Prestage Enrollment - localadmin account creation.

jgwatson
Contributor

We are currently setting up some student laptops, and we need to create two accounts for the laptop. One localadmin account - to manage the laptop, and one standard account for the student. We don't want the students to have admin rights.

What is the best way to do this?

We were concerned we would have errors with the localadmin account creation.

7 REPLIES

chrisx
New Contributor

If you wanna create it over jamf or other software deployment you could use the application:

  • createuserpkg

http://magervalp.github.io/CreateUserPkg/

cheers

EdLuo
Contributor

You can create an Admin account through the PreStage and then the additional student account by Policies, Local Accounts. Set the trigger to Enrollment Completes and scope it to the proper computers.

stevevalle
Contributor III

Your local admin account gets set up from Casper during enrolment (hidden management account). You can also create an additional local admin account through DEP prestage enrolment (Account Settings tab).

We create a local admin account on student loan laptops via a policy (cached policy to ensure the user is still created if not on the network). The same could be done for a local non-admin account.

jared_f
Valued Contributor

I second "createuserpkg" - it is also available in the Mac App Store.

mike_paul
Contributor III

If you are using PreStage Enrollment via DEP, like the title of the post suggests, that functionality is built into the Account Settings payload and using other tools would likely create overlap and extra work.

The admin account specified within your User Initiated Enrollment quickadd package is shown there along with the ability to create an additional local admin account for use for techs if you wish to randomize the management account password.

Then you get to specify the account type of the local account created with the setup assistant and you can choose whether it is an admin account, standard account or bypass the entire account creation process if you are binding to a directory service during the PreStage.

If you are not using a PreStage Enrollment with DEP-enabled computers, then createuserpkg or built-in functionalities of the JSS and jamf binary can get you there easily.

mbrzezowski
New Contributor II

I was using this like mike.paul described, but now every time a computer goes through prestage it hangs and says it failed to connect to the MDM. If I remove the account payload of prestage, it goes through prestage (but has other issues because the accounts weren't created).

Anyone else seeing that problem and have a solution?

pueo
Contributor

Hello

@mbrzezowski I am experiencing part of the issues you are. For some reason during our Pre Stage enrolment our devices are prompted to create an account. You cannot choose if it's a Standard or Admin account so I am not sure where the info is being pulled from.
I do have User Initiated Enrolment enabled and Pre Stage 'should' pull the admin account from User Initiated Enrolment. For whatever reason it does not. I have tried various tweaks to our Pre Stage and nothing works so far. I delete the device from Inventory each time I restore the default OS.
The annoying thing is, this was working during the JumpStart (completed in 1st week of Jan).

Very Frustrating.

a.