Changing Default profiles and SIP

swright_mm
New Contributor III

Is there a way to change the default user profiles in El Capitan so that when a domain user logs in they won't receive the permission errors? Configuration profiles don't allow me to do all the things I need to for the domain users' default profile. I tried disabling SIP and then changing it; all of my settings stick, but the user loses permissions. I don't want to have to chown every system after imaging it to make sure that the users have their permissions.

5 REPLIES

davidacland
Honored Contributor II

Hi, you don't need to disable SIP to write into the user template, although it should be avoided unless there is no other option.

In most cases, adding login policies with scripts can do what you need and avoids having to modify the base OS.

If you are getting permissions errors, it sounds like something is wrong with the permissions on the additions to the user template so if you fix it there, it will work for new users logging in.

swright_mm
New Contributor III

@davidacland Usually on other OS versions such as Yosemite and older I would modify the User Template to be able to make the image exactly how I'd like it. But now when I do the same thing I get these errors. When I tried to do it with SIP enabled it allowed me to make changes, but when a domain user logged in it didn't show those changes. After I disabled SIP and made those changes again, I logged in as the domain user and it worked. The only problem was that the permissions to the user's home folder weren't there, so I had to chown it for them to have their permissions.

mm2270
Legendary Contributor III

You should be looking at deploying a DMG using the FUT (Fill User Template) option enabled on it to deploy the changes to the User Template. Or script changes in your image to that folder before capturing it. I'm not sure how you were doing the same changes before, but those are the only real ways to do it that aren't going to mess things up or just block you altogether.
As @davidacland mentioned, the /System/Library/User Template/English.lproj directory (or whichever languages you need to affect) is writable in 10.11. There are existing exclusions in SIP to allow those to be modified. So again, I have no idea how you've been trying to edit that location, but you should rethink it since it's possible to modify it without disabling SIP.

ajtcable
New Contributor II

I've found that creating a default account and using a script that copies changes to the English.lproj works very well, even in El Capitan. The only hitch is you must delete the keychains created in the default account. Otherwise, you get login item keychain issues. There is a group of scripts out there that can do this work for you if you follow the procedures correctly. I've had no problem creating a preconfigured environment for my guest and domain users. This technique is robust and allows for configurations specific to department, et al. One issue is that to fully define an environment, you have to use monolithic images. Thin imaging and heavy scripting will not accomplish the same goal without a ton of front-end work. As I am not a heavy scripter, I can do the work as quickly in this fashion. SIP has only caused me issues on the netbooting of my JAMF and DeployStudio shells. And that is where I am doing most of my experimenting at this time.

ajtcable
New Contributor II

I should clarify that you want to delete the keychains from the English.lproj, not the default account. I leave the default account intact so that as things are updated, I can simply make minor changes to the default account, then run the script as root and delete the keychains again. Then, as in my labs, most are configured for guest user use, the environment is changed for the next user to log in. Keep in mind, this DOES NOT alter existing domain or local users. I've not yet experimented with FEU (Fill Existing Users) for this concept.
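The script-based approach mm2270 and ajtcable describe (copy a preconfigured local account into the User Template, then strip its keychains so new users don't inherit another account's secrets), written out as an added example that is not from any poster or from Jamf. The source home and the template folder are passed in as parameters and are assumptions; on a 10.11 build machine you would run it as root with the destination set to "/System/Library/User Template/English.lproj".

```shell
#!/bin/sh
# Added example: build a User Template from a preconfigured local account.
set -eu

# sync_user_template SRC_HOME DST_TEMPLATE
# Copies SRC_HOME into DST_TEMPLATE, removes the per-account keychains, and
# when running as root resets ownership to root:wheel (uid 0 / gid 0), which
# is what the OS expects before it copies the template for a new user.
sync_user_template() {
    src="$1"
    dst="$2"
    [ -d "$src" ] || { echo "source home not found: $src" >&2; return 1; }
    mkdir -p "$dst"
    # -R copies the whole tree, -p keeps modes so scripts stay executable
    cp -Rp "$src"/. "$dst"/
    # Keychains are tied to the source account; every new user would inherit
    # them and then hit the login-item keychain prompts ajtcable mentions.
    rm -rf "$dst/Library/Keychains"
    mkdir -p "$dst/Library/Keychains"
    # Ownership of the template itself stays with root; the OS chowns the
    # per-user copy at first login, so no per-machine chown is needed.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R 0:0 "$dst"
    fi
}

# template_has_keychains DST -> exit 0 if any keychain file is left behind
template_has_keychains() {
    [ -n "$(find "$1/Library/Keychains" -type f 2>/dev/null | head -n 1)" ]
}

# count_template_files DST -> number of regular files copied into the template
count_template_files() {
    find "$1" -type f | wc -l | tr -d ' '
}
```

Re-run it after each change to the default account; it rebuilds the template from scratch, so stale files from earlier runs do not accumulate.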