Skip to content

I suggest you ...

← Suggestions

Make macOS DEP-installed Administrator more configurable

First priority: the administrator account should be optional. I install my admin account via a signed package, and go out of my way to disable the simplemdm-created account.

If that's not possible, at least allow me to set the UID of the user to something <500 so it's more invisible to users.

2 votes
Vote

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
You have left! (?) (thinking…)
Gabe Purrenhage shared this idea  ·   ·  Report…  ·  Admin →
declined  ·  AdminEric McCann (Admin, SimpleMDM) responded  · 

The comments on this post have covered most of the points, but the main reason for closing this request is that Apple's MDM spec does not currently give us control over the UID of the auto-admin account. As others have noted, you can optionally hide the auto-admin account from other local users, or prevent it from being created entirely - these settings already exist and are available to all accounts.

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • AdminSimpleMDM (Admin, SimpleMDM) commented  ·   ·  Report

    The current Apple MDM protocol does not allow an MDM to set the UID or to disable both automatic admin account creation and interactive admin account creation. If you're looking for this level of control, your only option today is to achieve this with scripting.

    We'll keep an eye on this part of the MDM protocol and add functionality should it become available down the road.

  • Gabe Purrenhage commented  ·   ·  Report

    When you check "Hide account from local users" it still uses UID 501. If it were optional that would be my ideal solution, but it's only "optional" if you prompt the User to create an admin account. If the User creates a non-admin account, this checkbox is forced on.

    I don't want that. I want the User to create a user acount, and nothing else. If you're deciding that is not an option (as it's clearly not a technical requirement/limitation), just please then let me set the UID.

    We're an engineering company. When I use this managed computer, I _notice_ that I'm user 502, I _notice_ that there's an admin account that I don't want. My team will too.

  • Gabe Purrenhage commented  ·   ·  Report

    Nope, it's uid 501, which makes the User-created non-admin account 502. It's a quibble; I'd rather just not create the account at all.

  • Eric Holtam commented  ·   ·  Report

    Doesn't the "Hide account from local users" checkbox in the Enrollment DEP settings do just that?
    I don't use it so pardon if that's not accurate.

Suggestions

Categories

Feedback and Knowledge Base

(thinking…)