Home > Casper, FileVault 2, Scripting > Hiding an FileVault 2-enabled admin user with Casper

Hiding an FileVault 2-enabled admin user with Casper

February 22, 2012 Leave a comment Go to comments

As mentioned in a prior post, it’s beneficial for Mac admins in a number of Mac environments to hide the IT administrator account so that it can’t be deleted or altered by other users on those Macs. One way you can hide the account is to create it using a UID that’s lower than 500.

However, when encrypting Macs with FileVault 2, an account needs to have a UID higher than 500 to be enabled to unlock the FileVault 2 encrypted drive. Unfortunately, that means that the account is now “visible” to the users that the Mac admin wants to hide it from.

Thanks to work by Allen Golbig, it looks like there’s an answer to this problem for Casper users. See below the jump for the procedure.

First, create the user account that you want to (eventually) add as an hidden admin user. For this example, we’ll set up a user called fv2test by running the following command:

sudo jamf createAccount -username “fv2test” -realname “FV2Test” -password “password” -home “/private/var/fv2test” -admin


This will create a fv2test user account with a UID higher than 500, but whose home folder is stored in /private/var.

Screen Shot 2012-02-22 at 1.52.53 PM

Screen Shot 2012-02-22 at 1.53.02 PM

Next, we’ll need to encrypt the Mac and enable the fv2test user.

Screen Shot 2012-02-22 at 1.55.38 PM

On the Casper server side, we’ll need to set up a smart group to detect that the Mac has been encrypted. If you’re running Casper 8.31 or higher, you can use Casper’s built-in inventory option for FileVault 2 encryption.

Screen Shot 2011-10-23 at 11.18.30 AM

Screen Shot 2011-10-23 at 11.19.16 AM

Alternatively, you can use the Extension Attribute that I’ve written and made available here.

Once the smart group has been set up, set up a script that checks for the “visible” admin user account and gives it a sub-500 UID:

—–

#!/bin/sh

adminID=`dscl . -read /Users/fv2test UniqueID | awk '{print $2}'`

if [ $adminID -gt "500" ];then
dscl . -change /Users/fv2test UniqueID $adminID 101
chown -R fv2test /var/fv2test
defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool YES
else
echo "UniqueID is below 500"
fi


—–

Next, set up a policy that’s run on machines entering the encrypted Mac smart group.

Screen Shot 2012-02-22 at 2.18.13 PM

Screen Shot 2012-02-22 at 2.18.19 PM

Screen Shot 2012-02-22 at 2.18.24 PM

Once it’s all together, your FV 2-enabled user will be hidden automatically by your Casper server when it checks in.

Screen Shot 2012-02-22 at 2.32.37 PM

Screen Shot 2012-02-22 at 2.33.29 PM

Your user is now hidden in the OS, but it will still show up at the FileVault 2 pre-boot login screen.

Screen Shot 2012-02-22 at 1.56.53 PM

Screen Shot 2012-02-22 at 1.57.05 PM

Categories: Casper, FileVault 2, Scripting
  1. Clif H
    September 28, 2012 at 1:45 pm
    Reply

    Rich, do you know of any way to hide FV users from the pre-boot screen? Assuming no as no way for just user/pass fields but figured if anyone knew it would be you.

    • rtrouton
      September 28, 2012 at 1:47 pm
      Reply

      No, there is currently no way to hide an FileVault 2-enabled account’s icon from being displayed at the FileVault 2 pre-boot login screen.

      • Peter Trondsen
        January 23, 2018 at 5:25 pm

        Rich, is that still the case, no way to hide a FileVault-2 enabled user from the preboot screen?

  1. No trackbacks yet.

Leave a comment