Create Admin Account on Mac

IndianaChris
New Contributor II

I know there is an account created when the device is enrolled into Jamf but we would like to create another admin account when the device is being enrolled and also to all the current devices we have enrolled. What is the best way to do this?


Errick_Pfuhl
New Contributor III

We have a policy running the following command in "Files and Processes" (edited for anonymity). This is a hidden account though, so you may need to edit a bit.

jamf createAccount -username adminuser -realname AdminUser -password AdminPassword -home /private/var/adminuser -shell "/bin/bash" -hiddenUser -admin

arpierson
New Contributor III

Here's the script we use to do this:

#!/bin/bash
# Creates the 'jamfadmin' user record (runs as root from a Jamf policy)
dscl . -create /Users/jamfadmin
dscl . -create /Users/jamfadmin UserShell /bin/bash
dscl . -create /Users/jamfadmin RealName "jamfadmin"
# UID below 500 so the account is covered by Hide500Users (see below)
dscl . -create /Users/jamfadmin UniqueID "401"
dscl . -create /Users/jamfadmin PrimaryGroupID 20   # 20 = staff
dscl . -create /Users/jamfadmin NFSHomeDirectory /var/jamfadmin
# The password sits in clear text in this script and on the command line; treat the script as a secret
dscl . -passwd /Users/jamfadmin YourPasswordHere

# Creates the home folder and hands it to the new user
mkdir -p /var/jamfadmin
chown -R jamfadmin:staff /var/jamfadmin

# Makes 'jamfadmin' a local admin
dscl . -append /Groups/admin GroupMembership jamfadmin

# Hide user (hides every account with UID < 500 from the login window)
defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool YES

# Gives SSH access to 'jamfadmin' (the -u/-P admin credentials are not required when this runs as root)
dseditgroup -o edit -n /Local/Default -u ExistingAdminAccount -P ExistingAdminPassword -a jamfadmin -t user com.apple.access_ssh

Setting the UniqueID to 401 and then hiding sub-500 users makes the account hidden, if you want that. If not, just delete those lines from the script and allow macOS to auto-assign the UniqueID.

IndianaChris
New Contributor II

When I use the above script I get "Error running script: return code was 64."

valentin_peralt
New Contributor III

@arpierson Would this work with Catalina? I need to run something like this on a few MacBooks now because I just noticed the admin is not being created during enrollment anymore.

arpierson
New Contributor III

@valentin.peralta It seems that it doesn't work perfectly on Catalina, but still seems to get the job done. I haven't visited this script yet on our client machines on Catalina, but just tried it on my work Mac Mini. It threw an eDSPermissionError and reported that it failed to set the credentials, but the user did get created and I was able to log in with the account and password that I set in the script.
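As an added example that is not from any post in this thread: a consolidated version of the dscl approach above for a Jamf policy script. It assumes it runs as root, that the account name is `jamfadmin`, and that the password is passed in as Jamf script parameter $4 rather than hard-coded; instead of hard-coding UID 401 it picks the first free UID in 401-499, uses `sysadminctl -addUser` (which sets the password as part of record creation, so there is no separate `dscl -passwd` step of the kind that threw the eDSPermissionError above), hides the account with the `IsHidden` attribute, and then verifies the end state instead of trusting exit codes. The two helper functions at the top are pure shell so they can be checked off-device.

```bash
#!/bin/bash
# Added example, not code from the thread. Assumptions: runs as root from a
# Jamf policy, password arrives as script parameter $4, account name below.
set -euo pipefail

ACCOUNT="jamfadmin"                 # assumed account name
REALNAME="Jamf Admin"               # assumed display name
HOMEDIR="/private/var/${ACCOUNT}"
PASSWORD="${4:-}"                   # Jamf passes custom parameters as $4..$11

# First UID in [lo, hi] not present in the space-separated list of used UIDs.
# Pure function: the posted script hard-codes 401, which fails if it is taken.
next_free_uid() {
  lo="$1"; hi="$2"; used="$3"
  uid="$lo"
  while [ "$uid" -le "$hi" ]; do
    case " ${used} " in
      *" ${uid} "*) uid=$((uid + 1)); continue ;;
    esac
    printf '%s\n' "$uid"
    return 0
  done
  return 1
}

# Account names are used unquoted in directory paths; allow only a safe set.
valid_account_name() {
  printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,30}$'
}

user_exists() { dscl . -read "/Users/$1" >/dev/null 2>&1; }

create_hidden_admin() {
  [ -n "$PASSWORD" ] || { echo "no password supplied in \$4" >&2; return 2; }
  valid_account_name "$ACCOUNT" || { echo "unsafe account name" >&2; return 2; }

  if user_exists "$ACCOUNT"; then
    echo "${ACCOUNT} already exists; leaving record alone"
  else
    used_uids="$(dscl . -list /Users UniqueID | awk '{print $2}' | tr '\n' ' ')"
    uid="$(next_free_uid 401 499 "$used_uids")"
    # Creates the record, sets the password and adds admin rights in one step.
    sysadminctl -addUser "$ACCOUNT" -fullName "$REALNAME" -UID "$uid" \
      -shell /bin/bash -home "$HOMEDIR" -password "$PASSWORD" -admin
    # Hides the account from the login window and Users & Groups without
    # relying on Hide500Users, which hides every sub-500 account.
    dscl . -create "/Users/${ACCOUNT}" IsHidden 1
  fi

  mkdir -p "$HOMEDIR"
  chown -R "${ACCOUNT}:staff" "$HOMEDIR"
  chmod 750 "$HOMEDIR"

  # Verify the end state: admin membership and the hidden flag.
  dseditgroup -o checkmember -m "$ACCOUNT" admin >/dev/null
  [ "$(dscl . -read "/Users/${ACCOUNT}" IsHidden | awk '{print $2}')" = "1" ]
  echo "${ACCOUNT} present, admin, hidden"
}

# Uncomment to run from a Jamf policy:
# create_hidden_admin
```

Like every variant in this thread, the password still appears on the `sysadminctl` command line, so it is visible to `ps` for the moment the command runs and to anyone who can read the policy; the script only avoids baking it into the file itself.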

valentin_peralt
New Contributor III

@arpierson Thanks for the prompt response. I will give it a try and see what happens. I have two new MacBooks with no admin account for some reason. I need to use a workaround while they find the root cause.

aporter
New Contributor II

This functionality is built into the Prestage Enrollment section in Jamf Pro. Here is a link to the discussion where I found this: https://www.jamf.com/jamf-nation/discussions/30574/local-admin-needed-before-user-account#responseChild201984

ray_henry
New Contributor II

I use this script. Works like a charm.

sudo /usr/local/bin/jamf createAccount -username User -realname "HiddenAdmin" -password password -home /var/netadmin -hiddenUser -admin -secureSSH

Change the username, real name, password and home path to whatever you want.

user-JMBZcPKoRT
New Contributor

You can do this directly in Polices within Jamf Pro now under "Local Accounts". https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Local_Accounts.html

adl-gavinator
New Contributor III

@user-JMBZcPKoRT It's not hidden though. You would have to use the script for that.