In this blog post, I will show you the steps to create a local admin account on macOS using Intune. A local admin user on a Mac can manage other users, install applications, and change macOS settings.
To see the local user accounts on a Mac, open Settings > Users & Groups. We will use a shell script to create the local admin account. For demonstration purposes, the account will be called CloudInfraAdmin; change the name in the script to match your requirements.
About Shell script
A shell script is a text file containing a series of UNIX commands. It starts with the characters #! followed by the path of the shell that should execute the script. For instance, #!/bin/sh specifies that the script should be run using the Bourne shell.
On newer macOS versions (Catalina and later) the default shell is Zsh (Z shell); on older versions (Mojave and earlier) the default shell is bash.
Shell Scripts to Create Local Admin Account on Mac
There are two ways to create a local admin account on a Mac: you can use either dscl (Directory Service command line utility) or the sysadminctl command.
Here’s a shell script provided by Microsoft that uses the sysadminctl command: createLocalAdminAccount.sh. You need to make a few changes in the script, such as adminaccountname and adminaccountfullname, and then deploy it using Intune.
There is another shell script, which uses dscl commands, that can also be used to create a local admin account on a Mac. You can download it from my GitHub repository, createLocalAdmin.sh – GitHub. Go through the Readme file and modify the script according to your requirements.
Either of the above shell scripts can be used to create a local admin account on a Mac. For demonstration purposes, I will be using the script stored in my GitHub repo.
Want to create a standard user account instead of Administrator account?
Please note: if you change PrimaryGroup ID to 80 in the shell script, it will create a standard user account instead of an administrator account.
createLocalAdmin.sh
#!/bin/sh
accountname=cloudinfraadmin
password="C0mputer@2020"
# Create the user record and set its attributes
dscl . -create /Users/$accountname
dscl . -create /Users/$accountname UserShell /bin/bash
dscl . -create /Users/$accountname RealName "CloudInfra Admin Account"
dscl . -create /Users/$accountname UniqueID "2001"
dscl . -create /Users/$accountname PrimaryGroupID 20
dscl . -create /Users/$accountname NFSHomeDirectory /Users/$accountname
# Set the password and the password hint
dscl . -passwd /Users/$accountname $password
dscl . -create /Users/$accountname hint "computer"
# Grant admin rights by adding the account to the admin group
dscl . -append /Groups/admin GroupMembership $accountname
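Intune re-runs a deployed shell script on the schedule you set, so the script above is executed again on a device where the account already exists. The following is an added example, not the blog's createLocalAdmin.sh, showing an idempotent variant: it skips creation when the record exists, picks the first free UniqueID instead of a fixed 2001, and adds the admin group membership only once. The account name, real name and the placeholder password are assumptions to replace before deploying.

```shell
#!/bin/sh
# Added example, not the blog's createLocalAdmin.sh: an idempotent variant
# that tolerates Intune's repeating schedule. Account name, real name and
# the placeholder password are assumptions; replace them before deploying.
accountname="cloudinfraadmin"
realname="CloudInfra Admin Account"
password="CHANGE_ME_BEFORE_DEPLOY"
uid_base=2001   # first UniqueID to try, as in the original script

# Print the first UniqueID >= $1 that is not in use. Reads "name uid" lines
# on stdin, the format produced by:  dscl . -list /Users UniqueID
first_free_uid() {
    awk -v base="$1" '
        NF >= 2 { used[$2] = 1 }
        END { uid = base; while (uid in used) uid++; print uid }'
}

# True when the local directory already has a record for this account.
user_exists() {
    dscl . -read "/Users/$1" >/dev/null 2>&1
}

# Create the record only on the first run; later runs leave the existing
# account (and its password) untouched instead of rewriting attributes.
create_account() {
    if user_exists "$accountname"; then
        echo "$accountname already exists; skipping creation"
        return 0
    fi
    uid=$(dscl . -list /Users UniqueID | first_free_uid "$uid_base")
    dscl . -create "/Users/$accountname"
    dscl . -create "/Users/$accountname" UserShell /bin/bash
    dscl . -create "/Users/$accountname" RealName "$realname"
    dscl . -create "/Users/$accountname" UniqueID "$uid"
    dscl . -create "/Users/$accountname" PrimaryGroupID 20   # staff, as in the original
    dscl . -create "/Users/$accountname" NFSHomeDirectory "/Users/$accountname"
    dscl . -passwd "/Users/$accountname" "$password"
}

# Grant admin rights via /Groups/admin membership; checkmember makes this
# a no-op when the user is already a member, so repeated runs add nothing.
ensure_admin() {
    dseditgroup -o checkmember -m "$accountname" admin >/dev/null 2>&1 ||
        dseditgroup -o edit -a "$accountname" -t user admin
}
# dscl only exists on macOS; elsewhere the functions are merely defined.
if command -v dscl >/dev/null 2>&1; then
    create_account && ensure_admin
fi
```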
Deploy createLocalAdmin.sh Shell script
After you have modified the script and updated the admin account name, password, etc., you can deploy it via Intune. Let’s check the steps.
- Sign in to the Intune admin center > Devices > macOS.
- Click on Shell scripts under macOS policies.
- Click on + Add to add the script for deployment.
- Basics: Provide a Name and description of this deployment.
- Script settings: Browse to createLocalAdmin.sh script file.
- Run script as signed-in user: No
- Hide script notifications on devices: Yes
- Script frequency: Every 15 minutes (While currently testing on a test macOS device, I’ve set the script frequency to 15 minutes. Once the test completes successfully, you can change the script frequency to every day or every week).
- Number of times to retry if script fails: 3
- Assignments: Click on Add group to add an Entra security group containing macOS devices.
- Review + add: Review the deployment and click on Create.
Sync Intune Policies
The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync from the device itself or remotely through the Intune admin center.
Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Restarting the device is another way to trigger the Intune device check-in process.
Monitor Deployment Progress
To monitor the script deployment, open the Intune admin center and navigate to Devices > macOS > Shell scripts. Click on a shell script to check its status, then go to the Overview page to view the deployment status. To check the deployment status on a per-device or per-user basis, select Device status or User status under the Monitor section.
End User Experience
Go to Settings > Users & Groups to confirm whether the local admin account has been successfully created. If you can’t find the local admin account, try rebooting your Mac device once and then check again or initiate a manual sync.
As shown in the screenshot below, the local admin account cloudinfraadmin, as defined in the shell script, has been created successfully. Right-click on the account > Advanced Options to check more details about this account.
In the Advanced Options pop-up, you will find the following user properties:
- User: This is the display name of the user.
- UserID: This is the user’s unique identifier, which we have set in the script.
- Group: Default group staff.
- Account Name: User account name.
- Full name: The user’s full name as set in the RealName parameter of dscl command.
- Login shell: This user’s default shell is /bin/bash. You can click on the dropdown menu next to it and choose from options such as /bin/tcsh, /bin/sh, /bin/csh, /bin/zsh, or /bin/ksh.
- Home directory: This is the NFSHomeDirectory parameter configured in the script. As shown in the screenshot below, it is automatically configured to /users/cloudinfraadmin, which is based on the account name.
- Password hint: We also configured a password hint in the shell script. The screenshot below confirms that the password hint has been set for this user.
macOS Intune deployment troubleshooting
If you encounter problems deploying the script, check the IntuneMDMDaemon*.log and IntuneMDMAgent*.log files for more information. For guidance on locating these files on a macOS device, refer to my previous blog post titled How To Collect Intune Logs From a MacOS Device.
FAQs
Find the Home Directory of the Local Admin Account
To locate the Home directory path of a local admin user, navigate to Settings > Users & Groups. Right-click on the user, select Advanced Options, and check the Home directory location value.
Once you have obtained the Home directory path of the user, you can proceed to access the user’s home directory by following these steps.
- Finder > Go > Go to Folder…
- Type the path /users/cloudinfraadmin.
- Double-click on the searched path to open the home directory.
- As shown in the screenshot below, the home directory has been created with the default folders. Note that the home directory is generated when the user first signs in on this Mac device. You will find the following folders under the user’s home directory:
- Desktop
- Documents
- Downloads
- Movies
- Music
- Pictures
- Public
Hide a Local Admin User on the Mac Login Screen
If you wish to prevent the account from appearing on the Mac login screen, add the following line to the shell script and deploy it to create a hidden user account.
dscl . -create /Users/$accountname IsHidden 1
Show Hidden Users using macOS Terminal
When you hide a user account on macOS, it won’t appear on the Mac Login Window or in Settings > Users & Groups. To locate the hidden user, you can use the Directory Service cache utility, dscacheutil.
I’ve created a hidden user account named cloudinfraadmin1. To search for it using the Mac terminal, use the command: dscacheutil -q user -a name cloudinfraadmin1. Replace cloudinfraadmin1 with the hidden username you intend to search for.
Conclusion
In this blog post, we’ve learned to create a local administrator account on a Mac device using Intune. It’s important to note that changing the PrimaryGroup ID to 80 in the shell script will create a standard user account instead of an administrator account.
Hi!
macOS Intune – Beginner here 🙂
I already have a script running through Intune for creating a local admin account.
I would like to add the enterprise logo as profile picture.
– where do I have to store that picture?
– does that picture have to be copied separately or do I have to make an Intune package including script + picture?
Thank You for the help!
You will need to copy the profile picture somewhere on the device and provide that location in the dscl command to apply the profile picture.
– Store it in Azure blob or a secure storage which is accessible from mac device.
– Use a command something like: cd ~/library/desktop; curl -O https://azureblogstoragepublicURL/profilepic.jpg
– Provide the location in the dscl command to point it to this profile picture for the user. For example: dscl . -create /Users/$accountname picture "~/library/desktop/profilepic.jpg"
You don’t need to keep the profile picture in external storage after it has been downloaded on the Mac; you can delete it.
Is it a good idea to have a password here in clear text? Any safer way possible?
Hello.
I’m also wondering if there is a better way of handling the password than it being displayed in plain text? Or even to auto-generate a password so it’s unique for each device, but then how to have this saved for IT usage (i.e. LAPS)?
Lastly, wondering about limitations of creating a user account via script when Filevault is enabled?
I’m getting an error with Intune: passwd: DS error: eDSAuthPasswordQualityCheckFailed.
The password I set is 15 characters long and contains:
- Lowercase
- Uppercase
- Numbers
- Randomized symbols (!#$)
What can trigger this error?
I’m getting the same error as Gilli.
Most likely you have 2 or more consecutive identical characters.
Hello, nice one. We already have this in place but now comes the pro-situation:
How to change the admin password from time to time without running show administration on every machine?