Create a Local Admin Account on MacOS using Intune

In this article, we will show you how to create a local admin account on macOS using Intune. With Intune, you can run a shell script to create an additional local admin account on macOS devices, which can be useful for temporary IT admin purposes.

On a Mac, an administrator account can change system preferences that control how the Mac works and feels, install software, and perform various other tasks that standard user accounts cannot. You can use Intune to create a local administrator account on macOS devices in the same way that you can on Windows.

On a new Mac, the account you create and sign in to when you first set up your Mac becomes an administrator account. To create or edit user accounts, you’ll need to be logged in as an administrator. To set up an additional local admin account on multiple macOS devices, you can use MDM solutions such as Microsoft Intune. We will show you an easy way to create a local administrator account on macOS devices through Intune.

Tip: On macOS devices, you can enable the guest account via a shell script or the Intune settings catalog. Take a look at this useful guide that explains the steps to enable a guest account on macOS using Intune.


Download CreateLocalAdminAccount.sh Script

Microsoft provides a CreateLocalAdminAccount.sh shell script for creating a local admin account on macOS using Intune. You can download the CreateLocalAdminAccount.sh shell script from the GitHub Shell Intune Samples repository.

This script creates a new local admin account for temporary IT admin purposes. The admin password is a super simple cipher + base64 of the macOS device serial number. When you run the CreateLocalAdminAccount.sh shell script on macOS devices, it creates a local admin account with the name "Local Admin". You can change the account name by editing the script.
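As an added illustration (this is not the contents of Microsoft's CreateLocalAdminAccount.sh, which you download from the linked repository), the following script shows the shape such an Intune shell script takes: read the device serial number, derive the password as a simple cipher plus base64 of it, create the account only if it does not already exist, and confirm that the account is a member of the admin group. The account name "localadmin", the log path and the ROT13 substitution used as the "simple cipher" are placeholders chosen for this example; the sample script's actual cipher is not shown on this page.

```shell
#!/bin/sh
# Added example, not Microsoft's CreateLocalAdminAccount.sh. It shows the
# structure of an Intune shell script that creates a temporary local admin
# account on macOS. The account name, log path and ROT13 step are placeholders.

ACCOUNT_NAME="localadmin"
ACCOUNT_FULLNAME="Local Admin"
LOG="/var/log/intune-localadmin.log"

# Derive the account password from the serial number: a simple substitution
# (ROT13 here, a placeholder) followed by base64, as the script description says.
derive_password() {
    printf '%s' "$1" | tr 'A-Za-z' 'N-ZA-Mn-za-m' | base64 | tr -d '\n'
}

# Read the hardware serial number from the I/O registry (macOS only).
device_serial() {
    ioreg -rd1 -c IOPlatformExpertDevice | awk -F'"' '/IOPlatformSerialNumber/ {print $4}'
}

# Returns 0 if the account exists in the local directory node, 1 otherwise.
user_exists() {
    dscl . -read "/Users/$1" >/dev/null 2>&1
}

# Returns 0 if the account is a member of the admin group, 1 otherwise.
# The same check verifies the result after the script has run.
is_admin() {
    dseditgroup -o checkmember -m "$1" admin >/dev/null 2>&1
}

# Create the account as a local administrator, skipping creation when it is
# already present: Intune reruns the script on its schedule (every 30 minutes
# in this article), so the script has to be safe to run repeatedly.
create_admin_account() {
    name="$1"
    password="$2"
    if user_exists "$name"; then
        echo "$(date) $name already exists, nothing to do"
        return 0
    fi
    sysadminctl -addUser "$name" -fullName "$ACCOUNT_FULLNAME" -password "$password" -admin
    is_admin "$name"
}

main() {
    serial="$(device_serial)"
    if [ -z "$serial" ]; then
        echo "$(date) could not read the device serial number" >&2
        return 1
    fi
    create_admin_account "$ACCOUNT_NAME" "$(derive_password "$serial")" >>"$LOG" 2>&1
}

# Intune runs the script as root when "Run the script as a signed-in user" is
# set to No. Outside that context (or on a non-Mac) only the helpers are defined.
if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" = "0" ]; then
    main
fi
```

The existence check is what lets the script tolerate the 30-minute schedule and the retry count configured later in this article. Because the derived password depends only on the serial number, the account is only as protected as the cipher; treat it as the temporary IT admin account the script description calls it, and reset its password from Users & Groups or remove the account once the task is finished.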

Download CreateLocalAdminAccount.sh Script

You can run shell scripts on macOS devices to extend device management capabilities in Intune. In one of our articles, we demonstrated the steps for deploying shell scripts on macOS using Intune. Go through that guide if you are new to deploying shell scripts on macOS devices in Intune.

Note: You can also configure a local administrator account on Mac using mobile device management (MDM) during automated device enrollment through Apple School Manager, Apple Business Manager or Apple Business Essentials.


Prerequisites for creating a macOS local admin account with Intune

The following prerequisites are required to create a macOS local admin account using Intune:

  • The macOS devices must be running version 11.0 or later.
  • You must enroll macOS devices in Intune before you run shell scripts.
  • Ensure the macOS devices are online and are receiving policies from Intune.
  • Modify the script based on your requirements before you apply it to macOS devices.
  • Shell scripts must begin with a #! line that points to a valid interpreter location, such as #!/bin/sh or #!/usr/bin/env zsh.


Create a Local Admin Account on MacOS using Intune

Let’s go through the steps to create a local admin account on macOS devices using Intune.

  • Sign in to the Microsoft Intune Admin Center.
  • Navigate to Devices > macOS and select Shell Scripts.
  • Click the Add button to add the CreateLocalAdminAccount.sh shell script for macOS.
Create a Local Admin Account on MacOS using Intune

Enter a name and a description for the script on the Basics tab of the Add script page. This makes it easier for other administrators to identify what the script does.

For example, you can enter the following information for the macOS Shell script:

  • Name: Create a local admin account on MacOS using Intune
  • Description: The script creates a new local admin account on macOS devices.

Click Next.

Create a Local Admin Account on MacOS using Intune

On the Script Settings tab, click the folder icon to upload the CreateLocalAdminAccount.sh shell script for macOS. You can view the script that has been uploaded to Intune, but you cannot edit or modify it at this point.

Create a Local Admin Account on MacOS using Intune

Scroll down to configure the following script settings in the same window:

  • Run the script as a signed-in user: No
  • Hide script notifications on devices: Yes
  • Script frequency: Every 30 minutes
  • Number of times to retry if script fails: 3

Click Next.

Create a Local Admin Account on MacOS using Intune

On the Assignments tab, select the Entra ID groups to which you want to assign the create local admin shell script. You can select one or more user or device groups. The groups you select are shown in the list and will receive the script policy. Click Next.

Assign macOS Create Local Admin Script

On the Review + Add tab, you see a summary of the settings you configured. Select Add to save the script. When you select Add, the script CreateLocalAdminAccount.sh is assigned to the macOS device or user groups you chose.

Create macOS Local Admin Account in Intune

The shell script that you added to Intune now appears in the list of scripts under the macOS category. If required, you can select a macOS shell script and view its contents after you have uploaded it to Intune.

Manually Sync Intune Policies on macOS devices

After you assign CreateLocalAdminAccount.sh to macOS devices, you must wait for the shell script policy to apply to the targeted groups. The macOS devices receive the script when they check in with the Intune service. To speed this up, you can run Check Status in the Company Portal app on your Mac devices to retrieve the latest policies from Intune.

Monitor macOS Create Local Admin Account Script in Intune

In the Intune admin center, you can monitor the create local admin account script that you assigned to macOS devices to find out how many of them received the script successfully.

You can monitor the run status of all assigned macOS scripts for users and devices by choosing one of the following reports in Intune:

  • Shell Scripts > Create Local Admin Account Script > Device status.
  • Shell Scripts > Create Local Admin Account Script > User status.

In the screenshot below, we see that the Create Local Admin Account Script has been executed successfully on the macOS device. Should you encounter any script assignment errors, review the Intune logs on macOS devices.

Monitor macOS Create Local Admin Account Script in Intune

Verify Local Admin Account on Mac

In this step, we will verify whether the CreateLocalAdminAccount.sh script has created a local admin account on our Mac device. On a Mac computer, you can locate the local admin accounts using these steps:

  • Sign in to your Mac device.
  • Launch System Settings > Users & Groups.
  • All local accounts, including admin accounts and the guest account, are listed here.

From the screenshot below, we see a new Local Admin account appearing under Users & Groups. This confirms that you can use CreateLocalAdminAccount.sh to create a local admin account on macOS devices.

Verify Local Admin Account on Mac

If you are logged in as an administrator on your Mac, you can select the macOS Local Admin account and reset its password. This completes the tutorial on creating a local admin account on macOS devices using Microsoft Intune.

Verify Local Admin Account on Mac
