Create Administrative Account on MacOS at first boot with DEP?

SOLVED
rguthrie
Getting noticed

Create Administrative Account on MacOS at first boot with DEP?

Hello Community,

How do you create admin accounts on your DEP / supervised macOS devices at first boot?

 

Currently, with the Device Enrollment Program, we are able to initially authenticate our users and when they first boot they see the device is managed and they are able to create their normal user account... but I have not come across a good solution for creating a Managed Administrative Account at the point of first boot / enrollment.  

 

As I understand it, this is something that should go hand-in-hand with DEP, but I haven't ran across how to do this with Meraki. Does anyone out there have a solution for this?

 

note: we are nearly 100% remote workforce. We do not share an office or network. 

1 ACCEPTED SOLUTION
sshort
Building a reputation

@jared_f @rguthrie Welcome to Meraki + macOS High Sierra, lol

 

It took me about a month to come up with a solution, however I am in office so I realize this may not work for your remote team. Long story short: you're going to want to read up on a new security feature called secureToken. Apple does supports & provides MDM frameworks so that a vendor (like Meraki) can push user accounts to a Mac, however Meraki does not support this.

 

https://derflounder.wordpress.com/2018/01/20/secure-token-and-filevault-on-apple-file-system/

 

secureToken ensures that users are "known-good" and not maliciously created in an automated fashion, so they are able to access a FileVault encrypted disk. Past methods of creating a custom .pkg to create a user account will technically continue to work by creating the user account, but you will not be able to enable FileVault access for that account b/c it was created in an automated fashion outside of MDM. 

 

This is my current workflow:

 

1. An admin (or the user) goes through the normal macOS Setup Assistant to create their user. macOS issues this account a secureToken so that it can enable FileVault encryption

2. Meraki pushes a profile that enables a login item, so that on future reboots a script is run to create an additional admin account

3. I install a custom .pkg app using Systems Manager that doesn't create a user account, it just places a script (that will later create the account) in the file location that matches the file path of the login item in the profile you previously pushed

4. Reboot the Mac

5. The script is launched due to the login item, and the admin can then interact with the script to create the user account using the sysadminctl command

 

Unfortunately, until Meraki supports the MDM creation of user accounts the only 3 methods of gaining a user account with a secureToken are:

 

1. creating an account from the normal macOS Setup Assistant

2. manually creating an account from System Preferences

3. an interactive script in which the admin must enter credentials using the sysadminctl command

View solution in original post

4 REPLIES 4
jared_f
Kind of a big deal

You could use Create User PKG and make a local admin account. Then push that via Meraki to computers in scope. 

Find this helpful? Click the kudos button. Thanks!
sshort
Building a reputation

@jared_f @rguthrie Welcome to Meraki + macOS High Sierra, lol

 

It took me about a month to come up with a solution, however I am in office so I realize this may not work for your remote team. Long story short: you're going to want to read up on a new security feature called secureToken. Apple does supports & provides MDM frameworks so that a vendor (like Meraki) can push user accounts to a Mac, however Meraki does not support this.

 

https://derflounder.wordpress.com/2018/01/20/secure-token-and-filevault-on-apple-file-system/

 

secureToken ensures that users are "known-good" and not maliciously created in an automated fashion, so they are able to access a FileVault encrypted disk. Past methods of creating a custom .pkg to create a user account will technically continue to work by creating the user account, but you will not be able to enable FileVault access for that account b/c it was created in an automated fashion outside of MDM. 

 

This is my current workflow:

 

1. An admin (or the user) goes through the normal macOS Setup Assistant to create their user. macOS issues this account a secureToken so that it can enable FileVault encryption

2. Meraki pushes a profile that enables a login item, so that on future reboots a script is run to create an additional admin account

3. I install a custom .pkg app using Systems Manager that doesn't create a user account, it just places a script (that will later create the account) in the file location that matches the file path of the login item in the profile you previously pushed

4. Reboot the Mac

5. The script is launched due to the login item, and the admin can then interact with the script to create the user account using the sysadminctl command

 

Unfortunately, until Meraki supports the MDM creation of user accounts the only 3 methods of gaining a user account with a secureToken are:

 

1. creating an account from the normal macOS Setup Assistant

2. manually creating an account from System Preferences

3. an interactive script in which the admin must enter credentials using the sysadminctl command

Thank you for this amazing response sshort.

I recently learned about secureToken and I was hoping that I had missed something in Meraki about making those admin accounts. 

Thanks jared_f. This gets us partway there 🙂
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels