FileVault & deleting local account

MBrownUoG
Contributor

Hello folks.

We have a few older non-DEP Macs here on which our team has performed a clean install of Mojave, created a "Mac" user on initial setup, and then manually enrolled them in Jamf. All works well from that point, aside from when it comes time to delete that initial "Mac" account (for context, after initially logging in and renaming the machines, we bind our devices to AD and all users log in via their normal AD credentials).

Basically, I can't delete that "Mac" account for love nor money, no matter if I try via the OS, via the Jamf GUI, a Jamf policy or via all the terminal wizardry I could find. The only thread of investigation I have left is that in every case in which the account can't be deleted, it's also the only local account enabled for FileVault 2.

Am I correct in thinking this will be the issue? We don't actually use FileVault on our machines yet (I know... it's on the never-ending list), and we do have another local admin account on the Macs that could be enabled for it. Is there an easy way to enable FileVault 2 for that other account, and remove it from "Mac"?

All our DEP-enabled Macs don't seem to have this issue. The same "Mac" account is created as part of a prestage enrolment so we can have our techs log in and rename the machines (which will then kick off policy to remove the account, etc), but when doing things that way, the account removes just fine via policy. Odd.


sshort
Valued Contributor

Check out this article. There were some changes to secureToken behavior in Mojave starting in 10.14.2 that prevent the removal of accounts based on their secureToken status and their standard/admin account type.

itmgr
New Contributor

I swear, is it getting harder and harder to do our jobs? Or is it just me???

Hugonaut
Valued Contributor

It's all a part of the fun @itmgr
