Jamf Nation Community

ahopkins · ‎08-24-2014

I built an image for staff computers. We updated all our student computers to Mavericks, I wanted to build a staff image as well. I know I can do target mode imaging, and in the advance tab: "Show the OSX Setup Assistant after Restart"

Question: The image still has the admin user that I used to create the first image. Is there a way I can hide that from staff? I just want their user to to show up when they start up the computer.

adamcodega · ‎08-24-2014

You could look into ways of hiding the admin user created during imaging, but I create my images using AutoDMG. (Nice writeup here) You can drag and drop PKGs to install along with OS X (Printer drivers, other scripts, etc) and AutoDMG will also download all updates before it creates the image. Using this utility you also don't need to create an image by physically installing OS X onto a computer and then imaging it.

Unless you use CreateUserPkg or create a user in Casper Imaging, there won't be a user on the machine when you image it. When I image a computer the local user is created through Casper Imaging, when the computer is enrolled in JSS it also gets the hidden management user.

pcamdm1 · ‎08-24-2014

I make my images with AutoDMG as well and image with Deploy Studio (it's a bit more granular in functionality for what we do) I install the quick add package built using Casper Recon to install at first boot. It automatically creates and hides the admin account as well as ensures SSH is enabled.

ahopkins · ‎08-24-2014

I have not heard of this program, What i've done is just set up an image as to how I want it to look, run, etc. Then use Casper Composer and capture the image. That has worked so far, the teacher's image is really the same as the students, its just set up differently as to the log in.

I was hoping for a script or something in Casper I could just used to do this.

pcamdm1 · ‎08-24-2014

If you use Casper Image, then the settings to do what you wish are there as well.

Note: AutoDMG allows you to make a modular image directly from an OS X installer. It is much, much faster.

ahopkins · ‎08-24-2014

I have to look into that. We refreshed 420 macbooks and 160 new Macbooks, plus anther 35 iMacs yet to come. So far we have only used Casper Image.

So would I image from a couple of stations like I did in Casper?

calumhunter · ‎08-24-2014

do look at using autodmg, never booted disk images are the way to go. it will make changes to your workflow much much faster and less error prone.

to make the setup assistant appear you can just delete the apple setup done file

rm /var/db/.AppleSetupDone

to remove the admin account you have created

sudo /usr/bin/dscl . -delete "/Users/username"

and

rm -rf /Users/username

where username is the name of your admin account
that should get you somewhere to what your after.

But strongly recommend using AutoDMG modular workflows. - Check out the PSU mac admins conferences videos and the MacSysAdmin conference videos

stevewood · ‎08-25-2014

@ahopkins I don't believe your actual question has been fully answered yet:

Question: The image still has the admin user that I used to create the first image. Is there a way I can hide that from staff? I just want their user to to show up when they start up the computer.

If you want to remove the admin user from the system, then definitely follow what @calumhunter wrote in the post above and that will get rid of the admin user. However, if you want to simply leave the user on the system and hide them from the login window, you can do that by simply using the following:

defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array-add YOURADMINUSER

That will hide the admin user from the loginwindow, but will NOT hide them from the Users preference pane. To do that the user's UID will need to be below 500. You can either change the UID of the admin user, or you can delete the account and re-create using the jamf verb to do so.

Change UID:

dscl . change /Users/<YOURADMINUSER> UniqueID <CURRENTID> <SUB499ID>
chown -R <YOURADMINUSER>:staff <ADMINUSERHOMEFOLDER>

CAUTION: you will need to make sure that there are no users at the sub-499 ID you change the admin user to. To get a list of users and their ID, you can use this command:

dscl . list /Users UniqueID

However, there is a better way to handle this. Use the jamf verb to delete the current admin user account and re-create as a hidden user:

jamf deleteAccount -username <YOURADMINACCOUNT> -deleteHomeDirectory
jamf createAccount -username <YOURADMINACCOUNT> -realname <REALNAME> -password <PASSWORD> -home <HOMELOCATION> -admin -hiddenUser

If you are concerned about passing the password in the script, you can do this as a $4 variable in the JSS, or you can pass a password hash instead using the -passhash flag. You can get all of the options for the jamf verb using:

jamf help createAccount

As an example, if I was going to pass the password for a new admin user (named admin) as $4 from a policy in the JSS, my command might look like this:

jamf createAccount -username admin -realname Admin -password $4 -home /private/var/admin -admin -hiddenUser

Hope that helps answer your question some more.

ahopkins · ‎08-26-2014

Thanks! that answers a lot... and shows how much more I have to learn!

ahopkins · ‎08-28-2014

GOT IT TO WORK!

Made a script with 2 lines of code, and it did the trick! (THANK YOU JAMF SUPPORT!)

Had to check what the UniqueID of the admin user was in terminal: sudo dscl . -list /Users UniqueID

Mine was 501, so in the JSS I placed these two lines of terminal commands:

script:

dscl . -change /Users/<username> UniqueID 501 400 (This changes the UniqueID to 400)
defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool YES (This will hide that account)

So I placed that in a policy, and it worked! Staff computers do not have an admin user visible, and I used the "Other" log in to log in as an admin. So cool!

Jamf Nation Community

Showing the OS X Setup Assistant after restart