Create a Local Admin Account on MacOS using Intune

In this article, we will show you how to create a local admin account on macOS using Intune. With Intune, you can run a shell script to create an additional local admin account on macOS devices that can be useful for temporary IT admin purposes.

On a Mac, an administrator account can change system preferences that control how the Mac works and feels, install software, and perform various other tasks that standard user accounts cannot. You can use Intune to create a local administrator account on macOS devices in the same way that you can on Windows.

On a new Mac, the account you create and sign in to when you first set up your Mac becomes an administrator account. To create or edit user accounts, you’ll need to be logged in as an administrator. To set up an additional local admin account on multiple macOS devices, you can use MDM solutions such as Microsoft Intune. We will show you an easy way to create a local administrator account on macOS devices through Intune.

Tip: On macOS devices, you can enable the guest account via a shell script or the Intune settings catalog. Take a look at this useful guide that explains the steps to enable a guest account on macOS using Intune.

Also Read: Display Lock Screen Message for MacOS Users using Intune

Download CreateLocalAdminAccount.sh Script

Microsoft provides a CreateLocalAdminAccount.sh shell script for creating a local admin account on macOS using Intune. You can download the CreateLocalAdminAccount.sh shell script from the GitHub Shell Intune Samples.

This script creates a new local admin account for temporary IT admin purposes. The admin password is a super simple cipher + base64 of the macOS device serial number. When you run the CreateLocalAdminAccount.sh shell script on macOS devices, it creates a local admin account with the name “Local Admin“. You can modify or change the account name by editing the script.

Download CreateLocalAdminAccount.sh Script
Download CreateLocalAdminAccount.sh Script

You can run shell scripts on macOS devices to extend device management capabilities in Intune. In one of our articles, we demonstrated the steps for deploying shell scripts on macOS using Intune. Go through the guide if you are new to deploying a shell script on macOS devices in Intune.

Note: You can also configure a local administrator account on Mac using mobile device management (MDM) during automated device enrollment through Apple School Manager, Apple Business Manager or Apple Business Essentials.

Also Read: Enable Screen Sharing on MacOS using Intune

Prerequisites for creating a macOS local admin account with Intune

The following prerequisites are required to create a macOS local admin account using Intune:

  • The macOS devices must be running version 11.0 or later.
  • You must enroll macOS devices in Intune before you run shell scripts.
  • Ensure the macOS devices are online and are receiving policies from Intune.
  • Modify the script based on your requirements before you apply it to macOS devices.
  • Shell scripts begin with #! and must be in a valid location, such as #!/bin/sh or #!/usr/bin/env zsh.

Also Read: Set MacOS Desktop Wallpaper using Intune

Create a Local Admin Account on MacOS using Intune

Let’s go through the steps to create a local admin account on macOS devices using Intune.

  • Sign in to the Microsoft Intune Admin Center.
  • Navigate to Devices > macOS and select Shell Scripts.
  • Click the Add button to add the CreateLocalAdminAccount.sh shell script for macOS.
Create a Local Admin Account on MacOS using Intune
Create a Local Admin Account on MacOS using Intune

Enter a name and a description for the script on the Basics tab of the Add Script page. This will make it easier for other administrators to identify what this script does.

For example, you can enter the following information for the macOS Shell script:

  • Name: Create a local admin account on MacOS using Intune
  • Description: The script creates a new local admin account on macOS devices.

Click Next.

Create a Local Admin Account on MacOS using Intune
Create a Local Admin Account on MacOS using Intune

On the Script Settings tab, click on the folder icon to upload the CreateLocalAdminAccount.sh shell script for macOS. You can view the script that has been uploaded to Intune, but you cannot edit or modify the script at this time.

Create a Local Admin Account on MacOS using Intune
Create a Local Admin Account on MacOS using Intune

Scroll down to configure the following script settings in the same window:

  • Run the script as a signed-in user : No
  • Hide script notifications on devices : Yes
  • Script frequency : Every 30 minutes
  • Number of times to retry if script fails : 3

Click Next.

Create a Local Admin Account on MacOS using Intune
Create a Local Admin Account on MacOS using Intune

On the Assignments tab, select the Entra ID groups to assign the create local admin shell script. Select one or more user or device groups to whom you want to assign the script. The groups you select are shown in the list and will receive your script policy. Click Next.

Assign macOS Create Local Admin Script
Assign macOS Create Local Admin Script

On the Review + Add tab, you see a summary of the settings you configured. Select Add to save the script. When you select Add, the script CreateLocalAdminAccount.sh is assigned to the macOS device or user groups you chose.

Create macOS Local Admin Account in Intune
Create macOS Local Admin Account in Intune

The shell script that you added to Intune now appears in the list of scripts under macOS category. If required, you can select and view the contents of macOS shell scripts after you upload them to Intune.

Manually Sync Intune Policies on macOS devices

After you assign CreateLocalAdminAccount.sh to macOS devices, you must wait for the shell script policy to apply to the targeted groups. The macOS devices will receive the script when they check in with the Intune service. To accelerate the process, you can run Check Status in the company portal on your Mac devices to retrieve the latest policies from Intune.

Monitor macOS Create Local Admin Account Script in Intune

In the Intune admin center, you can monitor the create local admin account script that you assigned to macOS devices to find out how many of them received the script successfully.

You can monitor the run status of all assigned macOS scripts for users and devices by choosing one of the following reports in Intune:

  • Shell Scripts > Create Local Admin Account Script > Device status.
  • Shell Scripts > Create Local Admin Account Script > User status.

In the screenshot below, we see the Create Local Admin Account Script has been executed successfully on the macOS device. Should you encounter any script assignment errors, review the Intune logs on macOS devices.

Monitor macOS Create Local Admin Account Script in Intune
Monitor macOS Create Local Admin Account Script in Intune

Verify Local Admin Account on Mac

In this step, we will verify if the CreateLocalAdminAccount.sh has created a local admin account on our mac device. On a Mac computer, you can locate the local admin accounts using these steps:

  • Sign in to your Mac device.
  • Launch System Settings > Users & Groups.
  • You can find all local admin accounts, including guest accounts, right here.

From the screenshot below, we see a new Local Admin account appearing under Users & Groups. This confirms that you can use CreateLocalAdminAccount.sh to create a local admin account on macOS devices.

Verify Local Admin Account on Mac
Verify Local Admin Account on Mac

If you are logged-in as an administrator on your Mac, you can select the macOS Local Admin account and reset its password. This completes the tutorial for creating a local admin account on macOS devices using Microsoft Intune.

Verify Local Admin Account on Mac
Verify Local Admin Account on Mac

4 Comments

  1. Will this work if FileVault is enabled?

    1. Avatar photo Johnson T says:

      Yes, we tested it on our setup and it worked.

  2. I had tried this a few months ago via their scripting, but it just stuck on failed for all my machines – i couldn’t ever get it working correctly unfortunately.
    Glad you were able to have success!

Leave a Reply

Your email address will not be published. Required fields are marked *