Skip account creation + don't create additional local admin

myu
New Contributor III

In some of the Jamf videos I've looked at, it seems that in the past there was a way to NOT create an additional local admin account and still be able to skip account creation.


Now with the latest version, it seems I have to select "Create a local administrator account before the Setup Assistant" first before it will allow me to tick "Skip Account Creation".


We do want to skip account creation but don't want to have to create an additional admin account with a static password across the fleet (even if it's possible to change the password across the fleet remotely en masse in case of a compromise). We do have the Management Account defined in User Initiated Enrollment (with a randomly generated password).

Is there a way of doing this?

The reason for that is we're going to use NoMAD Login AD to create the account.


geoff_widdowson
Contributor II

How exactly is this an additional Admin account? At the prestage there are no admin accounts or any account. You must have at least one admin account created when you first set up the Mac, otherwise no further accounts will ever be able to grant admin rights to another due to no account having the secure token. You can always remove this first admin account later once the admin account you want to use has been created.

myu
New Contributor III

@geoff_widdowson wrote:

How exactly is this an additional Admin account?

Well, the label on the check box does say "Create an ADDITIONAL local administrator account".

@geoff_widdowson wrote:

At the prestage there are no admin accounts or any account. You must have at least one admin account created when you first set up the Mac, otherwise no further accounts will ever be able to grant admin rights to another due to no account having the secure token. You can always remove this first admin account later once the admin account you want to use has been created.


Fair enough on the requirement to have at least one admin account, but maybe I (mis?)understood the requirement for me to fill up the Management Account field under User Initiated Enrollment to be because it is THE primary admin account. If I was to follow your logic that whatever "additional" Admin account I create with that checkbox is not really additional but a requirement, then why is it that I can uncheck it? What admin account exists on the machine if I don't tick that checkbox?

geoff_widdowson
Contributor II

We can blame Jamf for the confusion here. The first part where you

"Create a local administrator account before the Setup Assistant"

This allows you to enter the account details for both account name and password. I've never not used this in pre-stage, so I don't know what happens if you don't use it.

The second part, I think should really just say create ANY additional account (at Setup Assistant). And this account is one that you don't give details in Jamf, as it is part of the Setup Assistant and will prompt for the user to create their own account. You pick if this is STANDARD or ADMIN. This option is needed if you are shipping devices to users, and trust DEP will work out of the box. When you select Skip Account creation, when the device is being set up, whoever is turning it on will have to use the Admin account created in the first part.

myu
New Contributor III

@geoff_widdowson wrote:

We can blame Jamf for the confusion here. The first part where you

"Create a local administrator account before the Setup Assistant"

This allows you to enter the account details for both account name and password. I've never not used this in pre-stage, so I don't know what happens if you don't use it.

If I don't tick that check box, the account created during Setup Assistant becomes the admin.


Right, that makes sense, so it just acts like the default state of any out of the box Mac of making the first account created an admin.

BBB_UMB
New Contributor II

You can send out a policy that creates an admin account on each computer, and then you'll only set up a standard user upon setup.