     -shell          The user's default shell

     -picture        The user's picture for the Login window

     -admin          This flag adds the user to the admin group.

     -hiddenUser         Creates an account with a UID under 500 and hides it

     -networkUser        Creates an account with a UID over 1025

     -secureSSH          Modifies the /etc/sshd_config file to lock out all other users 
                 In Mac OS X 10.5 and later, the group com.apple.ssh_access is modified instead of sshd_config.

View solution in original post

17 REPLIES 17

ernstcs
Contributor III

Instead of using the interface to create the account you could use a command line to create it with the binary.

/usr/sbin/jamf help createAccount

There is an option in there for -hiddenUser

You could also start a feature request for having the make user hidden (an ID under 500) added to the policy interface of the JSS and Casper Remote.

jacob_salmela
Contributor II

I am certain there are other ways to do this, but this is how I have typically done it (I last used this on 10.6). There is probably a way to set the User ID and stuff via the Terminal, too. This is just the way I have always done it:

  1. Open System Preferences > Users & Groups
  2. Control-click the admin user (secretadmin in this example)
  3. Choose Advanced options...
  4. Change the User ID to 499
  5. Change the Home Directory path to a hidden folder, such as /var/.secretadmin
  6. Open Terminal
  7. Enter the following commands:
    sudo mv /Users/secretadmin /var/.secretadmin
    sudo chown -R secretadmin /var/.secretadmin
    sudo rm -R /var/.secretadmin/Public
    sudo rm -R /var/.secretadmin/Sites
    sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool TRUE
    sudo defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array secretadmin

rtrouton
Valued Contributor III

You can use the jamf binary for this. Here's the current options as of 8.62:

Usage:   jamf createAccount -username <username> -realname <Real Name> 
         [-password <password>] [-passhash <passhash>] [-home </path/to/home/directory>] 
         [-hint <hint>] [-shell <shell>] [-picture <picture>]
         [-admin] [-secureSSH] [-hiddenUser] [-networkUser]

     -username       The user's user name 

     -realname       The user's real name

     -password       The password of the user

     -passhash       The hashed password of the user

     -home           The location of the user's home directory

     -hint           The hint displayed to the user

     -shell          The user's default shell

     -picture        The user's picture for the Login window

     -admin          This flag adds the user to the admin group.

     -hiddenUser         Creates an account with a UID under 500 and hides it

     -networkUser        Creates an account with a UID over 1025

     -secureSSH          Modifies the /etc/sshd_config file to lock out all other users 
                 In Mac OS X 10.5 and later, the group com.apple.ssh_access is modified instead of sshd_config.

johnklimeck
Contributor II

Sweet, used jamf createAccount to create the account via bash script. Admin and hidden. Works like a charm.

Thanks

John

SeanA
Contributor III

All hail Der Flounder!!!
All hail Craig Ernst!!!

jwojda
Valued Contributor II

How do we create a passhash? I tried the Jamf Quickadd from 8.7 and it errors out when I install it. So I tried another suggestion of the createadmin from instadmg - which says it completes successfully, but I still can't login with it. But I haven't really found anything on how to create a passhash.

mm2270
Legendary Contributor III

Re: The passhash, I had looked into that as well and was told by our JAMF TAM that this option is old and no longer usable. I had asked them to remove it entirely from the jamf binary's help and options if that was the case, since its misleading to have it in there. It looks like its still there though.
So as far as I've been told and can tell, you can't really use it. However, if anyone has found a way to use that option successfully, I'd be all ears/eyes.

jwojda
Valued Contributor II

sending local admin passwords as clear text doesn't seem like a logical move that Jamf would do...

rtrouton
Valued Contributor III

Another option (assuming this isn't a management account that Casper itself uses) is to use CreateUserPkg:

http://magervalp.github.io/CreateUserPkg/

CreateUserPkg is also available from the Mac App Store:

https://itunes.apple.com/us/app/createuserpkg/id540673598?mt=12

This tool generates an installer package which creates a local user account on installation. You can specify the UID of the account to be less than 500 (which should hide it) and also give it administrator rights. The password will be stored as a salted SHA1 hash.

jwojda
Valued Contributor II

that's the one from instadmg's page? I tried that too, it says it installed, but it couldn't login with it.

bentoms
Esteemed Contributor
Esteemed Contributor

Do you need a hidden admin account or management account?

If the later, why not specify a simple password & then have a policy that changes it randomly?

rtrouton
Valued Contributor III

@jwojda,

The createUser included with InstaDMG is an older version that worked on 10.5.x - 10.6.x. The CreateLionUser also included with InstaDMG will work, but CreateUserPkg from GitHub / App Store is the latest version.

CreateUserPkg is actively being developed and maintained, so I recommend using that.

DanSloan
New Contributor

If I use createUserPkg, should I be concerned about picking a User ID that is in use?

mm2270
Legendary Contributor III

@DanSloan - You'd certainly want to be careful not to choose a UID already in use. If this was being done via scripting a new user account, there are ways of dynamically determining an unused ID, but since CreateUserPkg requires the ID to be entered ahead of time, you'll have to determine what will work for you.
If this is to be a hidden account, as long as you're sure its not in use the default 499 ID should be OK.
If its going to be a visible account, you can use something kind of high like 600. Its highly unlikely any accounts already on your systems would have that assigned to them. The OS starts at 501 for the very first user account and simply goes up by increments of 1 for each new one created via the Users & Groups Preference Pane.

martel
New Contributor III

Is there a way to use the Jamf Binary Hide the account, make it an admin and filevault the account?

NightFlight
New Contributor III

Yes if your creating. Check the help on the 'jamf' command, or see above.

I came here looking for a way to assign the new management account without calling recon. After fresh imaging and flushing policies I find my machines are hitting recon about 3 or 4 times with everything getting triggered.

tfoggi
New Contributor II

One more option I don't see here:

While I love an opportunity to script something, I obviously don't want the account password in plain text, and also didn't want to deal with hashing the password, etc., so I came up with this option, tested and it works.

Turns out you can hide any account even if the UID is above 500 - it's just that by default, the sub-500 UIDs are hidden. So here's what I did:

1. Create the account using a policy with the "Local Accounts" payload. Keep in mind that since you want it hidden, you need to make sure the home directory path is a hidden location. I used /private/var/<account name> since that's the location the JSS uses when it creates management accounts, and the account I'm creating is going to eventually be a new management account, but you can use any hidden path that suits your situation. This will create an account with UID above 500, but no worries, see next step-

2. In that same policy, use the "Files and Processes" payload to execute the following command:
dscl . create /Users/<account name> IsHidden 1

This will hide the account using the same method that sub-500 UID accounts are hidden with by default. So even though your acocunt has a UID above 500, it's hidden the same way the sub 500 ones are.

You're done. No need to mess with packages, scripts, salted hashes, etc.

I threw a maintenance payload in there with an "Update Inventory" since I scoped mine to a smart group with the criteria of "Local user accounts does not have <account name>", triggered at recurring check-in, once daily, but you may want to deploy using a different method.