Solved

Creating a FileVault User that is Hidden and Cannot Log into OSX


  • Valued Contributor
  • 77 replies

Has anyone tried to do this?

I want to create a user (let's call it VAULT).
The VAULT account needs to be enabled for FV2, and therefore have a secure token, so it can unlock the machine, but I don't want it to be usable to actually get into the Mac, mainly to safeguard against it being used to unlock FV2 and then auto-login to the machine. (Auto-login needs to stay enabled for the machine.)

It would also be handy to hide it from the user log in screen.

Anyone have any clues?


4 replies

mm2270
  • Legendary Contributor
  • 7880 replies
  • November 28, 2018

Not possible to hide it. I'd love to do it as well, but the moment any account becomes FV2 enabled, it shows up at the login screen. This is primarily because Apple never was able to (or never bothered to) enable an option for the FV2 login screen to use Username/Password versus List of Users as the view. So any FileVault account will show up as an icon at that FV2 screen. It's not possible to hide them from the user booting up the machine.

As for not allowing it to actually log in to the Mac, this is a long shot, and I have a sneaky feeling this won't work, but in the past, I've disabled accounts from being able to log in by changing their shell value in directory services to /usr/bin/false. This effectively prevents the full login from occurring, since any account must have a valid shell value to be used. You could try that, but it's possible it will get removed from the FileVault list when you do that. I don't know for sure, just speculating, as I've never tried that.


  • Author
  • Valued Contributor
  • 77 replies
  • November 28, 2018

Do you have a command I can bung in a script to change that value?


mm2270
  • Legendary Contributor
  • 7880 replies
  • Answer
  • November 28, 2018

Assuming the account is using the default shell (/bin/bash), then you would do something like this:

sudo dscl . change /Users/vault UserShell /bin/bash /usr/bin/false

Make sure to change vault to whatever the short name is of the account.

If you're not sure if it's using /bin/bash, though it should unless you specifically changed it, you can read the value with:

dscl . read /Users/vault UserShell

  • Contributor
  • 61 replies
  • November 28, 2018

What we do is use a JAMF policy to create the account and then the same policy runs this bit of script at the end.

sudo chpass -s /usr/bin/false VAULT
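As an added example that is not part of the thread and not Jamf's or any poster's code: a script that does what mm2270's dscl command and the chpass one-liner above do, but wrapped in the checks a practitioner would want. It reads the account's current shell first (dscl change needs the old value as well as the new one), verifies the shell actually changed, and captures fdesetup list before and after so that mm2270's open question about the account dropping off the FileVault list is tested on the machine instead of guessed at. Assumptions: the short name is passed as the first argument (the thread uses vault), and the script runs as root, as it would from a Jamf policy.

```shell
#!/bin/sh
# Added example, not code from the thread: give a FileVault-enabled unlock-only
# account the shell /usr/bin/false so it cannot complete an interactive login,
# and verify the result. Assumes the short name is $1 (e.g. "vault") and that
# the script runs as root (a Jamf policy runs scripts as root).
set -eu

NOLOGIN_SHELL="/usr/bin/false"

# Pull the shell out of the "UserShell: /bin/bash" line that
# `dscl . read /Users/<name> UserShell` prints (read from stdin).
parse_user_shell() {
    sed -n 's/^UserShell:[[:space:]]*//p' | head -n 1
}

# `fdesetup list` prints one "shortname,UUID" line per FileVault-enabled user.
# Succeed if $1 is one of those names; $2 is the captured list output.
fv_enabled() {
    printf '%s\n' "$2" | cut -d, -f1 | grep -qxF -- "$1"
}

main() {
    if [ $# -lt 1 ]; then
        echo "usage: $0 <account-short-name>" >&2
        return 0    # nothing to do without an account name
    fi
    account="$1"
    record="/Users/$account"

    [ "$(id -u)" -eq 0 ] || { echo "dscl change needs root" >&2; return 1; }

    current="$(dscl . read "$record" UserShell | parse_user_shell)"
    if [ -z "$current" ]; then
        echo "$record has no UserShell; does the account exist?" >&2
        return 1
    fi

    before="$(fdesetup list)"
    fv_enabled "$account" "$before" ||
        echo "warning: $account is not FileVault-enabled (yet)" >&2

    if [ "$current" = "$NOLOGIN_SHELL" ]; then
        echo "$account already uses $NOLOGIN_SHELL"
    else
        # dscl change takes the old value followed by the new one.
        dscl . change "$record" UserShell "$current" "$NOLOGIN_SHELL"
    fi

    after="$(dscl . read "$record" UserShell | parse_user_shell)"
    [ "$after" = "$NOLOGIN_SHELL" ] ||
        { echo "shell is still '$after' after the change" >&2; return 1; }

    # The thread wondered whether this change drops the account from the
    # FileVault list; compare before and after instead of guessing.
    if fv_enabled "$account" "$before" && ! fv_enabled "$account" "$(fdesetup list)"; then
        echo "warning: $account vanished from 'fdesetup list' after the change" >&2
        return 1
    fi
    echo "$account: UserShell=$after"
}

main "$@"
```

Run it as `sudo sh lock_fv_shell.sh vault` (the script name is a placeholder) or drop it into the same Jamf policy that creates the account, after the creation step. A non-zero exit means either the shell change did not take or the account left the FileVault list, so the policy log will show which of the two happened.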



