I know there is an account created when the device is enrolled into Jamf but we would like to create another admin account when the device is being enrolled and also to all the current devices we have enrolled. What is the best way to do this?
We have a policy running the following command in "Files and Processes" (edited for anonymity). This is a hidden account though, so you may need to edit a bit.
jamf createAccount -username adminuser -realname AdminUser -password AdminPassword -home /private/var/adminuser -shell "/bin/bash" -hiddenUser -admin
Here's the script we use to do this:
# Creates 'jamfadmin' user
dscl . -create /Users/jamfadmin
dscl . -create /Users/jamfadmin UserShell /bin/bash
dscl . -create /Users/jamfadmin RealName "jamfadmin"
dscl . -create /Users/jamfadmin UniqueID "401"
dscl . -create /Users/jamfadmin PrimaryGroupID 20
dscl . -create /Users/jamfadmin NFSHomeDirectory /var/jamfadmin
dscl . -passwd /Users/jamfadmin YourPasswordHere

# Creates home folder
mkdir /var/jamfadmin
chown -R jamfadmin /var/jamfadmin

# Makes 'jamfadmin' a local admin
dscl . -append /Groups/admin GroupMembership jamfadmin

# Hide user
defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool YES

# Gives SSH access to 'jamfadmin'
dseditgroup -o edit -n /Local/Default -u ExistingAdminAccount -P ExistingAdminPassword -a jamfadmin -t user com.apple.access_ssh
Setting the UniqueID to 401 and then hiding sub-500 users makes the account hidden if you want that. If not, just delete those lines from the script and allow macOS to auto-assign the UniqueID.
@valentin.peralta It seems that it doesn't work perfectly on Catalina, but still seems to get the job done. I haven't visited this script yet on our client machines on Catalina, but just tried it on my work Mac mini. It threw an eDSPermissionError and reported that it failed to set the credentials, but the user did get created and I was able to log in with the account and password that I set in the script.
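The dscl script above hard-codes UID 401 and the password, and re-running it on an already-enrolled Mac fails half-way. The following is an added example (not code from this thread) that makes the same account creation idempotent, picks a free UID in the hidden 401-499 range from the machine's actual `dscl . -list /Users UniqueID` output, and reads the account name, real name and password from the Jamf script parameters $4-$6 instead of the script body; it assumes the policy runs as root, so `dseditgroup` needs no extra credentials.

```shell
#!/bin/sh
# Added example: idempotent hidden local-admin creation for a Jamf policy script.
# Assumes: runs as root via Jamf; $4 = account name, $5 = real name, $6 = password.

# pick_free_uid MIN MAX  (reads "name uid" lines from stdin, e.g. dscl . -list /Users UniqueID)
# Prints the first UID in [MIN, MAX] not already used; exit 1 if the range is exhausted.
pick_free_uid() {
  local min="$1" max="$2" used uid
  used=$(awk '{print $2}')          # second column of each dscl line is the UID
  uid="$min"
  while [ "$uid" -le "$max" ]; do
    if ! printf '%s\n' "$used" | grep -qx "$uid"; then
      printf '%s\n' "$uid"
      return 0
    fi
    uid=$((uid + 1))
  done
  return 1
}

# create_hidden_admin NAME REALNAME PASSWORD  (macOS only; needs dscl/dseditgroup)
create_hidden_admin() {
  local name="$1" realname="$2" password="$3" home uid
  home="/private/var/$name"
  # Idempotent: a second run of the policy must not clobber an existing account.
  if dscl . -read "/Users/$name" >/dev/null 2>&1; then
    echo "user $name already exists; nothing to do"
    return 0
  fi
  uid=$(dscl . -list /Users UniqueID | pick_free_uid 401 499) || {
    echo "no free UID between 401 and 499" >&2; return 1; }
  dscl . -create "/Users/$name"
  dscl . -create "/Users/$name" UserShell /bin/bash
  dscl . -create "/Users/$name" RealName "$realname"
  dscl . -create "/Users/$name" UniqueID "$uid"
  dscl . -create "/Users/$name" PrimaryGroupID 20
  dscl . -create "/Users/$name" NFSHomeDirectory "$home"
  dscl . -passwd "/Users/$name" "$password"
  mkdir -p "$home" && chown -R "$name" "$home" && chmod 700 "$home"
  dseditgroup -o edit -a "$name" -t user admin      # root needs no -u/-P here
  defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool YES
}

# Jamf hands script parameters in as $4..$11; only act when they were supplied.
if [ -n "${4:-}" ]; then
  create_hidden_admin "$4" "$5" "$6"
fi
```

Because the password arrives as a policy parameter rather than sitting in the script body, it no longer shows up in every copy of the script pulled from the Jamf server.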