Create a Local admin account on macOS using Intune

A local administrator account on a macOS device can manage other users, install applications, and change macOS settings.

I recently discussed creating a local admin on Windows devices using Intune. I also covered an alternative method involving using Intune device remediations to create a local admin account on Windows. This is an essential requirement for configuring Windows LAPS.

In this blog post, we will learn about creating a local admin account on macOS devices. On a Mac, you can locate standard and administrator user accounts by navigating to Settings > Users & Groups. A standard user account will be labeled Standard next to its name, while the Admin label distinguishes an Administrator account. It’s important to note that the Guest user account is typically disabled by default.

For example, we will create a local admin account called CloudInfraAdmin; you can use any account name you prefer.

Creating a local admin account CloudInfraAdmin on a macOS device using Intune
End goal: Create a local admin account called CloudInfraAdmin on a macOS device using Intune

To create the account called cloudInfraAdmin on macOS, we will deploy a shell script to the target devices that sets up this account.

A shell script is a text file containing a series of UNIX commands. It starts with the character #! followed by a reference to the shell with which the script should be executed. For instance, #!/bin/sh specifies that the script should be run using the Bourne shell.

For newer macOS versions (Catalina and later), the default shell is zsh (Z shell); for older versions (Mojave and earlier), the default shell is bash.

I will use the Directory Service command-line utility (dscl) to create the local admin account on the macOS device. The script code that will be used is explained below:

STEP 1 – Create a Shell script

The initial step is creating a shell script using the code below. While I’ve explained the code line by line, you can also jump to the final script code (createLocalAdmin.sh) and copy it into a file, saving it with a .sh extension.

Script header (System shell)

#!/bin/sh

Modify accountname and password variables as per your requirement

accountname=cloudinfraAdmin
password="C0mputer@2020"

Create a new user account

dscl . -create /Users/$accountname

Set the default shell for this user as /bin/bash

dscl . -create /Users/$accountname UserShell /bin/bash

Add full name or display name for this user

dscl . -create /Users/$accountname RealName "CloudInfra Admin Account"

Provide a Unique ID for this user account

dscl . -create /Users/$accountname UniqueID "2001"

Set PrimaryGroup ID to 20 for admin accounts and 80 is for Standard accounts

dscl . -create /Users/$accountname PrimaryGroupID 20

Set the Home directory for the user

dscl . -create /Users/$accountname NFSHomeDirectory /Users/$accountname

Set User account password

dscl . -passwd /Users/$accountname "$password"

Add the user to the admin group

dscl . -append /Groups/admin GroupMembership $accountname

Add the user’s profile picture (Optional)

dscl . -create /Users/$accountname picture "/profilepic.png"

Add a Password hint for the user (Optional)

dscl . -create /Users/$accountname hint "Provide Password hint"

Hide the user on the macOS login window (Optional)

dscl . -create /Users/$accountname IsHidden 1

Below is the complete script code. Please copy the code into a text file and save it as createLocalAdmin.sh file.

createLocalAdmin.sh [Final Script]

#!/bin/sh
# Account name and password to create (change as required)
accountname=cloudinfraadmin
password="C0mputer@2020"
# Create the user record and set its attributes
dscl . -create "/Users/$accountname"
dscl . -create "/Users/$accountname" UserShell /bin/bash
dscl . -create "/Users/$accountname" RealName "CloudInfra Admin Account"
dscl . -create "/Users/$accountname" UniqueID "2001"
dscl . -create "/Users/$accountname" PrimaryGroupID 20
dscl . -create "/Users/$accountname" NFSHomeDirectory "/Users/$accountname"
# Set the password and an (optional) password hint
dscl . -passwd "/Users/$accountname" "$password"
dscl . -create "/Users/$accountname" hint "computer"
# Grant administrator rights through admin group membership
dscl . -append /Groups/admin GroupMembership "$accountname"
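As an added example (not the blog's own script), here is an idempotent variant of createLocalAdmin.sh: it refuses to run unless it is root, skips creation when the account already exists, picks the lowest free UID instead of a fixed 2001, quotes every variable, and verifies admin group membership with dseditgroup. The account name and password literal are assumed as on the page; the parsing helper takes dscl output on stdin so it can be exercised without a Mac.

```shell
#!/bin/sh
# Added example (not the blog's script): an idempotent version of createLocalAdmin.sh.
# Assumes macOS with dscl/dseditgroup and that Intune runs it as root.

# Read "name uid" lines (the format of `dscl . -list /Users UniqueID`) on stdin and
# print the lowest unused UID >= 501, so a hard-coded 2001 cannot collide with an existing user.
next_free_uid() {
  awk 'NF >= 2 { used[$2] = 1 } END { u = 501; while (u in used) u++; print u }'
}

# Create the account only if it does not exist yet; always make sure it is in the admin group.
create_local_admin() {
  name="$1"; pass="$2"
  [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
  if dscl . -read "/Users/$name" >/dev/null 2>&1; then
    echo "user $name already exists, not recreating" >&2
  else
    uid=$(dscl . -list /Users UniqueID | next_free_uid)
    dscl . -create "/Users/$name" || return 1
    dscl . -create "/Users/$name" UserShell /bin/bash
    dscl . -create "/Users/$name" RealName "CloudInfra Admin Account"
    dscl . -create "/Users/$name" UniqueID "$uid"
    # 20 is the staff group shown under Advanced Options; admin rights come from the admin group below.
    dscl . -create "/Users/$name" PrimaryGroupID 20
    dscl . -create "/Users/$name" NFSHomeDirectory "/Users/$name"
    # -passwd fails when the password does not satisfy the device's password policy.
    dscl . -passwd "/Users/$name" "$pass" || return 1
  fi
  # -append adds a duplicate entry on every run, so check membership first.
  if ! dseditgroup -o checkmember -m "$name" admin >/dev/null 2>&1; then
    dscl . -append /Groups/admin GroupMembership "$name"
  fi
  dseditgroup -o checkmember -m "$name" admin
}

# Intune runs the script as root with no arguments; the guard keeps it inert on other systems.
if [ -x /usr/bin/dscl ] && [ "$(id -u)" -eq 0 ]; then
  create_local_admin "cloudinfraadmin" "C0mputer@2020"   # password literal as on the page
fi
```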

STEP 2 – Deploy the Shell script

The next step is to deploy the shell script createLocalAdmin.sh created in the previous section to the target macOS devices, where it will create the local administrator account cloudinfraAdmin. Let’s go through the steps:

  • Sign in to the Intune admin center.
  • Go to Devices > macOS.
  • Click on Shell scripts under macOS policies.
  • Click on + Add to add the script for deployment.

Basics

Provide a name and description of this deployment. Click on Next to proceed.

  • Name: Create cloudinfraAdmin local administrator account
  • Description: Provide a useful description.

Script settings

On the Upload script field, browse to createLocalAdmin.sh file.

  • Run script as signed-in user: No
  • Hide script notifications on devices: Yes
  • Script frequency: Every 15 minutes (While currently testing on a test macOS device, I’ve set the script frequency to 15 minutes. Once the test completes successfully, you can change the script frequency to every day or every week).
  • Number of times to retry if script fails: 3
Deploy this shell script on mac devices

Assignments

Click on Add group to add an Entra security group containing macOS devices.

Assign shell script to macOS devices

Review + add

Review the deployment and click on Create to start the deployment process.

Sync Intune Policies

The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync from the device itself or remotely through the Intune admin center.

Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Restarting the device is another way to trigger the Intune device check-in process.

Monitor Deployment Progress

To monitor the script deployment, open the Intune admin center and navigate to Devices > macOS > Shell scripts. Click on the shell script to check its status; the Overview page shows the overall deployment status. To check the status per device or per user, select Device status or User status under the Monitor section.

End-user Experience

After rebooting your Mac, open Settings > Users & Groups to confirm that the local admin account has been created. If the account you set up using Intune is not there, reboot the Mac once and check again, or initiate a manual sync.

The screenshot below shows that the CloudInfra Admin Account has been successfully created. It is labeled as Admin under the account name. To access more information about this user, right-click on the account and select Advanced Options.

Local administrator account created on macOS device successfully

In the Advanced Options pop-up, you will find the following user properties:

  • User: The display name of the user.
  • UserID: The user’s unique identifier, which we set in the script (UniqueID).
  • Group: The default group, staff.
  • Account Name: The user account name.
  • Full name: The user’s full name, as set with the RealName attribute of the dscl command.
  • Login shell: This user’s default shell is /bin/bash. You can click on the dropdown menu next to it and choose from options such as /bin/tcsh, /bin/sh, /bin/csh, /bin/zsh, or /bin/ksh.
  • Home directory: The NFSHomeDirectory value configured in the script. As shown in the screenshot below, it is /users/cloudinfraadmin, which is based on the account name.
macOS local user Advanced Options
  • The shell script has successfully set the password hint to computer. To reveal it, click on the question mark icon next to the password field.
Reveal password hint of a Mac user

macOS Intune deployment troubleshooting

If you encounter problems deploying the script, check the IntuneMDMDaemon*.log and IntuneMDMAgent*.log files for more information. For guidance on locating these files on a macOS device, refer to my previous blog post, How To Collect Intune Logs From a MacOS Device.

FAQs

How to find the Home Directory of an Intune-created local admin account?

To locate the Home directory path of a local admin user, navigate to Settings > Users & Groups. Right-click on the user, select Advanced Options, and check the Home directory location value.

Once you have obtained the Home directory path of the user, you can proceed to access the user’s home directory by following these steps.

  • Finder > Go > Go to Folder…
  • Type the path /users/cloudinfraadmin.
  • Double-click on the searched path to open the home directory.
Access Users Home directory location on a Mac device
  • As shown in the screenshot below, the home directory has been created with the default folders. Note that the home directory is generated for the user on their first sign-in to this Mac. The following folders are created under the user’s home directory:
    • Desktop
    • Documents
    • Downloads
    • Movies
    • Music
    • Pictures
    • Public
User's home directory folders on a Mac device

How to hide a local admin user on the Mac login window?

If you wish to prevent the user account from appearing on the Mac login window, you can include the following line of code in the shell script and deploy it to create a hidden user account.

dscl . -create /Users/$accountname IsHidden 1

How to show hidden users using macOS terminal?

When you hide a user account on macOS, it will not appear on the login window or in Settings > Users & Groups. To locate the hidden user, you can use the Directory Service cache utility, dscacheutil.

I’ve created a hidden user account named “cloudinfraadmin1.” To search for it using the Mac terminal, you can use the command: dscacheutil -q user -a name cloudinfraadmin1. Replace cloudinfraadmin1 with the hidden user name you intend to search for.

dscacheutil -q user -a name cloudinfraadmin1
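Hidden accounts that also hold admin rights are the ones an administrator most wants to keep track of, so here is an added audit helper (not from the blog post) that lists local admin group members whose IsHidden attribute is set. The parsers read dscl output on stdin and can be exercised anywhere; only report_hidden_admins() needs macOS dscl, and the account names in the comments are constructed.

```shell
#!/bin/sh
# Added audit helper (not from the blog post): list local admin accounts that are hidden
# from the login window, i.e. accounts of the kind the IsHidden line above creates.
# Assumes macOS dscl; the parsers read command output on stdin so they run without a Mac.

# Parse `dscl . -read /Groups/admin GroupMembership` ("GroupMembership: root admin ...")
# and print one member name per line.
admin_members() {
  awk '$1 == "GroupMembership:" { for (i = 2; i <= NF; i++) print $i }'
}

# Parse `dscl . -list /Users IsHidden` ("name  1") and print the users with IsHidden set to 1.
hidden_users() {
  awk 'NF >= 2 && $2 == "1" { print $1 }'
}

# $1: admin member names, $2: hidden user names (whitespace separated); print names in both.
hidden_admins() {
  for u in $1; do
    for h in $2; do
      [ "$u" = "$h" ] && echo "$u"
    done
  done
  return 0
}

# Run the audit on a Mac; prints nothing when no hidden admin exists (e.g. constructed
# input "root admin cloudinfraadmin1" / "cloudinfraadmin1" would report cloudinfraadmin1).
report_hidden_admins() {
  admins=$(dscl . -read /Groups/admin GroupMembership | admin_members)
  hidden=$(dscl . -list /Users IsHidden | hidden_users)
  hidden_admins "$admins" "$hidden"
}

if [ -x /usr/bin/dscl ]; then
  report_hidden_admins
fi
```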

Conclusion

In this blog post, we’ve learned how to create a local administrator account on a Mac device while using Intune as your Mobile Device Management (MDM) service. It’s important to note that changing the PrimaryGroup ID to 80 in the shell script will create a standard user account instead of an administrator account.

6 thoughts on “Create a Local admin account on macOS using Intune”

  1. Hi!
    macOS Intune – Beginner here 🙂
    I already have a script running through Intune for creating a local admin account.
    I would like to add the enterprise logo as profile picture.
    – where do I have to store that picture?
    – does that picture have to be copied separately or do I have to make an Intune package including script + picture?

    Thank You for the help!

    • You will need to copy the profile picture somewhere on the device and provide that location in the dscl command to apply the profile picture.

      – Store it in Azure blob or secure storage that is accessible from the Mac device.
      – Use a command something like: cd ~/library/desktop; curl -O https://azureblogstoragepublicURL/profilepic.jpg
      – Provide the location in the dscl command to point it to this profile picture for the user. For example: dscl . -create /Users/$accountname picture "~/library/desktop/profilepic.jpg"

      You don’t need to keep the profile picture in external storage after it has been downloaded on Mac, you can delete it.

  2. Hello.

    I’m also wondering if there is a better way of handling the password than it being displayed in plain text? Or even to auto-generate a password so it’s unique for each device, but then how to have this saved for IT usage (i.e. LAPS)?
    Lastly, wondering about limitations of creating a user account via script when FileVault is enabled?

    I’m getting an error with Intune: passwd: DS error: eDSAuthPasswordQualityCheckFailed.
    The password I set is 15 characters long, with
    lowercase,
    uppercase,
    numbers
    and randomized symbols (!#$).
    What can trigger this error?

