msudhindra

Q: Is it possible to create a Local Administrator user when using Profile Manager to push out configuration settings

Hi,

We are exploring the use of OS X Profile Manager as a way to manage our Enterprise Macs.

One of the requirements put forth by the team is to create an Administrator user as part of the OS X Profile that is pushed down to the client. The rationale is that this would be a way for the IT team to get in if the user fubar'd their Mac.

I did not see this anywhere within the Profile Manager configuration options and so am asking the people who use this as part of their everyday toolset, to enquire if such an option is indeed available.

Thanks and Regards,

Madan Sudhindra

Mac mini, OS X El Capitan (10.11.4)

Posted on Apr 21, 2016 12:40 PM


  • by Strontium90, Solved answer

    Strontium90 Apr 21, 2016 1:29 PM in response to msudhindra
    Level 5 (4,077 points)
    Servers Enterprise

    No, not with Profile Manager.

    How are you currently deploying your enterprise Macs?  As institutionally imaged or as BYOD devices?  If imaged, then the image should contain a consistent local admin account.  If the image also enables Apple Remote Desktop or SSH, you have a method of mass controlling and managing the devices.  If BYOD style, then you are out of luck as the end user is the only one with the keys to the device.

    You might want to take a look at JAMF's Casper Suite.  Once devices are enrolled you have the ability to create accounts (however the common method is to create a management account on enrollment).  If you are deploying with a BYOD approach, you should also look into Apple's DEP program (https://deploy.apple.com) as DEP plus JAMF (or other MDMs) is a very powerful tool for light to zero touch deployment of systems.

    Reid

    Apple Consultants Network

    Author - "El Capitan Server – Foundation Services"

    Author - "El Capitan Server – Control & Collaboration"

    Author - "El Capitan Server – Advanced Services"

    :: Exclusively available in Apple's iBooks Store

  • by msudhindra

    msudhindra Apr 22, 2016 11:06 AM in response to Strontium90
    Level 1 (4 points)
    Servers Enterprise

    Hi Reid,

    Thanks for the reply. Our devices are procured in more of a BYOD style, which eliminates the imaging option.

    Thanks for your suggestion on the JAMF Casper Suite. I will look into that.

    Can you shed some light on how Apple's DEP program works?

    -Madan

  • by Strontium90

    Strontium90 Apr 22, 2016 11:58 AM in response to msudhindra
    Level 5 (4,077 points)
    Servers Enterprise

    Sure.  It works with iOS and OS X.  And you need to prove you are a legal entity and must have a DUNS number.  Enrollment can take a few days.  The basic way this works is as follows:

    1:  Enroll in DEP identifying yourself as a legal business entity that has the rights to enrolled hardware.  Set up your accounts and your users.  I recommend starting a fresh Apple ID to associate with the DEP program.  Do not use one that is assigned to a person or that has assets purchased with it.

    2:  Set up an MDM solution (anything from Apple's own Profile Manager to Bushel, to AirWatch, to JAMF).

    3:  Purchase Apple hardware from Apple direct or from DEP authorized resellers.  Do not buy from the retail channel.  If you have a relationship with an Apple Retail Store you must engage with the business team.  Retail purchases cannot be included.

    4:  Once the purchases are made, the devices' serial numbers will appear in the Apple DEP portal, linked to your organization.

    5:  Log into the DEP portal and assign the devices to your MDM(s) (yes, multiple MDM servers are supported).

    6:  Log into your MDM.  You will need to set up the MDM using the token from the DEP site but that is trivial.

    7:  You will see your devices.  Simply scope the devices to receive policy/payload/etc.

    From the end user perspective, the process is really rather simple.  As long as the device is assigned to an MDM, the end user can deploy her own machine.  She can unbox, start up and start to fill out the setup assistant.  Choose a language, a keyboard, and a network.  The next panel will be to enroll the device into your MDM.  The user will enter domain credentials and the unit will enroll in your MDM and receive whichever policies you've defined.

    DEP is great with the light-touch/zero touch deployment where the end user is the deployment tech.  The devices must be owned by the organization however, so a true BYOD model (devices owned by the user) and DEP do not work together.

    Check out here for some more details.  Excellent program in my opinion.  Can help with reducing theft as the devices are locked to the organization and even on a reinstall the unit will prompt for enrollment.

    http://www.apple.com/business/dep/

    Reid
