Do you use DEP with mobile and/or standard user accounts?

danshaw
Contributor II

I'm trying to perfect our DEP workflow for setting up new and old Macs for our company and things are a bit rocky. My current workflow is using SplashBuddy to show the end user a graphical update on the software that is being installed along with enabling FileVault encryption. This seems to work relatively well.

I have a prestage enrollment set up that requires authentication before entering in their account, which pre-populates the new user with their account info. It seems like after upgrading to JAMF 10.7 that now there is no possible way to generate that user as a Mobile User. Or even make them a standard user. Instead, the account that is created is a local admin account.

At our company we would ideally like Standard Mobile User accounts. Is that even possible any more with a DEP workflow? How do you guys do it?

I have also tried to downgrade the local admin account to a standard account, but as soon as we do, their account is no longer able to log into the computer. We have to then log back into the management account, enable them as admin, and they can then access their profile again.

279a661581964492a506de54af62f108

1 ACCEPTED SOLUTION

danshaw
Contributor II

I solved this for our company by demoting the user after account creation to a standard user at the end of our DEP process. This seems to have worked for now.

Here is the script I use. I have it grep out "management" as that is our management account that I don't want demoted.

 IFS=$'
'
        declare -a localusers=($(dscl . list /Users UniqueID | grep -v management | awk '$2 >= 500 && $2 < 1000 {print $1}'))
    unset IFS

    for i in "${localusers[@]}"
        do          
           /usr/sbin/dseditgroup -o edit -n /Local/Default -d $i -t "user" "admin"
            echo $localusers
        done

View solution in original post

2 REPLIES 2

danshaw
Contributor II

I solved this for our company by demoting the user after account creation to a standard user at the end of our DEP process. This seems to have worked for now.

Here is the script I use. I have it grep out "management" as that is our management account that I don't want demoted.

 IFS=$'
'
        declare -a localusers=($(dscl . list /Users UniqueID | grep -v management | awk '$2 >= 500 && $2 < 1000 {print $1}'))
    unset IFS

    for i in "${localusers[@]}"
        do          
           /usr/sbin/dseditgroup -o edit -n /Local/Default -d $i -t "user" "admin"
            echo $localusers
        done

walts_9
New Contributor III

I'll have to try your solution out, but I'm curious. Is this an issue with JAMF or has apple changed anything that prevents a standard account vs. admin account?