Local Admin needed before User Account

k3vmo
Contributor II

My current environment requires a local admin account before the network user account is created. They had been doing it manually with a local admin and a mobile managed account based on the AD user.

I LOVE the idea of NoMad Login / Jamf Connect - however, utilizing Apple Business Manager - It seems I would still need to manually create the local admin on the system - then allow the end user to create their account via NoMad Login?

Or, am I overthinking this?

While enrolled in the MDM - I'd have 'admin' access connecting through the MDM.
What if the MDM can't reach the machine and I have to physically access it?


Nix4Life
Valued Contributor

have you tried:

  1. pycreateuserpkg

  2. creating a payload-free pkg with sysadminctl user creation

  3. *Currently using outset w/sysadminctl to automate the creation of said user on login

k3vmo
Contributor II

That sounds like the right approach. I initially started reading about that tool - however - could you please describe step 2 & 3 in more detail?

sshort
Valued Contributor

@k3vmo If you're using DEP you can create a PreStage that creates an additional local admin account for this purpose, and then skip the "normal" user account creation during Setup Assistant. My org does this and has the login screen set to show username & password fields vs just the username icons.

Nix4Life
Valued Contributor

Sure.
Create a script from the following (making edits where needed):

#!/bin/sh
# Creates a local admin account; replace every "youradmin..." placeholder and the picture path.
# sudo is redundant when this runs as root from a pkg postinstall or outset, but harmless.
sudo sysadminctl -addUser youradminshortname -fullName "Your Admins Full Name" -password youradminspassword -home /Users/youradminshortname -admin -shell /bin/bash -picture /path/to/picture

once you have the script you can do:

(2). Use Rich's payload-free pkg creator to create the package. Upon installing the .pkg, the user will be created.

or

(3). Install outset. Place the script in the applicable folder. Create a .pkg with Composer. Install it. On login, the user is created, transparent to the person logging in.

Charles Edge's Blog sysadminctl
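As an added example (not Nix4Life's script or any project's code), here is a more defensive version of the postinstall/outset script described above: it derives the shortname from a six-digit asset tag following k3vmo's "123456admin" convention, skips creation when the account already exists so a re-run of the pkg or a second login is harmless, optionally passes an existing secure token holder so the new admin gets a token (carlo_anselmi's question), and reports the token status to the log. The ASSET_TAG and ADMIN_PASSWORD variables and the "Local Admin" full name are constructed placeholders.

```shell
#!/bin/sh
# Added example: idempotent local-admin bootstrap for a payload-free pkg
# postinstall or an outset login script. Account details are placeholders.
# Caveat: the password still travels inside the pkg and appears briefly in the
# process list while sysadminctl runs; rotate it once management is in place.

# Derive the admin shortname from a 6-digit asset tag (k3vmo's format).
# Prints "<tag>admin" and returns 0, or prints nothing and returns 1 when the
# tag is not exactly six digits, so a bad tag never yields a stray account.
admin_shortname_from_asset_tag() {
    case "$1" in
        [0-9][0-9][0-9][0-9][0-9][0-9]) printf '%sadmin\n' "$1"; return 0 ;;
        *) return 1 ;;
    esac
}

# True when the account already exists in the local directory node.
local_user_exists() {
    dscl . -read "/Users/$1" RecordName >/dev/null 2>&1
}

# Create the local admin if absent. When an existing secure token holder is
# supplied (args 4 and 5), sysadminctl grants the new account a token too;
# otherwise the first login-window login for the account provides it.
ensure_local_admin() {
    name=$1 fullname=$2 password=$3 token_admin=${4:-} token_pw=${5:-}
    if local_user_exists "$name"; then
        echo "account $name already present, nothing to do"
        return 0
    fi
    if [ -n "$token_admin" ]; then
        sysadminctl -addUser "$name" -fullName "$fullname" -password "$password" \
            -home "/Users/$name" -shell /bin/bash -admin \
            -adminUser "$token_admin" -adminPassword "$token_pw"
    else
        sysadminctl -addUser "$name" -fullName "$fullname" -password "$password" \
            -home "/Users/$name" -shell /bin/bash -admin
    fi
    # sysadminctl reports token state on stderr; surface it for the Jamf log.
    if sysadminctl -secureTokenStatus "$name" 2>&1 | grep -q ENABLED; then
        echo "secure token ENABLED for $name"
    else
        echo "secure token not yet granted to $name"
    fi
}

# Only act on a Mac, as root; elsewhere the helpers above can still be exercised.
if [ "$(uname)" = Darwin ] && [ "$(id -u)" = 0 ]; then
    name=$(admin_shortname_from_asset_tag "${ASSET_TAG:-123456}") || { echo "bad asset tag" >&2; exit 1; }
    ensure_local_admin "$name" "Local Admin" "${ADMIN_PASSWORD:-changeme}"
fi
```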

carlo_anselmi
Contributor III

@k3vmo Hello, does pycreateuserpkg create a user with a secure token?
The last time I tried (likely not with the most current version) I could not make it work (it was still on High Sierra).
Thank you!
Carlo

evan684
New Contributor II

jamf 10.9 should allow you to pre-deploy NoMAD Login before other profiles run, allowing you to create the first account with NoMAD. Check out the NoMAD section of the last JNUC keynote. They talk about it a bit.

k3vmo
Contributor II

Each system has an asset tag with a 6-digit number. The format [before I got here] was to create 123456admin <-- as the local admin name.

I like the idea of the NoMAD pre-deploy @evan684 mentioned - I'll check that out. Seems I won't have any other option than manual interaction, since the name isn't based on the serial or any other hardware identifier.

@carlo.anselmi I actually don't know. pycreateuserpkg is new to me since the secure token. I haven't tested it yet.

PE2000
Contributor

@sshort

Question
How are you doing this on Mac OS Catalina? I am currently on jamf pro.

Many Thanks.


sshort
Valued Contributor

@PE2000 I'm actually making changes to that PreStage right now, lol. Yes, this is working under Catalina. Look under PreStage Enrollments > Account Settings, and check the box for "Create a local administrator account before the Setup Assistant." Then click the Skip Account Creation button near the bottom.

The "Hide managed administrator account in Users & Groups" option is not referring to this account. That refers to the account you can make in the Jamf Pro settings under Management Settings>Global Management>User-initiated Enrollment>Platforms.

PE2000
Contributor

@sshort

Thank you.

This setup will create a local admin account, and the secure token will be pushed out by Jamf?

Thank you!

spraguga
Contributor

@sshort @PE2000 @k3vmo I think I remember reading somewhere that Apple fixed this in a Catalina release, maybe 10.15.3 or .4? Has anyone tested without creating the local admin account with these later macOS versions?

spraguga
Contributor

I just tested with 10.15.4 and it appears to be working without having to create a local admin account now.

nikjamf
New Contributor III

Hello, will PreStage enrollment work on an existing enrolled system with non-DEP enrollment?