Posted on 02-14-2014 01:15 PM
Hello, I've been asked to push a script to select Macs that causes them to automatically login to the guest account.
I've got a working script (below) to write to the necessary keys. However I've run into a really weird case where System Preferences shows the guest account is enabled and selected for auto login, however when I reboot I land at the login screen. I'm testing on a MacBook Air 13" that I internet recover between tests.
Any Ideas?
printf "$appName $(date): Enabling guest account...\n"
sudo defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool true
sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool true
printf "$appName $(date): Done.\n"
printf "$appName $(date): Setting Guest account to auto-login\n"
defaults write "/Library/Preferences/com.apple.loginwindow" GuestEnabled -bool true
defaults write "/Library/Preferences/com.apple.loginwindow" autoLoginUser "Guest"
chmod 644 "/Library/Preferences/com.apple.loginwindow.plist"
printf "$appName $(date): Done.\n"
Posted on 06-10-2014 12:32 AM
We use "Guest Accounts" with our Library computers. We just send out a script to activate "Guest" and set login screen to just show Guest user. We don't want autologin because every user should get a fresh Guest account to work with. For which reason will you need the guest Account?
The script we use to enable "Guest":
#!/bin/bash
#Create Guest Account in the DS Local Node
dscl . -create /Users/Guest
dscl . -create /Users/Guest dsAttrTypeNative:_defaultLanguage en
dscl . -create /Users/Guest dsAttrTypeNative:_guest true
dscl . -create /Users/Guest dsAttrTypeNative:_writers_defaultLanguage Guest
dscl . -create /Users/Guest dsAttrTypeNative:_writers_LinkedIdentity Guest
dscl . -create /Users/Guest dsAttrTypeNative:_writers_UserCertificate Guest
dscl . -create /Users/Guest AuthenticationHint ''
dscl . -create /Users/Guest NFSHomeDirectory /Users/Guest
dscl . -passwd /Users/Guest ''
dscl . -create /Users/Guest Picture "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/UserIcon.icns"
dscl . -create /Users/Guest PrimaryGroupID 201
dscl . -create /Users/Guest RealName "Guest User"
dscl . -create /Users/Guest RecordName Guest
dscl . -create /Users/Guest UniqueID 201
dscl . -create /Users/Guest UserShell /bin/bash
#Create Keychain item for Guest
security add-generic-password -a Guest -s com.apple.loginwindow.guest-account -D "application password" /Library/Keychains/System.keychain
#Enable Guest Account
defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool TRUE
As well, you will need to make guest able to log in:
#!/bin/bash
defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool true
defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool true
Hope that helps a little bit.
Cheers!
Posted on 02-14-2014 02:16 PM
Do you have MCX/config profile that sets the username/password login box? That may be interfering.
Posted on 02-14-2014 02:56 PM
I have MDM profiles in production that enforce username/password and disable the guest account. The end goal is to push this script to a group of systems that I've removed MDM from, however my lab system does not have any MDM/MCX. In fact my lab system has not been hooked to Casper or AD.
Posted on 06-09-2014 04:18 PM
Have you made any progress on this? I would be grateful if you might be able to share your eventual solution.
Posted on 06-14-2014 11:10 PM
This is for non-bound laptops being used by primary school children - your solution would be just fine, perhaps I am automating too much.
If it matters, Rich Trouton (as always) has a unique solution I've considered as it gets around some interesting issues:
http://derflounder.wordpress.com/2013/12/29/creating-custom-guest-users-on-os-x/
Posted on 03-03-2015 06:55 AM
Creating the Guest User works fine. But now I'm having trouble with the keychain on my Guest User Account when I open up Safari. It says that the password has changed and I need to set a new password for keychain.
It works when I remove the following line: security add-generic-password -a Guest -s com.apple.loginwindow.guest-account -D "application password" /Library/Keychains/System.keychain
But then I need to login with password on my Guest User Account. When I hit Enter (no Password) it logs in.
Posted on 03-26-2015 10:03 AM
The solution I finally settled on combines the one fabsen83 mentioned and the one posted here: https://derflounder.wordpress.com/2013/12/29/creating-custom-guest-users-on-os-x/
It works well, however for 10.10, I'm having a keychain issue. For some reason a keychain is not being created for the new guest user, which causes Safari to complain. This happens each time the guest user logs in since the account folder deletes itself on logout.
Posted on 01-07-2016 04:02 PM
We got around the keychain issue by... not creating a keychain for the account and allowing it to create itself. It's a guest account anyway it'll only get blown away anyhoo. This, of course, means that the guest account might not be able to auto-login but that's something we can live with. Code follows:
#!/bin/sh
# this script creates a guest account, ensures that it's visible at the login window and functional in all other ways.
# ensure that you've modified the english.lproj template folder to make the account look & feel as you prefer.
# ---------------------------------------------------------
# Set all Variables
# ---------------------------------------------------------
#----- Standards
SCRIPTNAME=$0
Result=$?
#----- Verbose error checking during execution
set -u
#----- Guest Account Variables
user=guest
GuestID="600"
#--- Set Logging
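Log="/Library/Logs/YourCompany/"
if [ ! -d "${Log}" ];
then
mkdir -p "${Log}"
chown root:wheel "${Log}"
# 755 rather than 777: root appends to this log, so only root should be able to write to the directory
chmod 755 "${Log}"
fi
exec >> "${Log}"/com.YourCompany.CreateGuestAccount.log 2>&1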
#----------------------------------------------------------
# Timestamp
#----------------------------------------------------------
echo " "
echo "###################################"
echo "##### `date "+%A %m/%d/%Y %H:%M"`"
echo "###################################"
echo " "
#----------------------------------------------------------
# Script
#----------------------------------------------------------
# create guest account core attributes
dscl . -create /Users/$user
dscl . -create /Users/$user realname "${user}"
dscl . -create /Users/$user RecordName "${user}"
dscl . -create /Users/$user NFSHomeDirectory /Users/$user
dscl . -passwd /Users/$user ''
sleep 2
dscl . -create /Users/$user AuthenticationHint ''
dscl . -create /Users/$user UniqueID "${GuestID}"
dscl . -create /Users/$user PrimaryGroupID "${GuestID}"
dscl . -create /Users/$user shell /bin/bash
dscl . -create /Users/$user dsAttrTypeNative:_defaultLanguage en
dscl . -create /Users/$user dsAttrTypeNative:_guest true
dscl . -create /Users/$user dsAttrTypeNative:_writers_defaultLanguage "${user}"
dscl . -create /Users/$user dsAttrTypeNative:_writers_LinkedIdentity "${user}"
dscl . -create /Users/$user dsAttrTypeNative:_writers_UserCertificate "${user}"
echo "$user account has been created with the UID of $GuestID."
# Enable guest account to show @ login window
defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool true
echo "$user account is now visible at login window."
# Enable guest account functionality
defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool true
defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool true
echo "$user account is now functional with core OS."
echo ""
echo "$user account setup is now complete."
exit 0
Posted on 08-10-2016 09:41 PM
There's a nifty solution to this that I found at the following blog: http://osxadmin.blogspot.com/2016/06/creating-custom-guest-users-on-os-x.html
You must create a password (any password) for the Guest account at the dscl . -passwd spot and then make the keychain accessible by all processes (-A) and account for password (-w).
The following would be the complete script, copied from fulm's post:
#!/bin/bash
#Create Guest Account in the DS Local Node
dscl . -create /Users/Guest
dscl . -create /Users/Guest dsAttrTypeNative:_defaultLanguage en
dscl . -create /Users/Guest dsAttrTypeNative:_guest true
dscl . -create /Users/Guest dsAttrTypeNative:_writers_defaultLanguage Guest
dscl . -create /Users/Guest dsAttrTypeNative:_writers_LinkedIdentity Guest
dscl . -create /Users/Guest dsAttrTypeNative:_writers_UserCertificate Guest
dscl . -create /Users/Guest AuthenticationHint ''
dscl . -create /Users/Guest NFSHomeDirectory /Users/Guest
dscl . -passwd /Users/Guest 'Guest'
dscl . -create /Users/Guest Picture "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/UserIcon.icns"
dscl . -create /Users/Guest PrimaryGroupID 201
dscl . -create /Users/Guest RealName "Guest User"
dscl . -create /Users/Guest RecordName Guest
dscl . -create /Users/Guest UniqueID 201
dscl . -create /Users/Guest UserShell /bin/bash
#Create Keychain item for Guest
security add-generic-password -a Guest -s com.apple.loginwindow.guest-account -A -w "Guest" -D "application password" /Library/Keychains/System.keychain
#Enable Guest Account
defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool TRUE
Just make sure the two passwords match, and I think you need to make sure the password conforms with any PW requirements imposed.
Posted on 12-07-2016 02:40 PM
So I've tried the scripts here listed in this post, but I'm having an issue where the keychain is still popping up every time we log into the guest account.
Here is the script we're currently using. Are there any modifications we can do to get the script to work without prompting the keychain issue every time the guest account logs in?
#!/bin/sh
# this script creates a guest account, ensures that it's visible at the login window and functional in all other ways.
# ensure that you've modified the english.lproj template folder to make the account look & feel as you prefer.
# ---------------------------------------------------------
# Set all Variables
# ---------------------------------------------------------
#----- Standards
SCRIPTNAME=$0
Result=$?
#----- Verbose error checking during execution
set -u
#----- Guest Account Variables
user=guest
GuestID="600"
#--- Set Logging
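Log="/Library/Logs/YourCompany/"
if [ ! -d "${Log}" ];
then
mkdir -p "${Log}"
chown root:wheel "${Log}"
# 755 rather than 777: root appends to this log, so only root should be able to write to the directory
chmod 755 "${Log}"
fi
exec >> "${Log}"/com.YourCompany.CreateGuestAccount.log 2>&1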
#----------------------------------------------------------
# Timestamp
#----------------------------------------------------------
echo " "
echo "###################################"
echo "##### `date "+%A %m/%d/%Y %H:%M"`"
echo "###################################"
echo " "
#----------------------------------------------------------
# Script
#----------------------------------------------------------
# create guest account core attributes
dscl . -create /Users/$user
dscl . -create /Users/$user realname "${user}"
dscl . -create /Users/$user RecordName "${user}"
dscl . -create /Users/$user NFSHomeDirectory /Users/$user
dscl . -passwd /Users/$user ''
sleep 2
dscl . -create /Users/$user AuthenticationHint ''
dscl . -create /Users/$user UniqueID "${GuestID}"
dscl . -create /Users/$user PrimaryGroupID "${GuestID}"
dscl . -create /Users/$user shell /bin/bash
dscl . -create /Users/$user dsAttrTypeNative:_defaultLanguage en
dscl . -create /Users/$user dsAttrTypeNative:_guest true
dscl . -create /Users/$user dsAttrTypeNative:_writers_defaultLanguage "${user}"
dscl . -create /Users/$user dsAttrTypeNative:_writers_LinkedIdentity "${user}"
dscl . -create /Users/$user dsAttrTypeNative:_writers_UserCertificate "${user}"
echo "$user account has been created with the UID of $GuestID."
# Enable guest account to show @ login window
defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool true
echo "$user account is now visible at login window."
# Enable guest account functionality
defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool true
defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool true
echo "$user account is now functional with core OS."
echo ""
echo "$user account setup is now complete."
exit 0
Posted on 05-14-2018 12:26 PM
So I've been playing around with the commands in these scripts and I'm actually trying to do the opposite and disable guest login access.
However I cannot seem to get it to work. I'm testing by clicking the checkbox in users and groups to "Allow guests to log in to this computer", and then running the commands:
defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool false
defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool false
defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool false
But the checkmark still remains in place after running these. Even after a restart and/or logout.
Any suggestions?
Gabe Shackney
Princeton Public Schools
Posted on 05-14-2018 12:38 PM
@gshackney You should take a look at a Configuration Profile with a Login Window payload for disabling Guest access.
Posted on 05-14-2018 12:53 PM
@sdagley I try to avoid profiles unless absolutely necessary since they can be more temperamental than an actual script to disable security features.
I did actually get the above commands to work. Now I'm looking for an extension attribute to show if guest log in is enabled or disabled.
The current one listed on jamfnation was posted in 2011 and does not function any longer. Looking for a script/extension attribute that will work with 10.12.
Gabe Shackney
Princeton Public Schools
Posted on 05-14-2018 01:05 PM
@gshackney While Configuration Profiles can be a pain, especially since the standard payloads may well change much more than you want/need, you can craft a Custom Settings payload that modifies just the setting(s) you want. If you're hoping to create a configuration that'll survive Apple's changes to macOS, you should find Configuration Profiles a more durable approach than a scripted defaults write.
Posted on 05-14-2018 01:09 PM
@sdagley Thanks. Again profiles not my preference due to the way they apply and sometimes unapply. I need more concrete commands in this case. Thanks though again for the reply.
Still looking for an extension attribute to scan the machine and report if Guest login is enabled or disabled.
Gabe Shackney
Princeton Public Schools
Posted on 05-14-2018 01:10 PM
Can you post what you found from 2011 (or the link to it)?
Posted on 05-14-2018 01:22 PM
Sure!
Guest Log in Enabled Extension
It's also listed in the extension attribute templates in the JSS directly as well.
Gabe Shackney
Princeton Public Schools
Posted on 05-14-2018 01:56 PM
@gshackney This should give you a good start for what you want. Note that AFS was deprecated somewhere along the line so checking it will fail.
#!/bin/bash
# EA to report GuestAccess status
STATUS="Guest Access Enabled"
GUEST_LOGINWINDOW=$(defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled)
GUEST_AFS=0 # This pref doesn't exist in Sierra $(defaults read /Library/Preferences/com.apple.AppleFileServer guestAccess)
GUEST_SMB=$(defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess)
if [ "$GUEST_LOGINWINDOW" == "0" ] && [ "$GUEST_AFS" == "0" ] && [ "$GUEST_SMB" == "0" ]; then
STATUS="Guest Access Disabled"
fi
echo "<result>$STATUS</result>"
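An added example, not part of the post above or of Jamf's templates: a variant of that extension attribute that keeps "explicitly off" apart from "key not set", since `defaults read` prints nothing for a missing key (as with the AFP preference on Sierra) and the script above would then report guest access as enabled. The helper names and result strings are this example's own choices; the preference domains and keys are the ones used in this thread.

```shell
#!/bin/bash
# Added example: guest-access extension attribute that separates "off" from
# "key not set". Helper names and result strings are this example's own.

# Raw value of a preference key; empty if the key, domain or tool is missing.
read_pref() {
    defaults read "$1" "$2" 2>/dev/null || true
}

# Map a raw value to on / off / unset. Booleans read back as 1 or 0; the
# string forms are accepted in case a key was written without -bool.
normalize() {
    case "$1" in
        1|true|TRUE|YES) echo "on" ;;
        0|false|FALSE|NO) echo "off" ;;
        *) echo "unset" ;;
    esac
}

# Build the result text from the raw login window, AFP and SMB values.
guest_status() {
    local pair name state on="" missing=""
    for pair in "login:$1" "afp:$2" "smb:$3"; do
        name=${pair%%:*}
        state=$(normalize "${pair#*:}")
        if [ "$state" = "on" ]; then on="$on $name"; fi
        if [ "$state" = "unset" ]; then missing="$missing $name"; fi
    done
    if [ -n "$on" ]; then
        echo "Guest Access Enabled:$on"
    elif [ "$missing" = " login afp smb" ]; then
        echo "Guest Access Unknown (no keys set)"
    elif [ -n "$missing" ]; then
        echo "Guest Access Disabled (unset:$missing)"
    else
        echo "Guest Access Disabled"
    fi
}

LW=$(read_pref /Library/Preferences/com.apple.loginwindow GuestEnabled)
AFP=$(read_pref /Library/Preferences/com.apple.AppleFileServer guestAccess)
SMB=$(read_pref /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess)
echo "<result>$(guest_status "$LW" "$AFP" "$SMB")</result>"
```

A smart group can match on "Guest Access Enabled" to catch any of the three settings, and on "Unknown" to find machines where none of the keys has ever been written.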
Posted on 05-16-2018 11:48 AM
@gshackney Did that help?
Posted on 05-16-2018 11:51 AM
@sdagley Absolutely! Thanks! I'm watching the smart group that shows machines with guest login turned on, go in the downward direction, which is quite good. The new Extension attribute is working as expected. We should probably post this in the extension attributes section so they can update the one built into the JSS web client template and replace the old one.
Gabe Shackney
Princeton Public Schools