Jamf Nation Community

I have MDM profiles in production that enforces username/password and disabled the guest account. The end goal is to push this script to a group of systems that I've removed MDM from, however my lab system does not have any MDM/MCX. In fact my lab system has not been hooked to Casper or AD.

Have you made any progress on this? I would be grateful if you might be able to share your eventual solution.

This is for non-bound laptops being used by primary school children - your solution would be just fine, perhaps I am automating too much.

If it matters, Rich Trouton (as always) has a unique solution I've considered as it gets around some interesting issues:

http://derflounder.wordpress.com/2013/12/29/creating-custom-guest-users-on-os-x/

Creating the Guest User works fine. But now I'm having trouble with the keychain on my Guest User Account when I open up Safari. It says that the password has changed and I need to set a new password for keychain.

It works when I remove the following line: security add-generic-password -a Guest -s com.apple.loginwindow.guest-account -D "application password" /Library/Keychains/System.keychain

But then I need to login with password on my Guest User Account. When I hit Enter (no Password) it logs in.

the solution I finally settled on combines the one fabsen83 mentioned and the one posted here: https://derflounder.wordpress.com/2013/12/29/creating-custom-guest-users-on-os-x/

it works well, however for 10.10, I'm having a keychain issue. For some reason a keychain is not being created for the new guest user which causes Safari to complain. This happens each time the guest user logs in since the account folder deletes itself on logout.

We got around the keychain issue by... not creating a keychain for the account and allowing it to create itself. It's a guest account anyway it'll only get blown away anyhoo. This, of course, means that the guest account might not be able to auto-login but that's something we can live with. Code follows:

#!/bin/sh

# this script creates a guest account, ensures that it's visible at the login window and functional in all other ways. 
# ensure that you've modified the english.lproj template folder to make the account look & feel as you prefer.

# ---------------------------------------------------------
#   Set all Variables
# ---------------------------------------------------------

#----- Standards
SCRIPTNAME=$0
Result=$?

#----- Verbose error checking during execution
set -u

#----- Guest Account Variables
user=guest
GuestID="600"

#--- Set Logging
Log="/Library/Logs/YourCompany/"
if [ ! -d "${Log}" ];
then
    mkdir $Log
    chown root:wheel $Log
    chmod 777 $Log
fi
exec >> "${Log}"/com.YourCompany.CreateGuestAccount.log 2>&1

#----------------------------------------------------------
#  Timestamp
#----------------------------------------------------------
echo "                                   "
echo "###################################"
echo "##### `date "+%A %m/%d/%Y %H:%M"`"
echo "###################################"
echo "                                   "

#----------------------------------------------------------
#  Script
#----------------------------------------------------------

# create guest account core attributes
dscl . -create /Users/$user
dscl . -create /Users/$user realname "${user}"
dscl . -create /Users/$user RecordName "${user}"
dscl . -create /Users/$user NFSHomeDirectory /Users/$user
dscl . -passwd /Users/$user ''
sleep 2
dscl . -create /Users/$user AuthenticationHint ''
dscl . -create /Users/$user UniqueID "${GuestID}"
dscl . -create /Users/$user PrimaryGroupID "${GuestID}"
dscl . -create /Users/$user shell /bin/bash
dscl . -create /Users/$user dsAttrTypeNative:_defaultLanguage en
dscl . -create /Users/$user dsAttrTypeNative:_guest true
dscl . -create /Users/$user dsAttrTypeNative:_writers_defaultLanguage "${user}"
dscl . -create /Users/$user dsAttrTypeNative:_writers_LinkedIdentity "${user}"
dscl . -create /Users/$user dsAttrTypeNative:_writers_UserCertificate "${user}"
echo "$user account has been created with the UID of $GuestID."

# Enable guest account to show @ login window
defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool true
echo "$user account is now visible at login window."

# Enable guest account functionality
defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool true
defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool true
echo "$user account is now functional with core OS."

echo ""
echo "$user account setup is now complete."

exit 0

There's a nifty solution to this that I found at the following blog: http://osxadmin.blogspot.com/2016/06/creating-custom-guest-users-on-os-x.html

You must create a password (any password) for the Guest account at the dscl . -psswd spot and then make the keychain accessible by all processes (-A) and account for password (-w)

The following would be the complete script, copied from fulm's post:

#!/bin/bash
#Create Guest Account in the DS Local Node
dscl . -create /Users/Guest
dscl . -create /Users/Guest dsAttrTypeNative:_defaultLanguage en
dscl . -create /Users/Guest dsAttrTypeNative:_guest true
dscl . -create /Users/Guest dsAttrTypeNative:_writers_defaultLanguage Guest
dscl . -create /Users/Guest dsAttrTypeNative:_writers_LinkedIdentity Guest
dscl . -create /Users/Guest dsAttrTypeNative:_writers_UserCertificate Guest
dscl . -create /Users/Guest AuthenticationHint ''
dscl . -create /Users/Guest NFSHomeDirectory /Users/Guest
dscl . -passwd /Users/Guest 'Guest'
dscl . -create /Users/Guest Picture "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/UserIcon.icns"
dscl . -create /Users/Guest PrimaryGroupID 201
dscl . -create /Users/Guest RealName "Guest User"
dscl . -create /Users/Guest RecordName Guest
dscl . -create /Users/Guest UniqueID 201
dscl . -create /Users/Guest UserShell /bin/bash

#Create Keychain item  for Guest
security add-generic-password -a Guest -s com.apple.loginwindow.guest-account -A -w "Guest" -D "application password" /Library/Keychains/System.keychain

#Enable Guest Account
defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool TRUE

Just make sure the two passwords match, and I think you need to make sure the password conforms with any PW requirements imposed.

