Posted on 01-29-2013 12:43 PM
Under Management > Policies one can create a policy that creates a new admin account.
How can this account then be hidden in OS X (System Preferences > Users & Groups) so as to prevent users from seeing and/or deleting the account?
Thanks in advance.
John
Posted on 01-29-2013 01:04 PM
Instead of using the interface to create the account you could use a command line to create it with the binary.
/usr/sbin/jamf help createAccount
There is an option in there for -hiddenUser
You could also start a feature request for having a "make user hidden" option (a UID under 500) added to the policy interface of the JSS and Casper Remote.
Posted on 01-29-2013 01:14 PM
You can use the jamf binary for this. Here are the current options as of 8.62:
Usage: jamf createAccount -username <username> -realname <Real Name>
[-password <password>] [-passhash <passhash>] [-home </path/to/home/directory>]
[-hint <hint>] [-shell <shell>] [-picture <picture>]
[-admin] [-secureSSH] [-hiddenUser] [-networkUser]
-username The user's user name
-realname The user's real name
-password The password of the user
-passhash The hashed password of the user
-home The location of the user's home directory
-hint The hint displayed to the user
-shell The user's default shell
-picture The user's picture for the Login window
-admin This flag adds the user to the admin group.
-hiddenUser Creates an account with a UID under 500 and hides it
-networkUser Creates an account with a UID over 1025
-secureSSH Modifies the /etc/sshd_config file to lock out all other users
In Mac OS X 10.5 and later, the group com.apple.ssh_access is modified instead of sshd_config.
Posted on 01-29-2013 01:10 PM
I am certain there are other ways to do this, but this is how I have typically done it (I last used this on 10.6). There is probably a way to set the User ID and stuff via the Terminal, too. This is just the way I have always done it:
# Move the home folder out of /Users so it no longer shows up in Finder or Users & Groups
sudo mv /Users/secretadmin /var/.secretadmin
sudo chown -R secretadmin /var/.secretadmin
# Point the account record at the new home; without this the OS recreates /Users/secretadmin at the next login
sudo dscl . -create /Users/secretadmin NFSHomeDirectory /var/.secretadmin
# Drop the shared folders that would otherwise remain visible via file sharing
sudo rm -R /var/.secretadmin/Public
sudo rm -R /var/.secretadmin/Sites
# Hide sub-500 UIDs from the login window, and hide this account by name
sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool TRUE
sudo defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array secretadmin
Posted on 01-29-2013 01:40 PM
Sweet, used jamf createAccount to create the account via bash script. Admin and hidden. Works like a charm.
Thanks
John
Posted on 01-29-2013 01:47 PM
All hail Der Flounder!!!
All hail Craig Ernst!!!
Posted on 05-03-2013 08:36 AM
How do we create a passhash? I tried the Jamf Quickadd from 8.7 and it errors out when I install it. So I tried another suggestion of the createadmin from instadmg - which says it completes successfully, but I still can't login with it. But I haven't really found anything on how to create a passhash.
Posted on 05-03-2013 08:45 AM
Re: the passhash, I had looked into that as well and was told by our JAMF TAM that this option is old and no longer usable. I had asked them to remove it entirely from the jamf binary's help and options if that was the case, since it's misleading to have it in there. It looks like it's still there though.
So as far as I've been told and can tell, you can't really use it. However, if anyone has found a way to use that option successfully, I'd be all ears/eyes.
Posted on 05-03-2013 09:00 AM
sending local admin passwords as clear text doesn't seem like a logical move that Jamf would do...
Posted on 05-03-2013 09:16 AM
Another option (assuming this isn't a management account that Casper itself uses) is to use CreateUserPkg:
http://magervalp.github.io/CreateUserPkg/
CreateUserPkg is also available from the Mac App Store:
https://itunes.apple.com/us/app/createuserpkg/id540673598?mt=12
This tool generates an installer package which creates a local user account on installation. You can specify the UID of the account to be less than 500 (which should hide it) and also give it administrator rights. The password will be stored as a salted SHA1 hash.
Posted on 05-03-2013 09:21 AM
That's the one from InstaDMG's page? I tried that too; it says it installed, but I couldn't log in with it.
Posted on 05-03-2013 09:29 AM
Do you need a hidden admin account or management account?
If the latter, why not specify a simple password and then have a policy that changes it randomly?
Posted on 05-03-2013 09:37 AM
@jwojda,
The createUser included with InstaDMG is an older version that worked on 10.5.x - 10.6.x. The CreateLionUser also included with InstaDMG will work, but CreateUserPkg from GitHub / App Store is the latest version.
CreateUserPkg is actively being developed and maintained, so I recommend using that.
Posted on 10-16-2013 08:17 AM
If I use createUserPkg, should I be concerned about picking a User ID that is in use?
Posted on 10-16-2013 09:29 AM
@DanSloan - You'd certainly want to be careful not to choose a UID already in use. If this was being done via scripting a new user account, there are ways of dynamically determining an unused ID, but since CreateUserPkg requires the ID to be entered ahead of time, you'll have to determine what will work for you.
If this is to be a hidden account, as long as you're sure it's not in use, the default 499 ID should be OK.
If it's going to be a visible account, you can use something fairly high like 600. It's highly unlikely any accounts already on your systems would have that assigned to them. The OS starts at 501 for the very first user account and simply goes up by increments of 1 for each new one created via the Users & Groups Preference Pane.
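As an added example (not code from the thread or from CreateUserPkg), here is the scripted alternative the reply alludes to: picking the lowest unused UID in a range from the output of `dscl . -list /Users UniqueID`, so a hidden account never collides with an existing ID. The user list is a constructed sample so the script runs anywhere; the 400-499 range for hidden accounts and 501-600 for visible ones are assumed policy, not something the post prescribes.

```shell
#!/bin/sh
# Added example: choose an unused local UID from `dscl . -list /Users UniqueID` output.
# On a Mac:  dscl . -list /Users UniqueID | lowest_free_uid 400 499
# Below, the dscl output is a constructed sample (not captured from a real system).

# lowest_free_uid MIN MAX  <  "name uid" lines
# Prints the lowest UID in [MIN, MAX] absent from the input; exit 1 if the range is full.
lowest_free_uid() {
    awk -v min="$1" -v max="$2" '
        NF >= 2 { used[$2] = 1 }          # column 2 of each dscl line is the UniqueID
        END {
            for (uid = min; uid <= max; uid++)
                if (!(uid in used)) { print uid; exit 0 }
            exit 1
        }'
}

# uid_in_use UID  <  "name uid" lines ; exit 0 if that UID is already taken
uid_in_use() {
    awk -v want="$1" 'NF >= 2 && $2 == want { found = 1 } END { exit !found }'
}

# Constructed sample of `dscl . -list /Users UniqueID` (not real output)
SAMPLE_USERS='_mbsetupuser    248
root            0
nobody          -2
admin           501
jdoe            502
svcacct         499
legacy          498'

# Hidden accounts conventionally sit below 500 but above the Apple service-account range.
pick_hidden_uid() {
    printf '%s\n' "$SAMPLE_USERS" | lowest_free_uid 400 499
}

# Visible accounts start at 501; take the lowest free slot above that.
pick_visible_uid() {
    printf '%s\n' "$SAMPLE_USERS" | lowest_free_uid 501 600
}

if [ "${1:-}" = "demo" ]; then
    echo "hidden uid:  $(pick_hidden_uid)"     # 400
    echo "visible uid: $(pick_visible_uid)"    # 503
fi
```

Pipe the real `dscl` listing into `lowest_free_uid` (or `uid_in_use 499` before accepting CreateUserPkg's default) to get the same check on a live system; directory-bound Macs should also consult the network directory, since `dscl .` only sees the local node.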
Posted on 03-15-2016 01:17 PM
Is there a way to use the Jamf Binary Hide the account, make it an admin and filevault the account?
Posted on 04-19-2016 01:21 PM
Yes, if you're creating it. Check the help on the 'jamf' command, or see above.
I came here looking for a way to assign the new management account without calling recon. After fresh imaging and flushing policies I find my machines are hitting recon about 3 or 4 times with everything getting triggered.
Posted on 11-25-2016 09:00 AM
One more option I don't see here:
While I love an opportunity to script something, I obviously don't want the account password in plain text, and also didn't want to deal with hashing the password, etc., so I came up with this option, tested and it works.
Turns out you can hide any account even if the UID is above 500 - it's just that by default, the sub-500 UIDs are hidden. So here's what I did:
1. Create the account using a policy with the "Local Accounts" payload. Keep in mind that since you want it hidden, you need to make sure the home directory path is a hidden location. I used /private/var/<account name> since that's the location the JSS uses when it creates management accounts, and the account I'm creating is going to eventually be a new management account, but you can use any hidden path that suits your situation. This will create an account with UID above 500, but no worries, see next step-
2. In that same policy, use the "Files and Processes" payload to execute the following command:
dscl . create /Users/<account name> IsHidden 1
This will hide the account using the same method that sub-500 UID accounts are hidden with by default. So even though your account has a UID above 500, it's hidden the same way the sub-500 ones are.
You're done. No need to mess with packages, scripts, salted hashes, etc.
I threw a maintenance payload in there with an "Update Inventory" since I scoped mine to a smart group with the criteria of "Local user accounts does not have <account name>", triggered at recurring check-in, once daily, but you may want to deploy using a different method.
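The thread now describes three ways an account can end up invisible: a UID under 500, a home directory outside /Users, and the `IsHidden` attribute. The same mechanisms are what an attacker uses to plant a persistent hidden admin, so it is worth being able to enumerate them. The following audit script is an added example, not code from the thread or from Jamf: it parses `dscl . -readall /Users UniqueID IsHidden NFSHomeDirectory` and `dscl . -read /Groups/admin GroupMembership`, reports every non-system account hidden by any of those mechanisms, and marks which ones are admins. Both inputs below are constructed samples so the script runs off a Mac; the record names and paths in them are invented.

```shell
#!/bin/sh
# Added audit example: find local accounts hidden from Users & Groups / loginwindow
# and flag the admins among them. On a Mac, feed it real data:
#   dscl . -readall /Users UniqueID IsHidden NFSHomeDirectory > users.txt
#   dscl . -read /Groups/admin GroupMembership > admins.txt
#   audit_hidden_accounts users.txt admins.txt

# audit_hidden_accounts USERS_FILE ADMINS_FILE
# Prints one line per hidden account: "<name> uid=<uid> admin=<yes|no> reason=<...>"
audit_hidden_accounts() {
    admins=$(sed -n 's/^GroupMembership: //p' "$2")
    awk -v admins=" $admins " '
        function flush(   reason, isadmin) {
            if (name == "") return
            reason = ""
            if (hidden == "1")                      reason = reason "IsHidden;"
            if (uid + 0 > 0 && uid + 0 < 500)       reason = reason "uid<500;"
            if (home != "" && home !~ /^\/Users\//) reason = reason "home-outside-/Users;"
            # Apple service accounts (_name) and the classic system users are expected to be hidden
            if (reason != "" && name !~ /^_/ && name != "root" && name != "daemon" && name != "nobody") {
                isadmin = index(admins, " " name " ") ? "yes" : "no"
                printf "%s uid=%s admin=%s reason=%s\n", name, uid, isadmin, reason
            }
            name = ""; uid = ""; hidden = ""; home = ""
        }
        /^RecordName: /       { name = $2 }
        /^UniqueID: /         { uid = $2 }
        /^IsHidden: /         { hidden = $2 }
        /^NFSHomeDirectory: / { home = $2 }
        /^-$/                 { flush() }      # dscl -readall separates records with "-"
        END                   { flush() }
    ' "$1"
}

# Constructed sample of `dscl . -readall /Users UniqueID IsHidden NFSHomeDirectory`
USERS_SAMPLE='IsHidden: 1
NFSHomeDirectory: /private/var/mgmt
RecordName: mgmt
UniqueID: 502
-
NFSHomeDirectory: /Users/jdoe
RecordName: jdoe
UniqueID: 501
-
NFSHomeDirectory: /var/.secretadmin
RecordName: secretadmin
UniqueID: 499
-
NFSHomeDirectory: /var/root
RecordName: root
UniqueID: 0
-
NFSHomeDirectory: /var/empty
RecordName: _mbsetupuser
UniqueID: 248'

# Constructed sample of `dscl . -read /Groups/admin GroupMembership`
ADMINS_SAMPLE='GroupMembership: root jdoe mgmt'

# Runs the audit over the samples and prints the findings.
run_sample_audit() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' "$USERS_SAMPLE" > "$tmp/users.txt"
    printf '%s\n' "$ADMINS_SAMPLE" > "$tmp/admins.txt"
    audit_hidden_accounts "$tmp/users.txt" "$tmp/admins.txt"
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then
    run_sample_audit
fi
```

On the sample the script reports `mgmt` (IsHidden, home under /private/var, admin) and `secretadmin` (UID 499, home under /var), and stays silent on `jdoe`, `root` and `_mbsetupuser`. Run it from a policy or a periodic job and diff the output against the hidden accounts you deployed on purpose; anything else is worth an incident ticket.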