Managing User Account Setup on macOS
When macOS devices are enrolled using Automated Enrollment, admins have the ability manage certain aspects of the user account creation process. These settings are located under the "DEP Settings" tab of the Automated Enrollment page once you have created an Automated Enrollment.
macOS Account Setup Settings: interactive user account creation
Prompt user to create an account
When this setting is disabled, the user will not see the "Create a computer account" step during Setup Assistant, so no user account will be created interactively.
Set the short name
Requires "Prompt user to create an account" to be enabled. When enabled, you may set the "Short Name" value for the user account being created interactively during Setup Assistant. This field supports custom attributes that can be populated when using LDAP or SAML authentication for device enrollments.
Set the full name
Requires "Prompt user to create an account" to be enabled. When enabled, you may set the "Full Name" value for the user account being created interactively during Setup Assistant. This field supports custom attributes that can be populated when using LDAP or SAML authentication for device enrollments.
Allow user to modify these fields
When enabled, the values specified for the Short Name and/or Full Name fields cannot be changed by the user during Setup Assistant.
This allows you to control whether the account being created interactively during Setup Assistant is an admin account or a regular account.
macOS Account Setup Settings: automatic admin accounts
Automatically create an administrator account
When enabled, an admin account will be automatically created on the device during Setup Assistant.
Sets the value of Short Name for the admin account that is automatically created.
Sets the value of the Full Name for the admin account that is automatically created.
Hide Account from local users
When enabled, other user accounts on the Mac will not be able to see the auto-created admin account (on the login window, under System Preferences > Users & Groups, etc.).
Store admin password for device in SimpleMDM
When enabled, the password for the automatically created admin account will be stored on the Device Details page.
Automatically generate unique local admin password
When enabled, SimpleMDM will automatically generate and set a unique password value for each admin account created. This unique password will be stored on the Device Details page.
Retrieve, rotate and reset stored admin passwords
Retrieve Admin Password:
Admin passwords that are stored for devices can be retrieved via the Security section of the Device Details page for a device. Click "Reveal" to view the passwords stored.
Rotate Admin Password:
To rotate the existing admin password to another random value, click the "Rotate" icon next to the admin password field on the Device Details page.
Reset Admin Password:
To set a new admin password to a specific value, click the pencil icon next to the admin password field on the Device Details page. You will be prompted with a screen to enter a new admin password.
Important Note: after the initial enrollment, admin passwords can only be reset or rotated if the auto-created local admin account is not hidden. If "Hide account from local users" is checked in the DEP Settings, SimpleMDM may not be able to accurately retrieve the necessary information in order to be able to rotate/reset the admin password. Additionally, auto-admin passwords created prior to this feature being added may not be able to be rotated.
- SimpleMDM is only able to retrieve/store admin passwords for Macs that are enrolled using Automated Enrollment with both "Automatically create an administrator account" AND "Store admin password for device in SimpleMDM" enabled.
- SimpleMDM is not able to retrieve admin passwords for non-automatically created accounts, nor can passwords be retrieved retroactively if this setting was not enabled during a device's enrollment.