Question

Creating a new user from Self Service


Forum|alt.badge.img+7

Since encrypting our Macs using FileVault we have been faced with a headache when a new user/Freelance user needs to log in to them. Historically on a Monday morning the user could log in using the traditional name/password login window but now with encryption you can only log in with a user account that has logged in previously.
Last week I was set with the task of doing something about it. I wanted to find a way that I could get a user account created from Self Service, where a user could log in on a Friday afternoon and run a policy that would create a user and enable the user in FileVault. Please see below the script I created to do the job. You must have CocoaDialog installed, which does a brilliant job of requesting the username and password. Thanks to @stevewood for the FileVault plist part of the script.

#!/bin/bash
# Joe Thurwood 17/09/2014
#
# Create new user script, used in Self Service.
# This script will create a new mobile user account based on
# the credentials supplied. It also enables the user in FileVault.
#
# $4 and $5 are Jamf policy script parameters: the name and password
# of an account that is already enabled for FileVault.

# Set cocoaDialog location
CD="/private/etc/Ogilvy/Applications/CocoaDialog.app/Contents/MacOS/CocoaDialog"

# Dialog to enter the user name and create the $USERNAME variable.
# CocoaDialog prints the button code (1 = OK, 2 = Cancel) on line 1 and
# the entered text on line 2, so read it line by line rather than word by
# word, otherwise a value containing a space is cut short.
rv=$("$CD" standard-inputbox --title "Username" --no-newline --informative-text "Enter the name of the new user to add")
button=$(printf '%s\n' "$rv" | sed -n '1p')
USERNAME=$(printf '%s\n' "$rv" | sed -n '2p')

if [ "$button" = "1" ]; then echo "User said OK"
else echo "Cancelling"; exit 1
fi

# Dialog to enter the password and create the $PASSWORD variable
rv=$("$CD" secure-standard-inputbox --title "Password" --no-newline --informative-text "Enter the password of the new user to add")
button=$(printf '%s\n' "$rv" | sed -n '1p')
PASSWORD=$(printf '%s\n' "$rv" | sed -n '2p')

if [ "$button" = "1" ]; then echo "User said OK"
else echo "Cancelling"; exit 1
fi

# Create the mobile account. createmobileaccount fails if the name or
# password is not accepted by the directory, so stop here instead of
# going on to add an account nobody can unlock FileVault with.
if ! sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n "$USERNAME" -p "$PASSWORD" > /dev/null 2>&1; then
    echo "createmobileaccount failed for $USERNAME"
    exit 1
fi

# Create the FileVault plist file. It holds two plaintext passwords for a
# moment, so make it readable by root only.
umask 077
echo '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Username</key>
<string>'"$4"'</string>
<key>Password</key>
<string>'"$5"'</string>
<key>AdditionalUsers</key>
<array>
<dict>
<key>Username</key>
<string>'"$USERNAME"'</string>
<key>Password</key>
<string>'"$PASSWORD"'</string>
</dict>
</array>
</dict>
</plist>' > /tmp/fvenable.plist

# Now add the user to FileVault
sudo fdesetup add -i < /tmp/fvenable.plist
rc=$?

# Remove fvenable.plist, then report the result of fdesetup to the policy
rm -f /tmp/fvenable.plist
exit $rc

13 replies

  • Contributor
  • 52 replies
  • September 22, 2014

Great work Joe. Nice you're still on this.


  • Author
  • Contributor
  • 52 replies
  • September 23, 2014

Thanks Raul, I hope you're well.


  • Jamf Heroes
  • 35 replies
  • September 23, 2014

Thank You!


jhbush
  • Esteemed Contributor
  • 539 replies
  • September 23, 2014

@jthurwood, just so I'm clear, does this work for domain accounts only, or can you create accounts named whatever you want? I'm guessing domain only, and thanks for posting this very nice example of CD.


mm2270
  • Legendary Contributor
  • 7883 replies
  • September 23, 2014

Looks like it's for domain accounts only, since it's using createmobileaccount, which only works on creating accounts based in AD or some other directory service.

The only thing I want to point out with some of these scripts is that no one seems to be verifying the password against the actual account to make sure it's the right password. I'm not certain how safe it is to rely on the end user to enter the correct password and then create the account and add it to FileVault. If someone miskeys something by accident, you've created and added an account that the actual user cannot log into come time for them to. I believe FileVault will take whatever password you pass to the XML file when adding the user, and that will become the only password accepted at the pre-boot unlock screen for that account. I may be wrong on that last part, but I don't know that it actually verifies the account against AD.

There are ways of verifying an AD account name and password are accurate. If you'd like an example of how to do that I can post a script I have that uses CD to do that.


jhbush
  • Esteemed Contributor
  • 539 replies
  • September 23, 2014

@mm2270 I was wondering that myself after I realized the script was using createmobileaccount. Please post your account and password check when you get a chance. I'm still trying to make better use of CD.


  • Author
  • Contributor
  • 52 replies
  • September 23, 2014

@jhbush1973 This uses the createmobileaccount syntax so would only add accounts from AD.

@mm2270 If the user inputs the wrong password, the account cannot be verified against AD and the policy will fail. At least that's how I expect it to work. An example of how you can verify would be useful though.

Thanks

Joe


jhbush
  • Esteemed Contributor
  • 539 replies
  • September 23, 2014

@jthurwood and @mm2270 yes it fails if you enter the wrong username or wrong password.


mm2270
  • Legendary Contributor
  • 7883 replies
  • September 23, 2014

Ah, my mistake then. I see that you have the password entered as part of the createmobileaccount line, which indeed would fail if the wrong password is entered, so you're correct. I didn't see that before. That should be verification enough.
Although, what actually happens at that point? Do they just re-run the SS policy? I have not run your script, so I'm just wondering.


  • Honored Contributor
  • 970 replies
  • September 22, 2015

This is great, but it's just been pointed out to me that it doesn't work if the user's AD password has a space in it :(

Any idea how to make it work with spaces?


  • Contributor
  • 96 replies
  • September 23, 2015

dscl /Local/Default -authonly "$username" "$password"

Exit status will reflect whether the password is correct or not.

This will work for any directory service the Mac is bound to, so local users, AD and OD.


  • Honored Contributor
  • 970 replies
  • September 24, 2015

Ok great. How can I use that in the script and make CD work with a password which has spaces in it?


  • Contributor
  • 43 replies
  • October 20, 2015

tkimpton,

"$CD"
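Added example that pulls the thread together; it is not the original poster's script and not Jamf- or Apple-supplied code. It reads CocoaDialog's output line by line so a password with spaces survives, checks the credentials with dscl -authonly before createmobileaccount touches anything, and XML-escapes both passwords before they go into the fdesetup plist, since a password containing & or < would otherwise produce a plist fdesetup cannot parse. Assumptions: CocoaDialog at the same path as the original script, the FileVault-enabled admin account passed as Jamf script parameters $4 and $5, execution as root from a Self Service policy, and dscl pointed at the /Search node (the whole search path) rather than the /Local/Default node from the reply above. The helper functions run in any shell; only main() needs a Mac.

```bash
#!/bin/bash
# Added example, not the original poster's script. Assumes: CocoaDialog at
# the path below, Jamf passing a FileVault-enabled admin's name and password
# as $4 and $5, and execution as root from a Self Service policy. The
# helper functions are portable shell; only main() needs macOS.

CD="/private/etc/Ogilvy/Applications/CocoaDialog.app/Contents/MacOS/CocoaDialog"

# CocoaDialog prints the button code on line 1 and the entered text on
# line 2. Split by line, not by word, so a value with spaces survives.
cd_button() { printf '%s\n' "$1" | sed -n '1p'; }
cd_value()  { printf '%s\n' "$1" | sed -n '2p'; }

# Escape the five XML special characters. Splicing a raw password into the
# plist breaks (or ends early) the <string> element when it contains & < > " '.
# & is replaced first so the entities added afterwards are not re-escaped.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                         -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Write the fdesetup input plist to stdout.
# Args: admin user, admin password, new user, new password.
build_fv_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Username</key>
  <string>$(xml_escape "$1")</string>
  <key>Password</key>
  <string>$(xml_escape "$2")</string>
  <key>AdditionalUsers</key>
  <array>
    <dict>
      <key>Username</key>
      <string>$(xml_escape "$3")</string>
      <key>Password</key>
      <string>$(xml_escape "$4")</string>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# Check the credentials against every directory node in the search path
# before creating anything. dscl exits 0 only when the password is right.
verify_credentials() {
  dscl /Search -authonly "$1" "$2" >/dev/null 2>&1
}

# Ask for a value with CocoaDialog; print it, or fail if the user cancelled.
prompt() {  # $1 = inputbox type, $2 = title, $3 = prompt text
  rv=$("$CD" "$1" --title "$2" --no-newline --informative-text "$3")
  [ "$(cd_button "$rv")" = "1" ] || return 1
  cd_value "$rv"
}

main() {
  admin_user="$4" admin_pass="$5"
  new_user=$(prompt standard-inputbox "Username" "Enter the name of the new user to add") || exit 1
  new_pass=$(prompt secure-standard-inputbox "Password" "Enter the password of the new user to add") || exit 1

  if ! verify_credentials "$new_user" "$new_pass"; then
    "$CD" ok-msgbox --title "Login failed" --no-newline \
      --text "Username or password not accepted by the directory. Nothing was changed."
    exit 1
  fi

  /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount \
    -n "$new_user" -p "$new_pass" >/dev/null 2>&1 || exit 1

  # Keep the plaintext passwords out of a world-readable file, even briefly.
  umask 077
  tmp=$(mktemp /private/tmp/fvenable.XXXXXX) || exit 1
  build_fv_plist "$admin_user" "$admin_pass" "$new_user" "$new_pass" > "$tmp"
  fdesetup add -i < "$tmp"
  rc=$?
  rm -f "$tmp"
  exit "$rc"
}

# Run the interactive flow only where CocoaDialog is installed, so the
# helpers above can also be sourced on their own.
if [ -x "$CD" ]; then
  main "$@"
fi
```

Because the dscl check runs before createmobileaccount, a mistyped password stops the policy with a dialog and nothing is created, which answers the "what happens at that point" question: the user simply runs the Self Service policy again.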



