In doing some testing today I've uncovered a rather odd situation. In our environment, our computers flow in via DEP, through a prestage that creates a hidden local admin account. This is the same prestage we've always used since we started using JAMF.
It seems the correct location for a hidden admin account home is /private/var. I'm not sure if this is correct or not, but reading on the community I believe it to be correct. For a hidden admin account called JSSAdmin, you'd obviously have the home folder as /private/var/JSSAdmin.
This has not been my experience in the past. Up until I'd say Big Sur, our hidden admin account has always resided in the /Users directory. I noticed in doing some testing for Big Sur that the admin account had moved to /private/var. I assumed this was a change from Apple and moved on. Fast forward to today, and it seems like there's more going on. I have a machine I enrolled a month ago that has the admin account in /Users, and I have one I enrolled this week that has the admin account in private/var.
I wrote an extension attribute to check for the JSSAdmin folder in /private/var. In looking at reporting based off that EA, I cannot find a common thread that would point out what's causing this. I cannot seem to pin it down to a specific time frame, macOS version, or JSS version. For instance I have one 8/19/21 that has the admin folder in /private/var and I have one I enrolled on 8/17/21 that has the admin home in /Users. I'm still waiting for all the machines to update their inventory before I'll have full reporting but it seems like the majority have the hidden local admin account in /Users and maybe 25% have it in /private/var.
One other interesting thing to point out. The machines that have the hidden local admin in /private/var also have a home folder for the hidden local admin in /Users but there's nothing in it but empty folders. If I create a new folder on the desktop, it only shows up in /private/var/JSSAdmin/desktop. Users/JSSAdmin/desktop remains empty.
Has anybody else run into this?
-Matt-
