Creating a FileVault User that is Hidden and Cannot Log into OSX

HNTIT
Contributor II

Has anyone tried to do this?

I want to create a user (let's call it VAULT).
The VAULT account needs to be enabled for FV2 and therefore have a secure token so it can unlock the machine, but I don't want it to be usable to actually get into the Mac, mainly to safeguard against it being used to unlock FV2 and then auto-login to the machine. (Auto-login needs to stay enabled for the machine.)

It would also be handy to hide it from the user log in screen.

Anyone have any clues?

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor III

Assuming the account is using the default shell (/bin/bash), then you would do something like this:

sudo dscl . change /Users/vault UserShell /bin/bash /usr/bin/false

Make sure to change vault to whatever the short name is of the account.

If you're not sure if it's using /bin/bash, though it should unless you specifically changed it, you can read the value with:

dscl . read /Users/vault UserShell


4 REPLIES

mm2270
Legendary Contributor III

Not possible to hide it. I'd love to do it as well, but the moment any account becomes FV2 enabled, it shows up at the login screen. This is primarily because Apple never was able to (or never bothered to) enable an option for the FV2 login screen to use Username/Password versus List of Users as the view. So any FileVault account will show up as an icon at that FV2 screen. It's not possible to hide them from the user booting up the machine.

As for not allowing it to actually login to the Mac, this is a long shot, and I have a sneaky feeling this won't work, but in the past, I've disabled accounts from being able to login by changing their shell value in directory services to /usr/bin/false. This effectively prevents the full login from occurring, since any account must have a valid shell value to be used. You could try that, but it's possible it will get removed from the FileVault list when you do that. I don't know for sure, just speculating, as I've never tried that.

HNTIT
Contributor II

Do you have a command I can bung in a script to change that value?


ifbell
Contributor

What we do is use a JAMF policy to create the account and then the same policy runs this bit of script at the end.

sudo chpass -s /usr/bin/false VAULT
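The accepted dscl answer and the chpass one-liner above both set the account's shell to /usr/bin/false but leave the two checks a practitioner would want to the reader: confirming the shell actually changed, and confirming the account is still listed by fdesetup afterwards (the point mm2270 was unsure about). The script below is an added example, not code from any of the posters or from Jamf; it assumes the macOS tools dscl(1) and fdesetup(8), takes the account short name as its first argument, and uses `dscl . create` to overwrite UserShell so the old shell does not have to be known in advance. The parsing helpers are separated out so the logic can be exercised on constructed command output without a Mac.

```bash
#!/bin/bash
# Added example (not from the original thread): lock an FV2-enabled account out of
# interactive login by giving it a non-shell, then verify the change and that the
# account is still FileVault-enabled. Assumes dscl(1) and fdesetup(8) are present
# and that the script runs with sudo rights. Usage: ./lock_vault_shell.sh vault
set -eu

NOLOGIN_SHELL=/usr/bin/false

# Extract the shell path from `dscl . read /Users/<name> UserShell` output,
# which is a single line of the form "UserShell: /bin/bash".
parse_user_shell() {
    printf '%s\n' "$1" | awk '/^UserShell:/ { print $2 }'
}

# Return 0 if the short name appears in `fdesetup list` output, which prints
# one "shortname,GeneratedUID" line per FileVault-enabled user.
fv_enabled_user() {
    user="$1"
    list="$2"
    printf '%s\n' "$list" | awk -F, -v u="$user" '$1 == u { found = 1 } END { exit !found }'
}

lock_shell() {
    user="$1"

    # Account must exist in the local directory node before we touch it.
    dscl . read "/Users/$user" RecordName >/dev/null 2>&1 || {
        echo "no local account named $user" >&2
        return 1
    }

    current="$(parse_user_shell "$(dscl . read "/Users/$user" UserShell)")"
    echo "current shell for $user: ${current:-<unset>}"

    # `create` overwrites the attribute whatever its present value, so unlike
    # `dscl . change OLD NEW` it does not fail if the old shell was not /bin/bash.
    sudo dscl . create "/Users/$user" UserShell "$NOLOGIN_SHELL"

    after="$(parse_user_shell "$(dscl . read "/Users/$user" UserShell)")"
    [ "$after" = "$NOLOGIN_SHELL" ] || {
        echo "shell change failed: UserShell is now '$after'" >&2
        return 1
    }
    echo "UserShell for $user is now $after"

    # Check the account still unlocks FileVault; if this warns, the shell change
    # had the side effect mm2270 speculated about and the account needs re-adding.
    if fv_enabled_user "$user" "$(sudo fdesetup list)"; then
        echo "$user is still FileVault-enabled"
    else
        echo "WARNING: $user is no longer listed by fdesetup" >&2
        return 2
    fi
}

if [ "${1-}" ]; then
    lock_shell "$1"
fi
```

Run it once against the account and then actually try the two logins the original poster cares about (FV2 unlock at boot, then the login window) rather than trusting the exit code alone; whether /usr/bin/false blocks the graphical login is exactly what the thread leaves unconfirmed, so the script only reports, it does not decide.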