DEP - Management Account Hidden?

ant89
Contributor

We just started noticing computers enrolled via DEP where the management account gets created with UID 501 and placed in /users/

We have not changed any settings. The Hide management account box is still checked in user initiated settings.

Although, if we go to Users & Groups in System Preferences, the management account does not show up (so that's good).

Normally it gets UID 80 and placed in /private/var/

Anyone else seeing this?


cgolebio
New Contributor III

@ant89 , what version of the JSS are you running?
I have not seen this issue on 9.100.0

ant89
Contributor

I am running JSS 9.101.0-t1504998263. I've also noticed this on my dev JSS running 10.1.1-t1513360285.

Are you enrolling via DEP? @cgolebio

cgolebio
New Contributor III

I am enrolling via DEP. Our new workflow lately is to restore via online recovery in the case of a "re-image" and have the PreStage kick in.

m_donovan
Contributor III

I am running JSS 9.101.3-t1507138812 and just checked 3 of my recently DEP enrolled devices and all of the management accounts are 80 and in /private/var. I will spot check some more and post if I find any different.
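An added example, not posted in this thread: a Jamf extension attribute script that performs the spot check described above on every inventory update, so a smart group can collect the Macs whose management account came up as UID 501 in /Users instead of UID 80 under /private/var. The account name "jamfadmin" is a placeholder; the classification rules are assumptions drawn from the thread's two observed outcomes.

```bash
#!/bin/bash
# Added example, not from this thread: Jamf extension attribute that reports
# whether the management account was provisioned the expected way (UID 80,
# home under /private/var) or the misplaced way reported in the thread
# (UID 501, home in /Users). "jamfadmin" is a placeholder account name.

MGMT_ACCOUNT="${MGMT_ACCOUNT:-jamfadmin}"

# Reduce a `dscl . -read /Users/<name> UniqueID NFSHomeDirectory` record to
# "<uid> <home>" on one line. Record lines look like "UniqueID: 501" and
# "NFSHomeDirectory: /Users/jamfadmin".
parse_dscl_record() {
    awk '$1 == "UniqueID:"         { uid = $2 }
         $1 == "NFSHomeDirectory:" { home = $2 }
         END                       { print uid, home }'
}

# Classify a (uid, home) pair. UID 80 with a home under /private/var (or the
# /var symlink) is what PreStage normally produces; UID 501 or higher with a
# home outside /var is the misplacement this thread is about.
classify_mgmt_account() {
    uid="$1"
    home="$2"
    case "$home" in
        /private/var/*|/var/*) home_in_var=1 ;;
        *)                     home_in_var=0 ;;
    esac
    if [ "$uid" = "80" ] && [ "$home_in_var" = "1" ]; then
        echo "expected"
    elif [ "${uid:-0}" -ge 501 ] && [ "$home_in_var" = "0" ]; then
        echo "misplaced"
    else
        echo "unknown"
    fi
}

# Read a dscl record from stdin and print its classification.
classify_record() {
    set -- $(parse_dscl_record)
    classify_mgmt_account "$1" "$2"
}

# Live record on a Mac; a constructed sample record anywhere else so the
# logic can be exercised off a Mac.
read_mgmt_record() {
    if command -v dscl >/dev/null 2>&1; then
        dscl . -read "/Users/$1" UniqueID NFSHomeDirectory 2>/dev/null
    else
        printf 'UniqueID: 501\nNFSHomeDirectory: /Users/%s\n' "$1"   # constructed sample
    fi
}

# Extension attribute output, in the <result> wrapper Jamf Pro expects.
ea_result() {
    printf '<result>%s</result>\n' "$(read_mgmt_record "$MGMT_ACCOUNT" | classify_record)"
}

ea_result
```

Paste it as a script-type extension attribute, then build a smart group on the value "misplaced"; an account that does not exist at all shows as "unknown", which is worth a second smart group since it means the PreStage did not create the account.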

ant89
Contributor

Thanks @m.donovan --- I'm not sure what the issue is here but this started happening yesterday. I haven't changed any settings in the user-initiated enrollment section where I set the management account.

qsodji
Contributor

This is a defect in Jamf; I have run into the same issue with version 10.
Here is a workaround:
https://www.jamf.com/jamf-nation/discussions/10439/hiding-management-account#responseChild60165
Jamf is aware of the issue, which is because that same setting in Profile Manager is actually to show the account and not hide it.
Here is the info: PI-002119.

HNTIT
Contributor II

I have the same issue.

All I did was create a second account during the PreStage for DEP called enroll, and that solves the issue. I have a later step that deletes it shortly after. This handily ties in with a few machines that are not in DEP: when we wipe them a local account needs creating for initial setup, so we create one called enroll for that and it gets deleted once in JAMF too.

ant89
Contributor

Thank you both @qsodji & @HNTIT -- both methods work! Though creating the secondary account with the HIDDEN box checked does not hide the secondary account. This creates that second account with a UID of 501. That doesn't matter since we will be deleting that account anyway. I think I will just go with this method - https://www.jamf.com/jamf-nation/discussions/10439/hiding-management-account#responseChild60165

MichaelNash
New Contributor II

I've had this issue too. My workaround was to:
- create the first account as full admin via ldap and prestage config.
- create a smart group for looking for devices that have 'x' app.
- create a policy to create your preferred admin account and run a script to demote users to a standard account with exceptions (skipping your admin account)
- scope the policy to your smart group and set as run once per computer.

This has worked in a K-12 environment.

dstranathan
Valued Contributor II

I just upgraded to Jamf Pro 10.7.1 (Sept 2018) and the DEP local admin account (provisioned in PreStage Enrollment) is still not completely hidden.

UID is 501
homedir is in /Users

However, the account is NOT visible in the Users & Groups preference pane.

My workaround is to run a Jamf policy/script that looks for my temp deployment account and deletes it after deployment is completed (if it is located).
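An added example, not posted in this thread: a Jamf policy script that does the cleanup dstranathan and HNTIT describe, removing the temporary deployment account once the build is done. The account name "enroll" comes from HNTIT's post; the safety checks (skip root, skip a missing account, skip the account that owns the console) are assumptions added here, not anything the posters said they do.

```bash
#!/bin/bash
# Added example, not from this thread: Jamf policy script that removes a
# temporary deployment account after deployment. "enroll" is the default
# name (from the thread); Jamf passes script parameters from $4 onward, so a
# different name can be supplied in the policy.

TEMP_ACCOUNT="${4:-enroll}"

# Decide whether deletion is safe from plain strings, so the rule can be
# tested without Directory Services: $1 = account, $2 = newline-separated
# list of local users, $3 = user owning the console session.
# Prints "delete" or "skip: <reason>".
decide_delete() {
    account="$1"
    users="$2"
    console_user="$3"
    case "$account" in
        ""|root) echo "skip: refusing to delete '${account}'"; return 0 ;;
    esac
    if ! printf '%s\n' "$users" | grep -qxF "$account"; then
        echo "skip: $account does not exist"; return 0
    fi
    if [ "$account" = "$console_user" ]; then
        echo "skip: $account owns the console session"; return 0
    fi
    echo "delete"
}

# macOS lookups (Jamf runs policy scripts as root).
local_users()   { dscl . -list /Users; }
console_owner() { stat -f '%Su' /dev/console; }

remove_temp_account() {
    verdict="$(decide_delete "$TEMP_ACCOUNT" "$(local_users)" "$(console_owner)")"
    echo "$TEMP_ACCOUNT: $verdict"
    [ "$verdict" = "delete" ] || return 0
    # -deleteUser also removes the home folder unless -keepHome is given.
    # Deleting a SecureToken holder would need -adminUser/-adminPassword; a
    # later post in this thread notes the PreStage account gets no token.
    sysadminctl -deleteUser "$TEMP_ACCOUNT"
}

# Only act when really running on a Mac as root, i.e. under a Jamf policy.
if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" = "0" ]; then
    remove_temp_account
fi
```

Scope the policy to a smart group that proves the build finished (the same "has app x" idea MichaelNash uses) with a once-per-computer frequency; the verdict line lands in the policy log, so a Mac where the account was skipped because someone is logged in as it is easy to spot and re-run.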


Sanchi
Contributor

@ant89 I'm seeing exactly this.

If I create an additional admin account as a PreStage option, the hidden Jamf Management account gets a UID of 80 and is placed in /var/users - normal.
If I do not create the additional admin account, the Jamf Management account gets a UID of 501 and is in Macintosh HD/Users.

All I want for Xmas is for Jamf Connect to create the first normal user and for that user to be 501.

I'm running Jamf Cloud v10.10.1-t1551187745.

I guess it's off to the workarounds - annoying -__-

Sanchi
Contributor

On second testing:

Jamf Management account shows as UID 501 - secureToken disabled, does not show in Users and Groups.
First account created via Jamf Connect (with the admin option turned on in its plist) shows as UID 502 - secureToken enabled, shows as the only account in Users and Groups.

On reboot FileVault is enabled for 502.

Welp, as we know the Jamf Management account doesn't get a secureToken, even if it's an admin account and UID 501. So in my case it's all good.

My PreStage is set to skip user account creation and also to not create an additional account. I then use Jamf Connect to authenticate to Azure AD in order to create the first user account with the following keys set to true in its plist:

<key>CreateAdminUser</key>
<true/>
<key>EnableFDE</key>
<true/>

So first user is an admin, and also enabled for FileVault on reboot with the help of a FileVault Config Profile.

When I reboot, I get the FileVault login screen with the first user (Jamf Connect created user) as the FileVault user and no evidence of the Jamf Management account visible in the GUI on the Mac. Happy days.

Sanchi
Contributor

The issue I currently have is, given all the above, I still see the user folder of my Jamf management account in /Users.

My workflow is DEP > Jamf Connect Login > DEPNotify build > profit

Once I login to my Azure account and get to the desktop I see both my Jamf admin account and my just created account side by side in /Users. This is obviously an issue for us. Initial thought is just to use

sudo chflags hidden /Users/_jamfadminaccount

as a temp workaround.
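An added example, not posted in this thread: a script that applies the chflags stopgap from the post above and additionally marks the account hidden in Directory Services (the IsHidden attribute), then verifies both. "_jamfadminaccount" is the placeholder name from the post; the verification parsers are assumptions added here.

```bash
#!/bin/bash
# Added example, not from this thread: hide the management account's home
# folder with chflags (the stopgap above) and flag the account itself as
# hidden so it stays out of the login window, then verify both.
# "_jamfadminaccount" is the placeholder name from the post.

ACCOUNT="${1:-_jamfadminaccount}"

# Read one line of `ls -ldO` output (BSD ls on macOS prints the file flags in
# the fifth column, "-" when none are set) and print "yes" if "hidden" is set.
has_hidden_flag() {
    awk '{ s = "," $5 ","; if (s ~ /,hidden,/) print "yes"; else print "no" }'
}

# Read `dscl . -read /Users/<name> IsHidden` output ("IsHidden: 1") and
# print "yes" if the account is marked hidden.
is_hidden_account() {
    awk '$1 == "IsHidden:" && $2 == "1" { found = 1 }
         END { if (found) print "yes"; else print "no" }'
}

hide_account() {
    chflags hidden "/Users/$1"             # home folder, hidden from Finder
    dscl . -create "/Users/$1" IsHidden 1  # account, hidden from login window
}

verify_hidden() {
    echo "home folder hidden: $(ls -ldO "/Users/$1" | has_hidden_flag)"
    echo "account hidden:     $(dscl . -read "/Users/$1" IsHidden 2>/dev/null | is_hidden_account)"
}

# Only act on a Mac, as root, and only if the account actually exists.
if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" = "0" ] \
   && dscl . -read "/Users/$ACCOUNT" >/dev/null 2>&1; then
    hide_account "$ACCOUNT"
    verify_hidden "$ACCOUNT"
fi
```

Neither flag changes the UID or moves the home directory, so the extension attribute view of the problem is unchanged; this only removes the two visible symptoms (the folder in /Users and the account in the GUI) until the PreStage behaviour is fixed.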

dstranathan
Valued Contributor II

We are still seeing this issue here with DEP/ABM Mac deployments. The local Jamf admin account gets UID 501 and its home directory is created in /Users. I have workaround scripts to move/hide the account but it's certainly not an optimal situation.

I'm still on Jamf Pro 10.9. Has this been resolved in newer versions of Jamf Pro?