Create User Accounts

By Vicky Munsell

Overview of the Create user accounts Parameter

The Create user accounts parameter can be used to create both Standard and Administrator user accounts. It is especially useful because the accounts are created in the desired state during device setup, with no need to change the account ID or location, or to modify any permissions, after the fact.

This Parameter will not duplicate or modify any existing accounts. Kandji will only create the user account if that user account does not currently exist. 

After completing the required fields of Full name, Short Name, and Password, you will have the option to select the path to the home folder and the account type. There is also a toggle to create a sub-500 user account.

Updating a user's password in this parameter will not update the password of an existing local user.

What is a sub-500 hidden user account? 

A sub-500 hidden account is an account created with a UID (User ID) lower than 500. Accounts with a UID lower than 500 are hidden in multiple parts of macOS.

Accounts with a UID lower than 500:

  • Are not shown at the macOS List of Users login window by default.
  • Are hidden from the fast user switching menu.
  • Are not shown in System Preferences > Users and Groups.

Why should I place a hidden account in /private/var?

When you place a User Account's home folder in /private/var, you ensure that the home folder is not in a place that another user might easily see, such as the /Users folder.

See this Apple Support Article for additional information. 

How can I log in with a Hidden Account at the macOS Login Window?

If your macOS devices use the List of Users login window style, you may be unsure how to log in with a hidden user account. You can do this at the login window as follows:

  1. Down arrow 
  2. Option + Return (Enter)
  3. A username and password field will appear where you can log in with your hidden user account.

For more detailed information on Parameters, see the Parameters section of our Knowledge Base.

How do I unlock a FileVault 2 encrypted Mac with a user created by the Parameter?

When the Kandji Agent creates a user based on the "Create user accounts" parameter, it does not automatically grant that user a secure token. This means that you cannot use these user credentials to unlock FileVault after a Mac restarts. You can enable a user for FileVault with the following steps: 

  1. In System Settings, navigate to Privacy & Security Settings > FileVault.
  2. Click the Enable Users button.
  3. Click the Enable User button for the user.
  4. Enter the password, then click OK.
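
To audit the accounts described in the sub-500 and FileVault sections above, the following shell script lists local accounts hidden by a UID lower than 500 and, on a Mac, shows each one's home folder and secure token status. It is an added example, not part of the Kandji documentation; the function names and the sample account names ("kandjiadmin", "jsmith") are hypothetical.

```shell
#!/bin/sh
# Added example: list local accounts that macOS hides because UID < 500,
# excluding Apple's built-in service accounts.

# Reads "name UID" rows (the format of `dscl . -list /Users UniqueID`) on
# stdin and prints "name UID" for each non-system account with UID < 500.
find_sub500_accounts() {
    awk '
        # Built-in macOS accounts: names starting with "_", plus these three.
        $1 ~ /^_/ || $1 == "root" || $1 == "daemon" || $1 == "nobody" { next }
        # Skip malformed rows; UniqueID must be an integer.
        $2 !~ /^-?[0-9]+$/ { next }
        $2 + 0 < 500 { print $1, $2 }
    '
}

# Constructed sample input; the two non-system names are hypothetical.
sample_dscl_output() {
    cat <<'EOF'
_www                    70
daemon                  1
jsmith                  501
kandjiadmin             499
nobody                  -2
root                    0
EOF
}

if command -v dscl >/dev/null 2>&1; then
    # On a Mac: audit the live local directory.
    dscl . -list /Users UniqueID | find_sub500_accounts |
    while read -r name uid; do
        home=$(dscl . -read "/Users/$name" NFSHomeDirectory 2>/dev/null |
               awk '{print $2}')
        # Capture stderr too, where sysadminctl reports the token status.
        token=$(sysadminctl -secureTokenStatus "$name" 2>&1)
        printf '%s uid=%s home=%s\n  %s\n' "$name" "$uid" "$home" "$token"
    done
else
    # Elsewhere: run against the constructed sample.
    sample_dscl_output | find_sub500_accounts
fi
```

Any account in the output that you did not create through the parameter deserves a closer look, and an account whose secure token is reported as disabled cannot unlock FileVault after a restart.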