Posted on 01-05-2017 01:12 PM
Stop me if you've already posted this, but I couldn't find anyone talking about it already, which may have just been how I was trying to search. As always, standing on the shoulders of giants, in this case, Per Olofsson's CreateUserPkg. Been using it to deploy one of our hidden service accounts during build with AutoDMG. With ≤10.11 it's always worked to hide our service account if the User ID is sub-500.
Starting with testing out an image for 10.12, the User is not hidden. It does create the home directory where we want it (in this case /var/hiddenuser), but it's presented at the login screen, even after rebooting, and it's listed as a user under System Preferences > Users & Groups. Is anyone else encountering this? I could go back and script out JAMF creating/hiding the user, but the CreateUserPkg was a clean, easy way to do it during an image build.
I can probably, easily I would guess, push something along the lines of
sudo dscl . create /var/hiddenuser IsHidden 1
but having to run that after the fact seems less than ideal to me.
Solved! Go to Solution.
Posted on 01-05-2017 05:32 PM
What output do you get if you run this command on the Mac after imaging?
defaults read /Library/Preferences/ HiddenUsersList
If I'm not mistaken, an account will only show up as hidden if the account gets added to that specific HiddenUsersList
array in the root Library loginwindow.plist. I don't think its enough for it to have its home directory in a location like /private/var/
I'm not sure if CreateUserPkg does that, but I'm guessing it should do it automatically if you specify the account should be hidden when building out the pkg. Maybe that array isn't being modified for some reason under 10.12? I've used CreateUserPkg before, successfully, but I'll admit I have not used it against 10.12.x yet.
There's also the Hide500Users
value in that same plist, that I think needs to be set to "1" or true.
Posted on 01-05-2017 05:32 PM
What output do you get if you run this command on the Mac after imaging?
defaults read /Library/Preferences/ HiddenUsersList
If I'm not mistaken, an account will only show up as hidden if the account gets added to that specific HiddenUsersList
array in the root Library loginwindow.plist. I don't think its enough for it to have its home directory in a location like /private/var/
I'm not sure if CreateUserPkg does that, but I'm guessing it should do it automatically if you specify the account should be hidden when building out the pkg. Maybe that array isn't being modified for some reason under 10.12? I've used CreateUserPkg before, successfully, but I'll admit I have not used it against 10.12.x yet.
There's also the Hide500Users
value in that same plist, that I think needs to be set to "1" or true.
Posted on 01-06-2017 04:41 AM
Historically there have been several ways to hide a user (as mm2270 describes); uid<500 (was originally enough, later it required Hide500Users to be added into loginwindow.plist), the HiddenUsersList and more.
Recently the IsHidden
attribute is introduced, maybe the older do no longer work?
See Apple's kbase HT203998
Your command should not use /var/hiddenuser but /Users/hiddenuser since it refers to DirectoryServices structure.
And as a side note: Per, the author or CreateUserPkg has offered the project for adoption, so do not expect updates from Per soon.
I use DeployStudio, and their script is usable to make your own; it is supposed to work on Sierra (not tested)
On systems with DS installed : find it here:
and copied here for reference:
# disable history characters
SCRIPT_NAME=`basename "${0}"`
echo "${SCRIPT_NAME} - v1.18 ("`date`")"
# Usage: ${SCRIPT_NAME} $1 $2 $3 [$4 $5 $6 $7]
# $1 -> realname
# $2 -> shortname
# $3 -> password
# $4 -> admin (YES/NO)
# $5 -> hidden (YES/NO)
# $6 -> localization (English, French, etc...)
# $7 -> uidNumber
# create the default user
if [ "_YES" == "_${USER_HIDDEN}" ]
if [ ! -d "/var/.home" ]
mkdir "/var/.home"
chown root:admin "/var/.home"
chmod 775 "/var/.home"
if [ -n "${USER_SHORTNAME}" ]
if [ -n "${USER_UID}" ]
SAME_UID=`dscl /Local/Default -list /Users uid | awk '{ print "+"$2"+" }' | grep "+${USER_UID}+"`
if [ -n "${SAME_UID}" ]
USER_UID=`dscl /Local/Default -list /Users uid | awk '{ print $2 }' | sort -n | tail -n 1`
USER_UID=`expr ${USER_UID} + 1`
if [ ${USER_UID} -lt 501 ]
echo " Creating user '${USER_SHORTNAME}' with uid=${USER_UID} !" 2>&1
dscl /Local/Default -delete users/${USER_SHORTNAME} >/dev/null 2>&1
dscl /Local/Default -create users/${USER_SHORTNAME}
dscl /Local/Default -create users/${USER_SHORTNAME} uid "${USER_UID}"
dscl /Local/Default -create users/${USER_SHORTNAME} gid 20
dscl /Local/Default -create users/${USER_SHORTNAME} GeneratedUID `/usr/bin/uuidgen`
dscl /Local/Default -create users/${USER_SHORTNAME} home "${USER_HOME}"
