Is it possible to create a Local Administrator user when using Profile Manager to push out configuration settings

Uhm, have you checked under Settings > Managed macOS Administrator Account and Check "Create manager macOS administrator account" under device groups? Here you can specifiy fullname, accountname, password and some other settings. Wouldnt this allow you to create local macOS admins thru profile manager,

No, not with Profile Manager.

How are you currently deploying your enterprise macs? As institutionally imaged or as BYOD devices? If imaged, then the image should contain a consistent local admin account. If the image also enables Apple Remote Desktop or SSH, you have a method of mass controlling and managing the devices. If BYOD style, then you are out of luck as the end user is the only one with the keys to the device.

You might want to take a look at JAMF's Casper Suite. Once devices are enrolled you have the ability to create accounts (however the common method is to create a management account on enrollment). If you are deploying with a BYOD approach, you should also look into Apple's DEP program (https://deploy.apple.com) as DEP plus JAMF (or other MDMs) is a very powerful tool for light to zero touch deployment of systems.

Reid

Apple Consultants Network

Author - "El Capitan Server – Foundation Services"

Author - "El Capitan Server – Control & Collaboration"

Author - "El Capitan Server – Advanced Services"

:: Exclusively available in Apple's iBooks Store

Sure. It works with iOS and OS X. And you need to prove you are a legal entity and must have a DUNs number. Enrollment can take a few days. The basic way this works is as follows:

1: Enroll in DEP identifying yourself as a legal business entity that has the rights to enrolled hardware. Set up your accounts and your users. I recommend starting a fresh Apple ID to associate with the DEP program. Do not use one that is assigned to a person or that has assets purchased with it.

2: Setup an MDM solution (anything from Apple's own Profile Manager to Bushel, to AirWatch, to JAMF)

3: Purchase Apple hardware from Apple direct or from DEP authorized resellers. Do not buy from retail channel. If you have a relationship with an Apple Retail Store you must engage with the business team. Retail purchases can not be included.

4: Once the purchases are made, the device's serial numbers will appear in the Apple DEP portal, linked to your organization.

5: Log into the DEP portal and assign the devices to your MDM(s) (yes, multiple MDM servers are supported)

6: Log into your MDM. You will need to set up the MDM using the token from the DEP site but that is trivial

7: You will see your devices. Simply scope the devices to receive policy/payload/etc.

From the end user perspective, the process is really rather simple. As long as the device is assigned to an MDM, the end user can deploy her own machine. She can unbox, startup and start to fill out the setup assistant. Choose a language, a keyboard, and a network. The next panel will be to enroll the device into your MDM. The user will enter domain credentials and the unit will enroll in your MDM and receive whichever policies you've defined.

DEP is great with the light-touch/zero touch deployment where the end user is the deployment tech. The devices must be owned by the organization however, so a true BYOD model (devices owned by the user) and DEP do not work together.

Check out here for some more details. Excellent program in my opinion. Can help with reducing theft as the devices are locked to the organization and even on a reinstall the unit will prompt for enrollment.

http://www.apple.com/business/dep/

Reid

Apple Consultants Network

Author - "El Capitan Server – Foundation Services"

Author - "El Capitan Server – Control & Collaboration"

Author - "El Capitan Server – Advanced Services"