Local admin account not being created for non-DEP Macs

Ryan_A_GDX
New Contributor III

We currently deploy around 380 Macs in our company, most of which were purchased through Apple DEP. However, some of the Macs still in circulation were purchased prior to the company enrolling in DEP and using Jamf.

When we re-image one of those older Macs and self-enroll after setup, all of the settings, policies and profiles push to the Mac, except for the local admin account creation.

Therefore we have to manually create a new user named admin; however, that user is then not managed by Jamf.

I know there is no way to get them into DEP proper, but is there any way to get the Macs that are not enrolled in DEP to automatically create the admin account when self-enrolling? When you look in the PreStage Enrollment, DEP Macs show as having completed enrollment, while the non-DEP ones are listed as assigned.


dan-snelson
Valued Contributor II

@ryan.adams_Sema4

For our older Macs, we have a Smart Computer Group named "Local User Accounts: localadmin" with a single criterion:
Local User Accounts — has — localadmin

We then have a standard policy named "Local User Account Create: localadmin" scoped to all computers, excluding the "Local User Accounts: localadmin" Smart Group, which runs the following script (excerpt) and then updates inventory.

# Create admin account
# (excerpt: ${adminAccount} and ${adminPassword} are set earlier in the full script)
/bin/mkdir -p "/private/var/${adminAccount}"
/usr/local/bin/jamf createAccount -username "${adminAccount}" -realname "${adminAccount}" -password "${adminPassword}" -home "/private/var/${adminAccount}" -admin -hiddenUser -suppressSetupAssistant
/usr/sbin/chown "${adminAccount}" "/private/var/${adminAccount}"

# Confirm account has been created
# (dscl reports a missing record on stderr, so merge stderr into the pipe or grep never sees it)
adminAccountTest=$( /usr/bin/dscl . -read "/Users/${adminAccount}" 2>&1 | /usr/bin/grep "Error" )
if [[ "${adminAccountTest}" == *Error* ]]; then
    echo "${adminAccount} NOT created"
    exit 1
else
    echo "Created ${adminAccount}."
fi

Tribruin
Valued Contributor II

I am kind of confused by what you are saying here. You should not be able to see your non-DEP Macs in your Prestage Enrollment. That is only for DEP enrolled Macs.

You can have Jamf create a local admin using a script like the one posted above, or use the Local Account policy in Jamf to create that account. If you want to make sure it runs when you enroll non-DEP Macs, just create a smart group with the criterion "Enrolled by DEP" is "No" and scope the policy to that smart group.

If you have records of when and where you bought these older computers, you might be able to get them enrolled in ABM retroactively. If you bought from Apple Business or a VAR that participates in ABM enrollment, they should be able to add the serial numbers to ABM for you, back as far as purchases from 2012. But if you bought them via retail (e.g. Apple Store, Amazon, Best Buy), you won't be able to add those.
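Both replies scope the account-creation policy with a Smart Group that only checks whether the account exists. As an added example (not from either poster), this Jamf Extension Attribute also reports whether the account is still an admin and still hidden, so the Smart Group can target the full managed state. It assumes the account name "localadmin" from the thread, the standard macOS dscl and dseditgroup tools, and that the jamf binary's -hiddenUser flag sets the IsHidden attribute.

```shell
#!/bin/bash
# Added example, not from the original thread: Jamf Extension Attribute reporting
# the state of the hidden local admin account. Runs as root under the Jamf binary.
adminAccount="localadmin"   # assumption: same account name as in the thread

# evaluate_account EXISTS ISADMIN ISHIDDEN -> prints one EA value.
# Arguments are "yes"/"no" so the decision logic can be checked off-box.
evaluate_account() {
    local exists="$1" is_admin="$2" is_hidden="$3"
    if [ "$exists" != "yes" ]; then
        echo "Missing"              # creation policy should run
    elif [ "$is_admin" != "yes" ]; then
        echo "Present-NotAdmin"     # account exists but lost admin rights
    elif [ "$is_hidden" != "yes" ]; then
        echo "Admin-Visible"        # admin, but shows at the login window
    else
        echo "Admin-Hidden"         # the desired managed state
    fi
}

# Gather facts on macOS. dscl reports a missing record on stderr and a
# non-zero exit, so the exit status is the reliable existence test.
gather_state() {
    local exists="no" is_admin="no" is_hidden="no"
    if /usr/bin/dscl . -read "/Users/${adminAccount}" >/dev/null 2>&1; then
        exists="yes"
        # checkmember exits 0 only when the user is in the admin group
        /usr/sbin/dseditgroup -o checkmember -m "${adminAccount}" admin >/dev/null 2>&1 && is_admin="yes"
        # "IsHidden: 1" is what the account record shows for a hidden user
        [ "$(/usr/bin/dscl . -read "/Users/${adminAccount}" IsHidden 2>/dev/null | /usr/bin/awk '{print $2}')" = "1" ] && is_hidden="yes"
    fi
    evaluate_account "$exists" "$is_admin" "$is_hidden"
}

# Jamf reads the value between the <result> tags into the EA.
echo "<result>$(gather_state)</result>"
```

Build the Smart Group on this EA being anything other than "Admin-Hidden" and scope the creation (or repair) policy to it.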