dscl /Local/Default -create users/${USER_SHORTNAME} shell "/bin/bash"
dscl /Local/Default -create users/${USER_SHORTNAME} _writers_UserCertificate "${USER_SHORTNAME}"
dscl /Local/Default -create users/${USER_SHORTNAME} _writers_hint "${USER_SHORTNAME}"
dscl /Local/Default -create users/${USER_SHORTNAME} _writers_jpegphoto "${USER_SHORTNAME}"
dscl /Local/Default -create users/${USER_SHORTNAME} _writers_passwd "${USER_SHORTNAME}"
dscl /Local/Default -create users/${USER_SHORTNAME} _writers_picture "${USER_SHORTNAME}"
dscl /Local/Default -create users/${USER_SHORTNAME} _writers_realname "${USER_SHORTNAME}"
if [ -e "/Library/User Pictures/Fun/Gingerbread Man.tif" ]
dscl /Local/Default -create users/${USER_SHORTNAME} picture "/Library/User Pictures/Fun/Gingerbread Man.tif"
if [ -e "/Library/User Pictures/Animals/Butterfly.tif" ]
dscl /Local/Default -create users/${USER_SHORTNAME} picture "/Library/User Pictures/Animals/Butterfly.tif"
if [ -n "${USER_REALNAME}" ]
dscl /Local/Default -create users/${USER_SHORTNAME} realname "${USER_REALNAME}"
dscl /Local/Default -create users/${USER_SHORTNAME} realname "${USER_SHORTNAME}"
if [ -n "${USER_PASSWORD}" ]
dscl /Local/Default -passwd /Users/${USER_SHORTNAME} "${USER_PASSWORD}"
dscl /Local/Default -passwd /Users/${USER_SHORTNAME} ""
if [ "_YES" = "_${USER_ADMIN}" ]
echo " Setting admin properties" 2>&1
dscl /Local/Default -append groups/admin users "${USER_SHORTNAME}"
# Enable all ARD privileges
dscl /Local/Default -create users/${USER_SHORTNAME} naprivs -1073741569
echo " Creating local home directory" 2>&1
HOMES_ROOT=`dirname "${USER_HOME}"`
if [ -d "${HOMES_ROOT}" ] && [ -d "/System/Library/User Template" ]
if [ -d "/System/Library/User Template/${USER_LOCALE}.lproj" ]
ditto --rsrc "/System/Library/User Template/${USER_LOCALE}.lproj" "${USER_HOME}"
ditto --rsrc "/System/Library/User Template/English.lproj" "${USER_HOME}"
chown -R ${USER_UID}:20 "${USER_HOME}"
if [ "_YES" == "_${USER_HIDDEN}" ]
defaults write /Library/Preferences/ HiddenUsersList -array-add "${USER_SHORTNAME}"
chmod 644 /Library/Preferences/
chown root:admin /Library/Preferences/
Posted on 01-06-2017 04:57 AM
FWIW - the project is no longer being maintained.
But you can adopt it if you like.
Posted on 01-06-2017 05:03 AM
@dpertschi I saw that the other day before I started playing with 10.12. I had my fingers crossed enough hadn't changed from 10.11 to 10.12 that it wouldn't be an issue. I may go back to the jamf binary to do it all for me.
Posted on 01-06-2017 01:16 PM
@mm2270 It appears it's not getting set in the install, as my output is this.
MacBook-Air:~ admin$ defaults read /Library/Preferences/ HiddenUsersList
2017-01-06 12:32:37.532 defaults[659:12308]
The domain/default pair of (/Library/Preferences/, HiddenUsersList) does not exist
MacBook-Air:~ admin$ defaults read /Library/Preferences/
GuestEnabled = 0;
OptimizerLastRunForBuild = 33687680;
OptimizerLastRunForSystem = 168559104;
lastUser = loggedIn;
lastUserName = admin;
MacBook-Air:~ admin$
Given that everything for the user is there, I will just test out whether it seems easier to run a first run script to hide the existing user, or remove it completely from my image and let JAMF create it.
Posted on 01-06-2017 01:22 PM
And comparing it to a managed workstation that was updated from 10.11 to 10.12, that looks like the key is missing.
$ defaults read /Library/Preferences/ HiddenUsersList
2017-01-06 16:21:10.891 defaults[51336:1098983]
The domain/default pair of (/Library/Preferences/, HiddenUsersList) does not exist
$ defaults read /Library/Preferences/ Hide500Users
Posted on 01-06-2017 01:26 PM
@easyedc Yeah, its kind of a toss up. I mean, the point of using something like CreateUserPkg in the first place would be to have a single pkg install that can create that user for you and hide it, if so desired. If you need to start adding post scripts to actually hide the account, it might just be easier to move to the jamf binary and some scripts to create the account and skip the package route.
I wasn't aware if was put up for adoption. Hopefully someone will pick up the reins for CreateUserPkg and make it work on current and future OSes. It was useful while it lasted.
Posted on 01-06-2017 01:33 PM
@mm2270 You're definitely correct in your statement. Given that the user is a management account for our network access control (Forescout agent) it would be able to be installed post JAMF setup as long as we build on an approved build segment. The only advantage in the past was that if a workstation managed to find its way to our floor without being properly configured, if it was my image, it'd work. If it was something someone went out and bought, they'd get blocked.
defaults write /Library/Preferences/ Hide500Users 1
Did solve it. I may, for the time being, just write out a policy to execute that once and not worry about it.