Managing User Account Setup on macOS
When macOS devices are enrolled using Automated Enrollment, admins have the ability to manage certain aspects of the user account creation process. These settings are located under the "DEP Settings" tab of the Automated Enrollment page once you have created an Automated Enrollment.
macOS Account Setup Settings: interactive user account creation
Prompt user to create an account
When this setting is disabled, the user will not see the "Create a computer account" step during Setup Assistant, so no user account will be created interactively.
Set the short name
Requires "Prompt user to create an account" to be enabled. When enabled, you may set the "Short Name" value for the user account being created interactively during Setup Assistant. This field supports custom attributes that can be populated when using LDAP or SAML authentication for device enrollments.
Set the full name
Requires "Prompt user to create an account" to be enabled. When enabled, you may set the "Full Name" value for the user account being created interactively during Setup Assistant. This field supports custom attributes that can be populated when using LDAP or SAML authentication for device enrollments.
Allow user to modify these fields
When enabled, the values specified for the Short Name and/or Full Name fields cannot be changed by the user during Setup Assistant.
Account Type
This allows you to control whether the account being created interactively during Setup Assistant is an admin account or a regular account.
macOS Account Setup Settings: automatic admin accounts
Automatically create an administrator account
When enabled, an admin account will be automatically created on the device during Setup Assistant.
Short Name
Sets the value of Short Name for the admin account that is automatically created.
Full Name
Sets the value of the Full Name for the admin account that is automatically created.
Hide Account from local users
When enabled, other user accounts on the Mac will not be able to see the auto-created admin account (on the login window, under System Preferences > Users & Groups, etc.).
Store admin password for device in SimpleMDM
When enabled, the password for the automatically created admin account will be stored on the Device Details page.
Automatically generate unique local admin password
When enabled, SimpleMDM will automatically generate and set a unique password value for each admin account created. This unique password will be stored on the Device Details page.
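The settings above correspond closely to the keys of Apple's MDM AccountConfiguration command. The sketch below is an added example, not SimpleMDM's own code: the mapping to these settings, the function names, the account names, the iteration count and the hash record layout are assumptions made for illustration. It also enforces Apple's requirement that an auto-created admin be present when the account prompt is skipped or the interactive account is a regular user.

```python
import hashlib
import os
import plistlib
import secrets

def auto_admin(short_name, full_name, hidden=True, iterations=40000):
    """Return (AutoSetupAdminAccounts entry, generated password) for one device."""
    password = secrets.token_urlsafe(18)  # unique per device; the MDM would store this
    salt = os.urandom(32)
    entropy = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, 128)
    # Assumed layout: salted PBKDF2-SHA512 record serialized as a binary plist.
    record = {"SALTED-SHA512-PBKDF2":
              {"entropy": entropy, "iterations": iterations, "salt": salt}}
    entry = {"shortName": short_name, "fullName": full_name, "hidden": hidden,
             "passwordHash": plistlib.dumps(record, fmt=plistlib.FMT_BINARY)}
    return entry, password

def account_configuration(prompt_user=True, short_name=None, full_name=None,
                          lock_fields=False, regular_user=False, admin=None):
    """Build the command dictionary; raise if the Mac would end up with no admin."""
    if (not prompt_user or regular_user) and admin is None:
        raise ValueError("an auto-created admin is required when the prompt is "
                         "skipped or the interactive account is a regular user")
    cmd = {"RequestType": "AccountConfiguration",
           "SkipPrimarySetupAccountCreation": not prompt_user}
    if prompt_user:
        cmd["SetPrimarySetupAccountAsRegularUser"] = regular_user
        cmd["LockPrimaryAccountInfo"] = lock_fields
        if short_name:
            cmd["PrimaryAccountUserName"] = short_name
        if full_name:
            cmd["PrimaryAccountFullName"] = full_name
    if admin is not None:
        cmd["AutoSetupAdminAccounts"] = [admin]
    return cmd

if __name__ == "__main__":
    entry, password = auto_admin("itadmin", "IT Admin")  # constructed names
    cmd = account_configuration(short_name="jdoe", full_name="Jane Doe",
                                lock_fields=True, regular_user=True, admin=entry)
    print(plistlib.dumps({"Command": cmd}).decode())
```

Only the salted hash is placed in the command; the generated plaintext is what an MDM would have to store separately in order to reveal it later.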
Retrieve, rotate and reset stored admin passwords
Retrieve Admin Password:
Admin passwords that are stored for devices can be retrieved via the Security section of the Device Details page for a device. Click "Reveal" to view the passwords stored.
Rotate Admin Password:
To rotate the existing admin password to another random value, click the "Rotate" icon next to the admin password field on the Device Details page.
Reset Admin Password:
To set a new admin password to a specific value, click the pencil icon next to the admin password field on the Device Details page. You will be prompted with a screen to enter a new admin password.
Other Notes:
- SimpleMDM is only able to retrieve/store admin passwords for Macs that are enrolled using Automated Enrollment with both "Automatically create an administrator account" AND "Store admin password for device in SimpleMDM" enabled.
- SimpleMDM is not able to retrieve admin passwords for non-automatically created accounts, nor can passwords be retrieved retroactively if "Store admin password for device in SimpleMDM" was not enabled during a device's enrollment. If the password for an eligible account is set or rotated later, it will be stored automatically.
- SimpleMDM is only able to set/rotate passwords for local admin accounts that are created automatically by MDM during Automated Enrollment. However, the existing password does not need to be stored for MDM to be able to set or rotate it.