Create a local admin account on macOS using Intune

A local administrator account on a macOS device can manage other users, Install applications and change macOS settings. You can easily create an local administrator account on Intune managed / enrolled macOS device using Intune.

Recently I have written about creating a local admin user account on a Windows device using Intune by using device configuration profiles. Another alternative method was also discussed which used Intune device remediations to create a local admin account on Windows. Creating a local admin account on windows is a part of requirements for configuring Windows LAPS.

In this blog post, We will see the steps to create a local admin account on a macOS device. On a Mac device, you can find a standard and administrator user accounts under Settings > Users & Groups. A standard user account will have Standard under its name and Administrator account can be identified by Admin written under its name. By default Guest user account is disabled.

As an example, We are going to create a local admin account called CloudInfraAdmin. However, you can create a local admin account by providing any name you like.

For creating our example account cloudInfraAdmin on macOS, I will be creating a shell script and deploy it on target devices to create this account.

Shell script is a text file containing UNIX commands. A shell script begins with # and ! characters which are also called as shebang. After that you you need to provide a reference to shell, the script should be run with. For example; #!/bin/sh

For newer macOS devices (Catalina and later) the default shell configured is Zsh (Z shell) and for older Mac devices (Mojave and earlier), default shell is bash.

I will use Directory Service command line utility (dscl) to create local admin account on macOS device. Below is the script code which will be used.

Script header (System shell)

#!/bin/sh

Modify Accountname and password variables as per your requirement

accountname=cloudinfraAdmin
password="C0mputer@2020"

Create a new user account

dscl . -create /Users/$accountname

Set default shell for this user as /bin/bash

dscl . -create /Users/$accountname UserShell /bin/bash

Add full name or display name for this user

dscl . -create /Users/$accountname RealName "CloudInfra Admin Account"

Provide a Unique ID for this user account

dscl . -create /Users/$accountname UniqueID "2001"

Set PrimaryGroup ID to 20 for admin accounts and 80 is for Standard accounts

dscl . -create /Users/$accountname PrimaryGroupID 20

Set Home directory for the user

dscl . -create /Users/$accountname NFSHomeDirectory /Users/$accountname

Set User account password

dscl . -passwd /Users/$accountname $password

Add user to admin group

dscl . -append /Groups/admin GroupMembership $accountname

Add user’s profile picture (Optional)

dscl . -create /Users/$accountname picture “/profilepic.png”  

Add Password hint for the user (Optional)

dscl . -create /Users/$accountname hint “Provide Password hint” 

Hide user on the macOS login window (Optional)

dscl . -create /Users/$accountname IsHidden 1

createLocalAdmin.sh

#!/bin/sh
accountname=cloudinfraadmin
password="C0mputer@2020"
dscl . -create /Users/$accountname
dscl . -create /Users/$accountname UserShell /bin/bash
dscl . -create /Users/$accountname RealName "CloudInfra Admin Account"
dscl . -create /Users/$accountname UniqueID "2001"
dscl . -create /Users/$accountname PrimaryGroupID 20
dscl . -create /Users/$accountname NFSHomeDirectory /Users/$accountname
dscl . -passwd /Users/$accountname $password
dscl . -create /Users/$accountname hint "computer"
dscl . -append /Groups/admin GroupMembership $accountname

Deploy Shell script on macOS devices using Intune

Now the next step is to deploy the shell script createLocalAdmin.sh we created in the previous section of this blog post. Our end goal is to create a local administrator account called cloudinfraAdmin on target macOS devices. Let’s check the steps:

• Login on Microsoft Intune admin center
• Devices > macOS
• Click on Shell scripts under macOS policies
• Click on + Add to Add the script for deployment

Basics

Provide a Name and Description for this deployment. Click on Next to proceed.

• Name: Create cloudinfraAdmin local administrator account
• Description: This shell script will create a local admin account called cloudinfraAdmin on macOS devices

Script settings

Upload script by clicking on blue folder Icon and select createLocalAdmin.sh file.

• Run script as signed-in user: No
• Hide script notifications on devices : Yes
• Script frequency : Every 15 minutes (As I am currently testing this on a test macOS device, I have kept Script frequency as 15 minutes. But once the tested completes successfully, you can change the script frequency to Every 1 day or Every 1 week).
• Number of times to retry if script fails : 3

Assignments

I have created a dynamic Azure AD group to group all my organization’s macOS devices. Click on Add groups to add a group which contains only macOS devices. I have added Cloudinfra macOS Devices Azure AD group. Click on Next to proceed.

