We have home shored users that are too far from an office so we ship the Mac to them. Since security does not allow users to give their password out we are unable to logon as the user to setup their mobile profile on the mac prior to shipping. We have been successful with the below command, however I cannot give out the root password to our tier 1 tech people, nor do I know how to script this so the end user will be prompted to enter their password. Below is the process we use
Logon to the system with a standard local user acct
Technical person remotes the system
Connects to the VPN
Open terminal SU to root
Run the following command
/System/Library/CoreServices/ManagedClient.ap/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -v -P -n “userADlogon” — h User provides their password
This creates the users profile and creates their home directory
Enable user for FV2
Reboot machine and the user's name will be on the logon screen so they can logon.
Any help on scripting this via JAMF would be greatly appreciated.
One way I have been able to get around the "need the end user's password" is to use NoMAD. (https://nomad.menu)
I constructed the "new build" process where the build techs create an account that matches the end user's AD account, then they supply any password they want to build the Mac. They even use that password to create a mobile account with the "createmobileaccount" command you list. Regardless, when they deliver the Mac, they tell the customer to open NoMAD and log into it with their existing AD password. Since I have NoMAD set to synch any local passwords to the AD password, the local one they used to build with is all changed behind the scenes and done. No one ever has to know (except the end user) what that password is.
Now, in the case of a remote client, all that would have to be prefaced to include: First, connect to the VPN, then open NoMAD.....and do those steps. It's been very handy in this and has made mgmt pretty happy since they were wanting a solution to keep the real password from being "spread around". Hopefully, that's something you can work with.