Disclaimer: This blog (and this post especially) is not intended to be advice on how to manage your environment. As the name suggests, these accounts are based on experiences I've had in my own lab. Always approach information you find outside (or inside, for that matter) official documentation with skepticism and follow the golden rule: never test in production.

In one of my previous posts, I discussed Intune for MacOS and How It's Different, where I highlighted that, unlike other MDM providers, Intune does not create a managed admin account on MacOS. Without leveraging a third-party utility like JumpCloud or NoMAD (now Jamf Connect), synchronizing passwords on MacOS with a centralized identity provider has always been a pain point, let alone leveraging a rotating local admin password similar to LAPS.

In this post, I'm going to borrow a topic Michael Niehaus wrote for Windows (You can use Intune to create a local admin account, but that doesn't mean it's a good idea) and show you how we can do the same for MacOS and demote all other accounts to Standard users at the same time. Before I do, however, I'm going to clearly restate what Mr. Niehaus has devoted a sizable chunk of his post to say: just because you can, doesn't mean you should. Having an account on every device with the same credentials is all-around bad practice. Not being able to rotate the password behind the scenes, where only authorized personnel can retrieve it, is even worse. My intention here is to highlight that it's possible and demonstrate a few system mechanics of MacOS in the process. Please use the correct tools for the job any time security is at stake.

WARNING: THIS POST INVOLVES PASSWORDS IN CLEAR TEXT AND IS NOT RECOMMENDED FOR USE IN A PRODUCTION ENVIRONMENT!

Creating an Admin Account

Creating an account with a script in MacOS is actually fairly simple. The bulk of the work is simply creating directories and setting required attributes. We will use the Directory Service Command Line utility (dscl) for each of these; more information on the available arguments can be found HERE.

2) Set the user's default shell. Newer versions of MacOS use zsh, but you could use bash as well.

```sh
dscl . create /Users/$username UserShell /bin/zsh
```

```sh
dscl . create /Users/$username RealName $username
```

4) Set the Unique user ID number. These will start with 501 for the first user on MacOS and increment upwards. Be careful not to use a number that may already exist. In this case, I'll use 510 as it is unlikely most machines have 9 users already.

```sh
dscl . create /Users/$username UniqueID "510"
```

5) Set the user's primary group ID. This usually matches their Unique User ID, but in this case, we are adding them to the local admin group which is 20.

```sh
dscl . create /Users/$username PrimaryGroupID 20
```

```sh
dscl . create /Users/$username NFSHomeDirectory /Users/$username
```

```sh
dscl . passwd /Users/$username $password
```

8) Lastly (and optionally), we can add the user to any additional groups. If you set the PrimaryGroupID to match the UniqueID, you can add the user to admins here.

```sh
dscl . append /Groups/admin GroupMembership $username
```

The final script will look something like this:

```sh
#!/bin/zsh
dscl . create /Users/$username UserShell /bin/bash
dscl . create /Users/$username RealName $username
dscl . create /Users/$username UniqueID "510"
dscl . create /Users/$username PrimaryGroupID 20
dscl . create /Users/$username NFSHomeDirectory /Users/$username
dscl . passwd /Users/$username $password
dscl . append /Groups/admin GroupMembership $username
```

Demoting All Other Users

Yet Another Disclaimer: The very brief experiments I have done in my lab seemed OK, and I did not notice any degradation in my ability to deploy applications or policies with Intune. However, since I have not forced myself to use a machine extensively like this, I don't know what hidden consequences there might be. Proceed at your own peril.

First, we need to understand what user accounts MacOS has built-in and what they do. There are several dozen hidden accounts on MacOS, but three are visibly located under the /Users folder, and it will be important to avoid making changes to them.

Root – This is a god-tier account that is disabled for direct login by default. Intune will elevate to this account when it leverages its Intune Management Extension to run scripts and packages.

Nobody – Used to run system processes and restrict access to things that don't need any special permissions.

Daemon – This user owns and runs system processes that typically run outside of the user session. It's usually reserved for services that, if they become compromised, will do minimal damage to the rest of the system.

All the other non-user accounts should be preceded with an underscore (_) to mark them as hidden. We can create an array by getting a list of them using dscl and piping in grep to filter them and any other accounts out.
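The following is an added example script of mine, not the post's own script and not anything Intune ships. It covers two points from the post: the warning in step 4 about reusing a UniqueID that already exists, and the demotion step, which filters a `dscl . -list /Users` listing down to ordinary accounts (dropping root, nobody, daemon, the hidden `_` accounts and the managed admin) and removes each remaining account from /Groups/admin, the inverse of the post's step 8 append. The names `KEEP_ADMIN`, `filter_demotable_users`, `uid_is_free`, `demote_users`, the placeholder admin name `localadmin`, and the default-to-dry-run behaviour are my choices; one caveat a practitioner should know is that admin rights on macOS come from membership of /Groups/admin rather than from PrimaryGroupID (GID 20 is the staff group), so the step 8 append is what actually grants them.

```shell
#!/bin/sh
# Added example, not the post's script. Runs under sh, bash or zsh on macOS.
# The filtering functions read the dscl listing on stdin so they can be tried
# anywhere, and nothing is changed unless DRY_RUN=0 is set explicitly.

KEEP_ADMIN="${KEEP_ADMIN:-localadmin}"  # placeholder name of the managed admin
DRY_RUN="${DRY_RUN:-1}"                 # 1 = report only, 0 = demote for real

# Keep only ordinary user accounts from a "dscl . -list /Users" listing:
# drop root, nobody and daemon, every hidden "_" account, and the admin we keep.
filter_demotable_users() {
    grep -v '^_' | grep -v -x -e root -e nobody -e daemon -e "$KEEP_ADMIN"
}

# Succeeds when UID $1 appears nowhere in a "dscl . -list /Users UniqueID"
# listing (columns: name, uid) read from stdin; fails if an account has it.
uid_is_free() {
    ! awk -v want="$1" '$2 == want { found = 1 } END { exit found ? 0 : 1 }'
}

# Remove each account named on stdin from the admin group, which turns it into
# a Standard user. This is the inverse of the post's "dscl . append" step.
demote_users() {
    while IFS= read -r user; do
        [ -n "$user" ] || continue
        if [ "$DRY_RUN" = "1" ]; then
            echo "would demote: $user"
        else
            dscl . -delete /Groups/admin GroupMembership "$user"
        fi
    done
}

# Only talk to Directory Services when dscl exists, i.e. on a Mac.
if command -v dscl >/dev/null 2>&1; then
    # Check the post's chosen UniqueID (510) before a create step would use it.
    if dscl . -list /Users UniqueID | uid_is_free 510; then
        echo "UniqueID 510 is free"
    else
        echo "UniqueID 510 is already taken; pick another" >&2
        exit 1
    fi
    dscl . -list /Users | filter_demotable_users | demote_users
fi
```

Run it once with the default DRY_RUN=1 to review the list it would demote, then with DRY_RUN=0 to apply the change.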