Hidden Local Admin Account

Ender-IT
New Contributor

Jamf newbie here. We've deployed Jamf on our fleet of about 2.6K machines. For creating the Local IT Admin account, we used a policy in the Jamf GUI that simply ran/runs during enrollment and check-ins to create this account; nothing else was configured and the accounts were created OK.

The problem we are having is that users are complaining because of this second account showing on their computer. Is there a way to hide it completely and still be able to access it for IT?

If so, is there an easy way to do it, considering almost 95% of all these machines already have this admin account created? Thank you.

1 ACCEPTED SOLUTION

Anonymous
Not applicable

As far as I know, there is no way to authorize a created (and hidden) user for FileVault, since the first user who sets up the Mac is always an administrator and all subsequent users must be authorized for FileVault by him. The password of the user to be authorized is required for this. If I am wrong and anyone has found a way to do this, I would be very interested in the solution. We use macOS 12.x.

9 REPLIES 9

obi-k
Valued Contributor III

You can run a postscript or something to hide your local admin account from the GUI. It'll still be available to you when you log in with the username/password.

https://support.apple.com/en-us/HT203998

Ender-IT
New Contributor

I see, but is there a way to hide them both from users & groups in system preferences and also at login window?

obi-k
Valued Contributor III

Yes, that command should do both. (I mean you can still log in as an admin even though it's hidden from the log-in window.)

Test. You can put that one-line command in Jamf's payload "File & Processes."


jrippy
Contributor III

Another question to ask that I think is relevant here – Are you using FileVault encryption on your computers?  If so, that is a different login window from the standard macOS login window AND will be the only login window the user will see when they reboot if the FileVault password and macOS password match.

If that is the case, is there any way to hide the user from the FileVault login window?  I believe the answer to that is no unless you remove your admin user from having the ability to unlock the drive.

We do have FileVault turned on, but they go directly to the regular macOS login window.

As far as I am aware, that's not possible as the disk has to be unlocked on reboot.  Otherwise, what is the point of encryption, right?

jrippy
Contributor III

Hey @obi-k, I'm not wanting to knock your post, but can you provide some context on what information you were trying to convey?  Was it just to confirm you can't hide an account from FileVault?

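The two points raised in this thread, hiding the account with the `IsHidden` attribute from the linked Apple article and checking whether that account is FileVault-enabled, can be combined in one policy script. The script below is an added example, not something posted by anyone in the thread. It assumes the admin account's short name is passed as Jamf script parameter 4, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: hide an existing local admin account and report FileVault status.
# Tool paths can be overridden, which also allows testing off a Mac.
DSCL="${DSCL:-/usr/bin/dscl}"
FDESETUP="${FDESETUP:-/usr/bin/fdesetup}"

# Succeeds if the local account exists in the directory service.
account_exists() {
    "$DSCL" . -read "/Users/$1" UniqueID >/dev/null 2>&1
}

# Succeeds if IsHidden is already set to 1 for the account.
is_hidden() {
    "$DSCL" . -read "/Users/$1" IsHidden 2>/dev/null | grep -q 'IsHidden: 1$'
}

# Succeeds if the account is FileVault-enabled.
# "fdesetup list" prints one "shortname,UUID" line per enabled user (needs root).
is_filevault_user() {
    "$FDESETUP" list 2>/dev/null |
        awk -F, -v u="$1" '$1 == u { found = 1 } END { exit !found }'
}

# Hide the account if needed, confirm the change, and print a status word:
#   missing | failed | hidden | hidden-filevault-enabled
hide_account() {
    user="$1"
    if ! account_exists "$user"; then
        echo "missing"; return 1
    fi
    if ! is_hidden "$user"; then
        "$DSCL" . -create "/Users/$user" IsHidden 1 || { echo "failed"; return 1; }
        is_hidden "$user" || { echo "failed"; return 1; }   # re-read to confirm
    fi
    if is_filevault_user "$user"; then
        echo "hidden-filevault-enabled"   # account can still unlock the disk
    else
        echo "hidden"
    fi
}

# Jamf passes custom script parameters starting at $4.
if [ -n "${4:-}" ]; then
    hide_account "$4"
fi
```

Because the script is idempotent, it can run at every check-in, and the printed status word ends up in the policy log for each machine.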