
Setup experience: Create and manage local user accounts on macOS

Open ddribeiro opened this issue 9 months ago • 2 comments

  • @noahtalerman: numa requested this because they want more control over how macOS user accounts are configured during Setup Assistant, including support for creating standard users, skipping account creation, or pre-creating a local admin account depending on the use case.

    • Zoom conference room Mac mini:

      • Admin creates generic "Zoom Admin" local account with a preset password.
      • Local account creation is skipped

    • Environment where end users are not admins:

      • Populate account info from IdP
      • Set account that gets created during Setup Assistant to be a standard user
      • Create hidden "break glass" admin account for IT to use

    • Environment where IdP authentication (Jamf Connect, Xcreds, etc.) is used:

      • Skip account creation during setup
  • @noahtalerman: In the interim they could use a workaround that listens for the mdm_enrolled webhook and manually sends a custom AccountConfigured command, but this adds complexity and requires managing an external system to orchestrate timing.

  • @noahtalerman: Eventually they would like to configure AccountConfigured options directly in the Fleet UI (e.g., under Controls > OS settings > Setup experience) so Fleet sends a customized command automatically during the macOS enrollment process.

  • @allenhouchins: User requested this because they require end users to have standard users. They want the standard user's credentials (username/password) to be their IdP credentials. Here's how you can set this up in Jamf:


Admins are able to define an account that gets created during the enrollment process. They will also have the option to configure the account for LAPS. Examples:

  • https://learn.jamf.com/en-US/bundle/technical-paper-laps-current/page/Local_Administrator_Password_Solution.html
  • https://github.com/joshua-d-miller/macOSLAPS

ddribeiro, Apr 07 '25 15:04

I think this is a dupe of this: fleetdm/fleet#27571

allenhouchins, Apr 07 '25 17:04

Gong snippet: Customer does not allow call recordings

Problem

As an IT admin managing macOS devices, I want to have control over the initial user account that gets created during the macOS Setup Assistant.

The AccountConfigured MDM command can specify behaviors that apply to the macOS Setup Assistant regarding account creation, including:

  • Creating a generic managed local admin account.
  • Creating the first user as a standard account (instead of an admin).
  • Skipping account creation (useful in environments where an IdP authentication tool is used, like Xcreds or Jamf Connect).

Today, Fleet sends its own AccountConfigured command that populates and locks the account full name and username from the IdP authentication. This is not customizable by the end user, although they could send an additional AccountConfigured on their own if they wanted to use additional functionality.

What have you tried?

Today, I could build a workflow that listens to the activity webhook for an mdm_enrolled event and send a custom AccountConfiguration command using the Fleet API. However, to do that, I need to use external systems to orchestrate sending the commands at the correct time. Fleet will also send the built-in AccountConfigured command that I cannot customize.

Potential solutions

Fleet should offer admins the ability to opt into and specify behaviors that are built into the AccountConfigured screen. This could be specified on a per-team basis.

This could live in the UI under the current Controls > OS Settings > Setup experience screen.

What is the expected workflow as a result of your proposal?

Examples:

Zoom conference room Mac mini:

  • Admin creates generic "Zoom Admin" local account with a preset password.
  • Local account creation is skipped

Environment where end users are not admins:

  • Populate account info from IdP
  • Set account that gets created during Setup Assistant to be a standard user
  • Create hidden "break glass" admin account for IT to use

Environment where IdP authentication (Jamf Connect, Xcreds, etc.) is used:

  • Skip account creation during setup

noahtalerman, Apr 07 '25 18:04
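As an added example (not Fleet's code and not part of this issue), here is how the three workflows above map onto the keys of Apple's AccountConfiguration MDM command, built with Python's plistlib, plus the base64-encoded plist body that Fleet's run MDM command endpoint takes for the interim webhook workaround. The account names, the passwords, the PBKDF2 iteration count and the exact request-body shape are assumptions and constructed placeholders; check them against Apple's command reference and your Fleet version before use.

```python
import base64
import hashlib
import os
import plistlib
import uuid

PBKDF2_ITERATIONS = 100_000  # constructed value; macOS picks its own high iteration count


def shadow_hash(password, salt=None):
    """Salted SHA-512 PBKDF2 hash, serialized as the binary plist macOS expects in passwordHash."""
    salt = salt or os.urandom(32)
    entropy = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, PBKDF2_ITERATIONS, dklen=128)
    shadow = {"SALTED-SHA512-PBKDF2": {"entropy": entropy, "iterations": PBKDF2_ITERATIONS, "salt": salt}}
    return plistlib.dumps(shadow, fmt=plistlib.FMT_BINARY)


def account_configuration(skip_primary=False, primary_as_standard=False, primary_full_name=None,
                          primary_user_name=None, lock_primary=False, admin_accounts=()):
    """Build the AccountConfiguration command; admin_accounts holds (shortName, fullName, password, hidden)."""
    if skip_primary and not admin_accounts:
        # Apple only honours SkipPrimarySetupAccountCreation when an admin is auto-created,
        # otherwise the Mac would leave Setup Assistant with no local account at all.
        raise ValueError("skipping primary account creation requires an AutoSetupAdminAccounts entry")
    cmd = {"RequestType": "AccountConfiguration", "SkipPrimarySetupAccountCreation": skip_primary,
           "SetPrimarySetupAccountAsRegularUser": primary_as_standard, "LockPrimaryAccountInfo": lock_primary}
    if primary_full_name and primary_user_name:  # e.g. values pulled from the IdP
        cmd["PrimaryAccountFullName"], cmd["PrimaryAccountUserName"] = primary_full_name, primary_user_name
    if admin_accounts:
        cmd["AutoSetupAdminAccounts"] = [{"shortName": s, "fullName": f, "passwordHash": shadow_hash(p),
                                          "hidden": h} for s, f, p, h in admin_accounts]
    return {"CommandUUID": str(uuid.uuid4()), "Command": cmd}


# The workflows from the issue; passwords are constructed placeholders, never ship real ones in code.
def zoom_room_command():
    return account_configuration(skip_primary=True,
                                 admin_accounts=[("zoomadmin", "Zoom Admin", "PLACEHOLDER-preset-pw", False)])


def standard_user_command(full_name, user_name):
    """Standard first user locked to IdP-provided names, plus a hidden break-glass admin for IT/LAPS."""
    return account_configuration(primary_as_standard=True, lock_primary=True, primary_full_name=full_name,
                                 primary_user_name=user_name,
                                 admin_accounts=[("breakglass", "IT Break Glass", "PLACEHOLDER-laps-pw", True)])


def fleet_run_command_body(command, host_uuids):
    """Body for Fleet's run MDM command endpoint: the XML plist, base64-encoded, plus target host UUIDs."""
    plist = plistlib.dumps(command, fmt=plistlib.FMT_XML)
    return {"command": base64.b64encode(plist).decode(), "host_uuids": list(host_uuids)}


def decode_run_command_body(body):
    return plistlib.loads(base64.b64decode(body["command"]))
```

The Jamf Connect / XCreds case is zoom_room_command with the admin entry marked hidden; any custom command still runs beside Fleet's own AccountConfigured command, so test the ordering on a spare Mac before relying on it.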

Based on @nonpunctual, @harrisonravazzolo and @ddribeiro's attempts at creating solutions for this (which is possible using Tines / Okta Workflows to inject an additional account configuration payload prior to device release in the macOS Setup Assistant during enrollment), we believe that it is too difficult for most customers to manage & maintain a custom solution for workflows that create user accounts. We now have customers & prospects (prospect-nishiyama, customer-beatrix) that have hard requirements around adding macOS user accounts. cc @noahtalerman @zayhanlon @marko-lisica @eugkuo

nonpunctual, May 23 '25 22:05

Linked to Unthread ticket:

Conversation #7530

Sampfluger88, Jul 29 '25 22:07