Recommended fix for the mk_hidden_user.sh script in the macOS installer package.
The existing script triggers the security prompt because it is using outdated methods of working with the dscl command.
I'd like to suggest the remove user bit be skipped completely, as that will always trigger the security prompt, and the majority of the -append's be replaced by -create's. Below is what I believe an updated version should look like, based on a conversation I had with the creator of the mkuser script on GitHub while trying to provide an external workaround for automatic installation of Panopto Recorder on macOS in an enterprise environment.
#!/bin/bash
# Creates a hidden, disabled service account with dscl. bash is required for the
# [[ ]] tests used below (the original #!/bin/sh shebang did not match them).
set -e

pick_uid()
{
    # pick an unused UID in the 401-499 range; the loop bound is checked
    # before each search so the result can never fall outside that range
    new_uid=401
    while [[ $new_uid -le 499 ]]
    do
        found=$(dscl . -search /Users UniqueID "$new_uid" | wc -l)
        if [[ $found -eq 0 ]]
        then
            return 0
        fi
        new_uid=$((new_uid + 1))
    done
    echo "Failed to find an unused UID in the range 401-499" >&2
    exit 1
}

# parameter 1 is the username
username="$1"
# parameter 2 is the desired home path
homefolder="$2"
if [[ -z "$username" || -z "$homefolder" ]]
then
    echo "Usage: mk_hidden_user.sh USERNAME HOMEFOLDER" >&2
    exit 1
fi

if [[ $(dscl . -search /Users name "$username" | wc -l) -eq 0 ]]
then
    pick_uid
    echo "Creating $username ( $new_uid ) user..."
    sudo dscl . -create "/Users/$username" UniqueID "$new_uid"
    # The tag mkuser uses so this account is never granted a Secure Token
    sudo dscl . -append "/Users/$username" AuthenticationAuthority ';DisabledTags;SecureToken'
    sudo dscl . -create "/Users/$username" PrimaryGroupID 1
    sudo dscl . -create "/Users/$username" NFSHomeDirectory "$homefolder"
    sudo dscl . -create "/Users/$username" UserShell /sbin/nologin
    sudo dscl . -passwd "/Users/$username" this_password_is_disabled
fi

if [[ ! -e "$homefolder" ]]
then
    echo "Creating $homefolder"
    sudo mkdir -p "$homefolder"
    sudo chown "$username" "$homefolder"
    sudo chmod 755 "$homefolder"
fi

# Mark the user as disabled (only once, so re-running the installer does not
# append a duplicate tag to AuthenticationAuthority)
if ! dscl . -read "/Users/$username" AuthenticationAuthority | grep -q ';DisabledUser;'
then
    echo "Disabling $username via dscl..."
    sudo dscl . -append "/Users/$username" AuthenticationAuthority ';DisabledUser;'
fi

# Hide all sub-500 UID users from the login window
echo "Hiding all sub-500 UID users..."
sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool YES

# Also hide the user specifically (belt & suspenders); skip the -array-add when
# the name is already listed so the array does not grow on every run
echo "Hiding $username from login window..."
if ! defaults read /Library/Preferences/com.apple.loginwindow HiddenUsersList 2>/dev/null | grep -qw "$username"
then
    sudo defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array-add "$username"
fi
sudo dscl . -create "/Users/$username" dsAttrTypeNative:IsHidden 1
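A post-install check to go with the script above, added here as an example and not part of the original post or of the Panopto installer: it takes the text that `dscl . -read /Users/NAME` prints and confirms the account ended up in the 401-499 range, with a non-login shell, marked hidden and disabled, and with the `;DisabledTags;SecureToken` tag present and no `;SecureToken;` granted. The attribute layout (one `Key: value` line per attribute, continuation lines indented) and the two sample records, including the `_panoptosvc` name, are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the original post): verify a hidden service account.
# check_hidden_user RECORD  -> returns 0 if every check passes, 1 otherwise,
# printing each failed check on stderr. RECORD is the output of
# `dscl . -read /Users/NAME` (format assumed as in the constructed samples below).
set -e

check_hidden_user() {
    record="$1"
    fail=0

    uid=$(printf '%s\n' "$record" | awk '/^UniqueID:/ {print $2}')
    shell=$(printf '%s\n' "$record" | awk '/^UserShell:/ {print $2}')
    # IsHidden may read back as a standard or a native attribute
    hidden=$(printf '%s\n' "$record" | awk '/^(dsAttrTypeNative:)?IsHidden:/ {print $2}')
    # multi-valued attribute: join the header line with any indented continuation lines
    auth=$(printf '%s\n' "$record" | awk '
        /^AuthenticationAuthority:/ { p = 1; printf "%s ", $0; next }
        /^ /                        { if (p) printf "%s ", $0; next }
                                    { p = 0 }')

    case "$uid" in
        40[1-9]|4[1-9][0-9]) ;;
        *) echo "FAIL: UniqueID '$uid' is not in 401-499" >&2; fail=1 ;;
    esac
    case "$shell" in
        /sbin/nologin|/usr/bin/false) ;;
        *) echo "FAIL: UserShell '$shell' allows logins" >&2; fail=1 ;;
    esac
    [ "$hidden" = 1 ] || { echo "FAIL: IsHidden is '$hidden', expected 1" >&2; fail=1; }
    case "$auth" in
        *";DisabledUser;"*) ;;
        *) echo "FAIL: account is not marked ;DisabledUser;" >&2; fail=1 ;;
    esac
    case "$auth" in
        *";DisabledTags;SecureToken"*) ;;
        *) echo "FAIL: missing ;DisabledTags;SecureToken, a Secure Token could be granted later" >&2; fail=1 ;;
    esac
    case "$auth" in
        *";SecureToken;"*) echo "FAIL: account already holds a Secure Token" >&2; fail=1 ;;
    esac
    return "$fail"
}

# Constructed sample records (not captured from a real machine).
GOOD_RECORD='RecordName: _panoptosvc
UniqueID: 401
PrimaryGroupID: 1
NFSHomeDirectory: /var/_panoptosvc
UserShell: /sbin/nologin
IsHidden: 1
AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;DisabledTags;SecureToken ;DisabledUser;'

BAD_RECORD='RecordName: panopto
UniqueID: 502
PrimaryGroupID: 20
NFSHomeDirectory: /Users/panopto
UserShell: /bin/zsh
AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;SecureToken;'

# When run with a user name on a Mac, check the live record instead of the samples.
if [ "$#" -gt 0 ]; then
    check_hidden_user "$(dscl . -read "/Users/$1")"
fi
```

Run it as `sh check_hidden_user.sh USERNAME` after the installer; a non-zero exit means at least one property did not stick, which is the case worth catching before the package ships.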
Comments
In short, I've had a script for years that creates the user account before installing Panopto and doesn't trigger the Security Prompt, as a workaround, and it was overdue being reported that the issue could be fixed in the installer package.