Create Image with no local user (for easy FileVault2 Encryption)

Hi,

We're currently building our image for deployment to about 30 Macs, so we can manage them centralized with PMM. During our testing, we found two issues:
1. we don't want a local admin account. this account would have the same password on all our macs. We regard this a security issue as it can be brute forced or if it was leaked.
2. FileVault2 needs the password for every user on the Mac before it starts encrypting. This is by design - if it didn't have the passwort, that user would no longer be able to boot the Mac. Why Apple doesn't make use of TPM like Windows for unlocking the disk and let the login screen handle the user auth is beyond me. Then again, looking at the recent bug where you could just login as root if you tried too many times, maybe because their developers are so incompetent, this seems like a good idea.

So, how do you achieve that - especially considering that there's a Bug in High Sierra which prevents you from deleting the original user you've created during the initial setup.

Here's a step by step guide how we managed to do this (tested in OS X 10.13.3):
1. Add a second local Admin Account (via GUI)
2. Reboot into safe mode (by holding the Shift-Key during Reboot)
3. Login as the second Admin, delete the first user (via GUI), then Reboot (regularly)
4. Login as the second Admin. Join the Mac to the domain. Make sure that Domain Admins (or a specific domain user) are allowed to manage the mac. Also, DO NOT create mobile account
5. Reboot & Login as domain user with local admin privilidges
6. Remove the admin priviledges of the second local admin account via terminal (sudo dseditgroup -o edit -d SecondAdmin -t user admin)
7. Reboot & Login as domain user with local admin privilidges
8. Remove the second local (now no longer) admin account via terminal (sudo dscl . delete /Users/SecondAdmin; sudo rm -rf /Users/SecondAdmin)

Now, you're almost there as in there's no local user anymore. However, there is still a problem - your current system is domain joined. If you were to capture the image now, the "Join Domain" step in the task sequence unfortunatly doesn't quite do what you'd expect it to do. The newly deployed Mac would still be domain joined, but it does not create a new ADComputer Object with the NEW Hostname you've set previously with the "Set Host Name" step. This is because you can join a Mac to the Domain using a different ComputerName than the Mac's internal Computer Name. So, we continue ...

9. reboot for good measure & Login as domain user with local admin priviledges
10. (optional) sudo rm -rf /Users/DomainUserName
11. Unbind the Mac from the AD via GUI. This will seriously f*** up your Mac, because you are now logged on as a user that is no longer valid. Mine didn't even reboot properly anymore, as in I had to press the power button for 5 seconds.
12. Power on with alt (Option) Key pressed. Boot from network, capture the image.

The image on the mac is now broken by itself as there are no users left who could login. However, if you use it as a base for a task sequence which will join a domain and add some users of that domain to manage the mac, then this is not an issue.

With these settings, you can deploy a FileVault2 Configuration Baseline to the Mac. The first user who logs onto the Mac will see the popup that the disk needs to be encrypted. The only password FileVault2 asks for is the only user's password on the mac, which the user obviously has (he just used it to logon some seconds ago).

Hope this helps someone

 

Thank you for sharing