So I've tried the scripts here listed in this post, but I'm having an issue where the keychain is still popping up everytime we log into the guest account.

Here is the script we're currently using, are there any modification we can do to get the script to work without prompting the keychain issue everytime the guest account logs in?

#!/bin/sh

# this script creates a guest account, ensures that it's visible at the login window and functional in all other ways. 
# ensure that you've modified the english.lproj template folder to make the account look & feel as you prefer.

# ---------------------------------------------------------
#   Set all Variables
# ---------------------------------------------------------

#----- Standards
SCRIPTNAME=$0
Result=$?

#----- Verbose error checking during execution
set -u

#----- Guest Account Variables
user=guest
GuestID="600"

#--- Set Logging
Log="/Library/Logs/YourCompany/"
if [ ! -d "${Log}" ];
then
    mkdir $Log
    chown root:wheel $Log
    chmod 777 $Log
fi
exec >> "${Log}"/com.YourCompany.CreateGuestAccount.log 2>&1

#----------------------------------------------------------
#  Timestamp
#----------------------------------------------------------
echo "                                   "
echo "###################################"
echo "##### `date "+%A %m/%d/%Y %H:%M"`"
echo "###################################"
echo "                                   "

#----------------------------------------------------------
#  Script
#----------------------------------------------------------

# create guest account core attributes
dscl . -create /Users/$user
dscl . -create /Users/$user realname "${user}"
dscl . -create /Users/$user RecordName "${user}"
dscl . -create /Users/$user NFSHomeDirectory /Users/$user
dscl . -passwd /Users/$user ''
sleep 2
dscl . -create /Users/$user AuthenticationHint ''
dscl . -create /Users/$user UniqueID "${GuestID}"
dscl . -create /Users/$user PrimaryGroupID "${GuestID}"
dscl . -create /Users/$user shell /bin/bash
dscl . -create /Users/$user dsAttrTypeNative:_defaultLanguage en
dscl . -create /Users/$user dsAttrTypeNative:_guest true
dscl . -create /Users/$user dsAttrTypeNative:_writers_defaultLanguage "${user}"
dscl . -create /Users/$user dsAttrTypeNative:_writers_LinkedIdentity "${user}"
dscl . -create /Users/$user dsAttrTypeNative:_writers_UserCertificate "${user}"
echo "$user account has been created with the UID of $GuestID."

# Enable guest account to show @ login window
defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool true
echo "$user account is now visible at login window."

# Enable guest account functionality
defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool true
defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool true
echo "$user account is now functional with core OS."

echo ""
echo "$user account setup is now complete."

exit 0

So I've been playing around with the commands in these scripts and I'm actually trying to do the opposite and disable guest login access.
However I cannot seem to get it to work. Im testing by clicking the checkbox in users and groups to "Allow guests to log in to this computer", and then running the commands:

defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool false
defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool false
defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool false

But the checkmark still remains in place after running these. Even after a restart and or logout.

Any suggestions?
Gabe Shackney
Princeton Public Schools

@gshackney You should take a look at a Configuration Profile with a Login Window payload for disabling Guest access.

@sdagley I try to avoid profiles unless absolutely necessary since they can be more temperamental than an actual script to disable security features.

I did actually got the above commands to work. Now I'm looking for an extension attribute to show if guest log in is enabled or disabled.
The current one listed on jamfnation was posted in 2011 and does not function any longer. Looking for a script/extension attribute that will work with 10.12.

Gabe Shackney
Princeton Public Schools

@gshackney While Configuration Profiles can be a pain, especially since the standard payloads may well change much more than you want/need, you can craft a Custom Settings payload that modifies just the setting(s) you want. If you're hoping to create a configuration that'll survive Apple's changes to macOS, you should find Configuration Profiles a more durable approach than a scripted defaults write.

@sdagley Thanks. Again profiles not my preference due to the way they apply and sometimes un apply. I need more concrete commands in this case. Thanks though again for the reply.

Still looking for an extension attribute to scan the machine and report if Guest login is enabled or disabled.

Gabe Shackney
Princeton Public Schools

Can you post what you found from 2011 (or the link to it)?

Sure!
Guest Log in Enabled Extension
Its also listed in the extension attribute templates in the JSS directly as well.
Gabe Shackney
Princeton Public Schools

@gshackney This should give you a good start for what you want. Note that AFS was deprecated somewhere along the line so checking it will fail.

#!/bin/bash

# EA to report GuestAccess status

STATUS="Guest Access Enabled"
GUEST_LOGINWINDOW=$(defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled)
GUEST_AFS=0 # This pref doesn't exist in Sierra $(defaults read /Library/Preferences/com.apple.AppleFileServer guestAccess)
GUEST_SMB=$(defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess)

if [ "$GUEST_LOGINWINDOW" == "0" ] && [ "$GUEST_AFS" == "0" ] && [ "$GUEST_SMB" == "0" ]; then
    STATUS="Guest Access Disabled"
fi

echo "<result>$STATUS</result>"

@gshackney Did that help?

@sdagley Absolutely! Thanks! I'm watching the smart group that shows machines with guest login turned on, go in the downward direction, which is quite good. The new Extension attribute is working as expected. We should probably post this in the extension attributes section so they can update the one built into the JSS web client template and replace the old one.

Gabe Shackney
Princeton Public Schools