Find My Mac and Guest User in macOS Catalina

struskowski
New Contributor

In the past, when Find My Mac was enabled, it automatically enabled the Guest User. It seems like in the latest version of macOS Catalina 10.15.4, this isn’t the case anymore.

As a test, I turned off Find My Mac and turned off the Guest User. I then rebooted. Following the reboot, I re-enabled Find My Mac, but the Guest User was still turned off. In the past, it would have been automatically turned on. FWIW, Offline Finding was also enabled in Find My Mac.

Can anyone else confirm this behavior?

4 REPLIES 4

a_holley
Contributor

I can't comment on the Find My Mac portion, but we have noticed that once our guest machines are updated to Catalina, they can no longer log in as guest. We have to go in and turn the guest account off and back on again before it will work.

LukeMason
New Contributor III

@a.holley - I've noticed this as well (password prompt appears for guest account). I'm trying to come up with a solution that doesn't require manual intervention on each computer... So far I've determined that scoping to a Login Window config profile that disables the guest user and then scoping back to our normal profile (which enables the guest user again) works to fix the account...

@struskowski - I thought the guest account appearing for Find my mac was normal for the last few OS's?

Guest access works with the Find My app to help you find your Mac if you lose it. You can locate your Mac if someone finds it, logs in as a guest, and then uses Safari to access the internet. See Set up the Find My app to locate a missing Mac.

From this website: https://support.apple.com/en-ca/guide/mac-help/mtusr001/mac

a_holley
Contributor

@LukeMason I just had the same thought myself and went and changed that config profile to disable guest user. Guess what? It just sits there pending for all 100+ machines...

LukeMason
New Contributor III

@a.holley - I've got a bit of a clunky workflow going that seems to be working. Here's what we're doing:

To start with, I'm sure there's a few different ways to handle the scoping. We've got extension attributes setup to watch the 4 ARD fields, which is helpful for us. Also, we're using this script for our upgrade process: https://github.com/kc9wwh/macOSUpgrade

  1. To start off, I cloned my Login Window profile and changed the copy to disable the guest user.
  2. I then added 2 lines into the upgrade script (before the installer download kicks off - I used line 331) which drops a flag into ARD field 3 (in my case I'm using "CatalinaGuest" as my flag) and then runs a recon.
## Set flag in ARD field 3 to disable guest user
/usr/bin/defaults write /Library/Preferences/com.apple.RemoteDesktop Text3 "CatalinaGuest"

## Recon to update profiles
/usr/local/jamf/bin/jamf recon
  1. I've created a smart group that looks for that flag and another smart group that is "all clients below 10.15.4".
  2. The first smart group (with the flag) is excluded from my original Login Window profile (which enables the Guest account) and is scoped to the copy profile (which disables Guest).
  3. I then created another policy (recurring check-in) which is also scoped to the flagged smart group but excludes the "all clients below 10.15.4" group. This policy runs a script which removes the flag from ARD 3 and then runs another recon (which scopes the computer out of the copy profile and back into the original profile).
#!/bin/bash

/usr/bin/defaults delete /Library/Preferences/com.apple.RemoteDesktop Text3

/usr/local/jamf/bin/jamf recon

exit

This is a confusing mess and I'm not very good at explaining sometimes. If you want any help or additional details, please don't hesitate to reach out.