macOS Account Setup and Admin Passwords

Managing User Account Setup on macOS

When macOS devices are enrolled using Automated Enrollment, admins can manage certain aspects of the user account creation process. These settings are located under the "DEP Settings" tab of the Automated Enrollment page once you have created an Automated Enrollment.

 


macOS Account Setup Settings: interactive user account creation

Prompt user to create an account

When this setting is disabled, the user will not see the "Create a computer account" step during Setup Assistant, so no user account will be created interactively.

Set the short name

Requires "Prompt user to create an account" to be enabled. When enabled, you may set the "Short Name" value for the user account being created interactively during Setup Assistant. This field supports custom attributes that can be populated when using LDAP or SAML authentication for device enrollments.

Set the full name

Requires "Prompt user to create an account" to be enabled. When enabled, you may set the "Full Name" value for the user account being created interactively during Setup Assistant. This field supports custom attributes that can be populated when using LDAP or SAML authentication for device enrollments.

Allow user to modify these fields

When enabled, the values specified for the Short Name and/or Full Name fields cannot be changed by the user during Setup Assistant.

Account Type

This allows you to control whether the account being created interactively during Setup Assistant is an admin account or a regular account.

 

macOS Account Setup Settings: automatic admin accounts

Automatically create an administrator account

When enabled, an admin account will be automatically created on the device during Setup Assistant.

Short Name

Sets the value of Short Name for the admin account that is automatically created.

Full Name

Sets the value of the Full Name for the admin account that is automatically created.

Hide Account from local users

When enabled, other user accounts on the Mac will not be able to see the auto-created admin account (on the login window, under System Preferences > Users & Groups, etc.).

Store admin password for device in SimpleMDM

When enabled, the password for the automatically created admin account will be stored on the Device Details page.

Automatically generate unique local admin password

When enabled, SimpleMDM will automatically generate and set a unique password value for each admin account created. This unique password will be stored on the Device Details page.

 

Retrieve, rotate and reset stored admin passwords

Retrieve Admin Password:

Admin passwords that are stored for devices can be retrieved via the Security section of the Device Details page for a device. Click "Reveal" to view the passwords stored.


Rotate Admin Password:

To rotate the existing admin password to another random value, click the "Rotate" icon next to the admin password field on the Device Details page.

Reset Admin Password:

To set a new admin password to a specific value, click the pencil icon next to the admin password field on the Device Details page. You will be prompted with a screen to enter a new admin password.

 

Important Note: after the initial enrollment, admin passwords can only be reset or rotated if the auto-created local admin account is not hidden. If "Hide Account from local users" is checked in the DEP Settings, SimpleMDM may not be able to accurately retrieve the information it needs to rotate or reset the admin password. Additionally, auto-admin passwords created prior to this feature being added may not be able to be rotated.

 

Other Notes:

  • SimpleMDM is only able to retrieve/store admin passwords for Macs that are enrolled using Automated Enrollment with both "Automatically create an administrator account" AND "Store admin password for device in SimpleMDM" enabled.
  • SimpleMDM is not able to retrieve admin passwords for non-automatically created accounts, nor can passwords be retrieved retroactively if this setting was not enabled during a device's enrollment.

 

 

 

 

 

 

 

 