Review + add

Review the deployment and then click on Add button to deploy the shell script on targeted macOS devices.

Intune Policy Refresh Cycle

The Device will Sync / Check in to start the script execution process. It may take some time for the process to start. Therefore, if you are testing it on a test device, you can force initiate Intune refresh cycle on macOS device which will speed up the scripts download, execution process. You can also use Powershell to force initiate Intune refresh cycle.

Also, you can restart the device first which also starts the device check-in process. Manual sync is not mandatory on user’s devices as the device check-in process happens automatically. But if you are testing the script on a test device then this can speed up your testing and can save some time.

Monitor Shell script deployment using Intune admin center

You can monitor the app deployment from Intune admin center. Go to Devices > macOS > shell scripts. Click on a shell script to monitor its status and then go to Overview page where you can find shell script deployment status.

To check the deployment status per device or user. Click on Device status or User status under Monitor.

End user Experience

After the reboot, Go to Settings > Users & Groups to confirm if local admin account has been created successfully. If you are unable to find the local admin account you have created using Intune, then reboot your Mac device once and check again

As you can see from below screenshot, CloudInfra Admin Account has been created and under the name of the account it shows as Admin. Right-click on the account and click on Advanced Options to check more information about this user.

On Advanced Options pop-up, You will find below user properties:

• User: This is the Display name of the user
• UserID: This is the unique Identifier of the user as we have set in the script.
• Group: Default group staff.
• Account Name: User Account name
• Full name: Full name of the user as set in the RealName parameter of dscl command.
• Login shell: Default shell for this user is set to /bin/bash, you can click on the drop down next to it and set it to /bin/tcsh, /bin/sh, /bin/csh, /bin/zsh, /bin/ksh.
• Home directory: This is the NFSHomeDirectory parameter we configured in the script. As you can see from below screenshot, its set to /users/cloudinfraadmin based on the account name.

As per the shell script, Password hint is also successfully set to “computer”. You can click on question mark next to password field to reveal password hint.

macOS Intune deployment Troubleshooting

If you face any issues with shell script deployment on Mac devices then you can refer to IntuneMDMDaemon*.log and IntuneMDMAgent*.log files. To find out the more information about how to locate these files on macOS device, you can refer to my other blog post: How To Collect Intune Logs From MacOS Device.

FAQs

How to locate Home Directory of local admin account created using Intune

You can find Home directory path of local admin user by going to Settings > Users & groups. Right-click on the user and then select Advanced Options... Check the Home directory location value. You can follow below steps to browse to the home directory of this user.

• Finder > Go > Go to Folder…
• Type the path /users/cloudinfraadmin
• Doble-click on the searched path to open home directory.

• As you can see that the home directory is successfully created with below default folders. Please note that Home directory will be created for the user when this user first sign in on this Mac device.
  • Desktop
  • Documents
  • Downloads
  • Movies
  • Music
  • Pictures
  • Public

How to hide local admin user from Mac login window

If you do not want the user account to show on Mac login window then you can add below line of code in the Shell script. and deploy it on the device to create a hidden user account.

dscl . -create /Users/$accountname IsHidden 1

How to show hidden users on macOS terminal

When you hide a user account from macOS, it does not show on Mac Login Window and also it does not show under Settings > Users & groups. You can use Directory Service cache utility dscacheutil to search for the hidden user.

I have created a hidden user account called cloudinfraadmin1 therefore to search it from Mac terminal I am using a command dscacheutil -q user -a name cloudinfraadmin1. Replace cloudinfraadmin1 with the account name of hidden user you want to search.

Conclusion

In this blog post, we have seen how to create a local administrator account on a Mac device when you are using Intune as your Mobile device management (MDM) service. Using the step by step instructions provided in this blog post, you can easily create a local admin account. If you change PrimaryGroup ID to 80, Instead of an administrator account, a standard user account will be created.

READ NEXT

• How To Set Desktop Wallpaper On MacOS Using Intune
• How To Enroll MacOS In Intune
• How To Deploy DMG Apps On MacOS Devices Using Intune
• How To Deploy PKG Apps On MacOS Devices Using Intune
• How To Force Intune Sync Manually From MacOS