Now a while back we replaced our LANDesk solution with a new appliance at the time called KBOX (made by KACE, who are now owned by Dell), and the major benefit to us was the support for Macs. LANDesk, though it officially supported Apple Macs, was quite weak and we couldn’t rely on it. Shame really, as LANDesk for PCs was fantastic in my eyes!
Now the problem came a week before. Basically, because of various acquisitions and no set standard for the local admin account on Macs, doing a mass roll-out of the new KBOX Agent to 200-odd Macs was going to be quite a challenge. So I created a little script (works in Leopard and Tiger, but I cannot confirm for Panther or Jaguar) and packaged it using Package Maker on my Mac (this is part of the developer add-ins that come on the OS X discs):
sudo /usr/bin/dscl . -create /Users/macadmin
sudo /usr/bin/dscl . -create /Users/macadmin UserShell /bin/bash
sudo /usr/bin/dscl . -create /Users/macadmin RealName "macadmin"
sudo /usr/bin/dscl . -create /Users/macadmin UniqueID 550
sudo /usr/bin/dscl . -create /Users/macadmin PrimaryGroupID 20
sudo /usr/bin/dscl . -create /Users/macadmin NFSHomeDirectory /Users/macadmin
sudo /usr/bin/dscl . -passwd /Users/macadmin password
sudo /usr/bin/dscl . -append /Groups/admin GroupMembership macadmin
sudo /usr/bin/dscl . -create /Users/macadmin picture "/Library/User Pictures/Sports/8ball.tif"
Now this creates a Mac admin account called… well, macadmin! Now I’ll walk through what exactly this script does so you’re more aware and can customise it to your own liking. I have labelled items you can customise for yourself in red.
“sudo /usr/bin/dscl . -create /Users/macadmin” creates a user with the short name macadmin. (If you are used to UNIX then you’ll know short names are limited to 8 characters; Macs don’t care and let you put in whatever you want, but for best practice stick to 8 characters or below.)
“sudo /usr/bin/dscl . -create /Users/macadmin UserShell /bin/bash” tells OS X that whenever the user opens Terminal, the default shell will be /bin/bash. This is the default for Mac users, so it would be best to leave it as it is.
“sudo /usr/bin/dscl . -create /Users/macadmin RealName "macadmin"” makes the actual login name macadmin (you can also log in with the short name). For me, my short name is mightymd (because my name is longer than 8 characters, it’s simply mighty and then my initials) and my RealName is Mike Donaldson.
“sudo /usr/bin/dscl . -create /Users/macadmin UniqueID 550” and “sudo /usr/bin/dscl . -create /Users/macadmin PrimaryGroupID 20” give the account a UniqueID and a PrimaryGroupID. The UniqueID is required and starts from 501 for the first account, then 502 for the second account, and so on, so I have chosen 550 because it’s doubtful you will have 49 other local accounts on your Macs! The PrimaryGroupID is set to 20 by default, so I have left that as is.
“sudo /usr/bin/dscl . -create /Users/macadmin NFSHomeDirectory /Users/macadmin” creates and sets the user’s profile to be saved in /Users/macadmin. Obviously, if you call your user something else then it would be /Users/username.
“sudo /usr/bin/dscl . -passwd /Users/macadmin password” sets the macadmin account’s password to password, so you can put in whatever you like for this. But you need to keep this script safe: the password is sitting there in clear text, which is risky if everyone can access it.
“sudo /usr/bin/dscl . -append /Groups/admin GroupMembership macadmin” This adds the macadmin user to the admin GroupMembership.
“sudo /usr/bin/dscl . -create /Users/macadmin picture "/Library/User Pictures/Sports/8ball.tif"” is just there to give the account a specific login picture. I use the 8ball, but you can pick whatever you like. Just take a look in “/Library/User Pictures”, choose your favourite and add it in.
Now you can run that via ARD, or save it as a .sh file using Text or Xcode (I prefer using Xcode just so I can verify my scripts) and then package it using Package Maker. You then have your own .pkg file to deploy whenever you are at the Macs in question, and bingo!
The next problem I came up against was turning on VNC support on the Macs and setting a password for it. The command below does this easily enough. It turns on VNC, gives all local users full access, restarts the agent so the changes are in place, and lets you specify a password, so that when you connect via UltraVNC/RealVNC or any other VNC product it will ask for a password first and no-one can just hop on to anyone else’s Mac without authorisation:
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -allUsers -privs -all -restart -agent -menu -clientopts -setvnclegacy -vnclegacy yes -setvncpw -vncpw "password"
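The clear-text password risk mentioned for the dscl -passwd line applies equally to the kickstart -vncpw option. As an added example (not part of the original post), the shell function below scans a deployment script for either command carrying a literal password before it gets packaged; the function names and the sample script are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): find literal passwords passed to
# `dscl -passwd` or `kickstart -vncpw` in a deployment script.

# Constructed sample input, modelled on the commands in the post.
sample_script() {
    cat <<'EOF'
#!/bin/sh
sudo /usr/bin/dscl . -create /Users/macadmin UniqueID 550
sudo /usr/bin/dscl . -passwd /Users/macadmin password
# sudo /usr/bin/dscl . -passwd /Users/macadmin oldpassword
sudo /usr/bin/dscl . -passwd /Users/macadmin "$ADMIN_PW"
sudo /usr/bin/dscl . -passwd /Users/macadmin
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -clientopts -setvncpw -vncpw "password"
EOF
}

# scan_cleartext_secrets FILE   ("-" reads standard input)
# Prints "<line number>:<kind>" for each command carrying a literal secret.
scan_cleartext_secrets() {
    awk '
    # A token is a literal secret unless it is missing or a variable reference.
    function is_literal(tok) {
        return tok != "" && tok !~ /^"?\$/
    }
    /^[ \t]*#/ { next }                      # ignore commented-out lines
    {
        for (i = 1; i <= NF; i++) {
            # dscl . -passwd <user path> <new password>
            if ($i == "-passwd" && $0 ~ /dscl/ && is_literal($(i + 2)))
                print NR ":dscl-passwd"
            # kickstart ... -vncpw <password>
            if ($i == "-vncpw" && $0 ~ /kickstart/ && is_literal($(i + 1)))
                print NR ":vnc-passwd"
        }
    }' "${1:--}"
}

# Audit the file named on the command line, or fall back to the constructed sample.
if [ -f "${1:-}" ]; then
    scan_cleartext_secrets "$1"
else
    sample_script | scan_cleartext_secrets -
fi
```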
And then once you’ve got it all working… have a beer!