Hiding a FileVault 2-enabled admin user with Casper
As mentioned in a prior post, it’s beneficial for Mac admins in a number of Mac environments to hide the IT administrator account so that it can’t be deleted or altered by other users on those Macs. One way you can hide the account is to create it using a UID that’s lower than 500.
However, when encrypting Macs with FileVault 2, an account needs to have a UID higher than 500 to be enabled to unlock the FileVault 2 encrypted drive. Unfortunately, that means that the account is now “visible” to the users that the Mac admin wants to hide it from.
Thanks to work by Allen Golbig, it looks like there’s an answer to this problem for Casper users. See below the jump for the procedure.
First, create the user account that you want to (eventually) add as a hidden admin user. For this example, we’ll set up a user called fv2test by running the following command:
sudo jamf createAccount -username "fv2test" -realname "FV2Test" -password "password" -home "/private/var/fv2test" -admin
This will create a fv2test user account with a UID higher than 500, but whose home folder is stored in /private/var.
Next, we’ll need to encrypt the Mac and enable the fv2test user.
On the Casper server side, we’ll need to set up a smart group to detect that the Mac has been encrypted. If you’re running Casper 8.31 or higher, you can use Casper’s built-in inventory option for FileVault 2 encryption.
Alternatively, you can use the Extension Attribute that I’ve written and made available here.
Once the smart group has been set up, set up a script that checks for the “visible” admin user account and gives it a sub-500 UID:
-----
#!/bin/sh
# Read the account's current UID from Directory Services.
adminID=`dscl . -read /Users/fv2test UniqueID | awk '{print $2}'`
if [ "$adminID" -gt 500 ]; then
    # Move the account to a sub-500 UID so the login window treats it as a system account.
    dscl . -change /Users/fv2test UniqueID "$adminID" 101
    # Re-own the home folder, since file ownership is stored by numeric UID.
    chown -R fv2test /var/fv2test
    # Make sure the login window hides accounts whose UID is below 500.
    defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool YES
else
    echo "UniqueID is below 500"
fi
-----
Next, set up a policy that’s run on machines entering the encrypted Mac smart group.
Once it’s all together, your FV 2-enabled user will be hidden automatically by your Casper server when it checks in.
Your user is now hidden in the OS, but it will still show up at the FileVault 2 pre-boot login screen.
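As an added example (not from the original post and not Allen Golbig's script), here is the same UID check with one extra safeguard: instead of hardcoding 101, it picks the lowest UID between 101 and 499 that no existing account already uses, reading the "name uid" lines that `dscl . -list /Users UniqueID` prints. A constructed sample of that output is embedded so the script runs anywhere, and the hide step prints the dscl/chown/defaults commands the policy script would run instead of executing them. The names find_free_uid, needs_hiding, hide_commands and SAMPLE_UIDS are my own.

```shell
#!/bin/sh
# Added example: choose an unused sub-500 UID for the hidden admin account.
# Dry-run only: nothing here modifies the system.

# find_free_uid LOW HIGH  (reads "name uid" lines on stdin, the format of
# `dscl . -list /Users UniqueID`) and echoes the lowest UID in [LOW, HIGH]
# that no account uses. Returns 1 and prints nothing if the range is full.
find_free_uid() {
    low="$1"; high="$2"
    used=$(awk '{print $2}')        # second column of every line = the UID
    candidate="$low"
    while [ "$candidate" -le "$high" ]; do
        if ! printf '%s\n' "$used" | grep -qx "$candidate"; then
            echo "$candidate"
            return 0
        fi
        candidate=$((candidate + 1))
    done
    return 1
}

# needs_hiding UID: true when the UID is 500 or above, i.e. the login window
# would list the account once Hide500Users is set.
needs_hiding() {
    [ "$1" -ge 500 ]
}

# hide_commands ACCOUNT OLD_UID NEW_UID: print the commands the post's policy
# script runs, with the chosen UID substituted for the hardcoded 101.
hide_commands() {
    printf 'dscl . -change /Users/%s UniqueID %s %s\n' "$1" "$2" "$3"
    printf 'chown -R %s /private/var/%s\n' "$1" "$1"
    printf 'defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool YES\n'
}

# Constructed sample of `dscl . -list /Users UniqueID` output (not captured
# from a real Mac). 101 and 102 are deliberately taken to show the skip.
SAMPLE_UIDS="root 0
daemon 1
_lp 26
_www 70
_spotlight 89
_unknown 99
_hiddenadmin 101
_backup 102
fv2test 502
nobody -2
"

# Demonstration: look up fv2test in the sample, pick a free UID, show the plan.
current=$(printf '%s' "$SAMPLE_UIDS" | awk '$1 == "fv2test" {print $2}')
if needs_hiding "$current"; then
    new_uid=$(printf '%s' "$SAMPLE_UIDS" | find_free_uid 101 499) || {
        echo "no free UID between 101 and 499" >&2
        exit 1
    }
    echo "fv2test has UID $current; would move it to $new_uid:"
    hide_commands fv2test "$current" "$new_uid"
else
    echo "fv2test already has UID $current; nothing to do"
fi
```

On a real Mac you would replace the sample with the live `dscl . -list /Users UniqueID` output and run the printed commands instead of echoing them; the collision check matters because Apple's own system accounts occupy many UIDs under 500, and assigning one that is already in use would give two accounts the same numeric owner on disk.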
Rich, do you know of any way to hide FV users from the pre-boot screen? Assuming no as no way for just user/pass fields but figured if anyone knew it would be you.
No, there is currently no way to hide a FileVault 2-enabled account’s icon from being displayed at the FileVault 2 pre-boot login screen.
Rich, is that still the case, no way to hide a FileVault-2 enabled user from the preboot screen?