PCoIP MAC Agent: How to deploy AD Users to macOS agents with Mobile User accounts only

Problem

The issue is that when a new user logs in for the first time, macOS throws up a series of dialog boxes asking for confirmation of various things such as privacy settings, Siri usage, etc.  The macOS agent does not see/have access to these dialogs.  If a new user is “pre-logged-in” via the console or VNC/ARD, those dialog boxes can be acknowledged and once that is done, connections via the agent work as expected.
 
The script modifies the template macOS uses to create new users, and it also iterates through any existing local user accounts to make the same changes. The environment variables are held in the user’s profile. The script is two years old and referenced macOS 10.7; it is now modified for macOS 11.6, since it has some additional dialogs over those in 10.7.
 
macOS supports two forms of non-local account, namely Network Users and Mobile Users. Network Users can only log in when the Mac is online and can reach an external authentication server, e.g. AD or LDAP. Mobile Users are network accounts that also have a local cache. This allows previously authenticated users to work on a Mac when it is offline or connected to a different network.
 
If the Mobile User accounts are pre-created with matching AD usernames, those accounts are created using the script-modified templates and, consequently, AD users can successfully log in via PCoIP without having been previously logged in by other means. Pre-creating the Mobile Users creates a profile for them in which the environment variables are stored.
 
Investigations into setting up the environment for Network Users are ongoing. Network Users do not have a user profile created until they first log in. Attempting to log a new Network User in via PCoIP fails because there is no profile. When a new Network User is logged in via the console/VNC, the profile is created (and matches the tweaked template), and those accounts can then connect via PCoIP.

 
 

Resolution

Starting in 10.7.2, Apple has added several pop-up windows which appear at the first login of a new account:

 

  • Mac OS X 10.7.2: iCloud sign-in window
  • OS X 10.10: Diagnostic agreement window
  • macOS 10.12: Siri setup window
  • macOS 10.13.0: Touch ID Setup window
  • macOS 10.13.4: Data & Privacy information window
  • macOS 10.14.0: Dark or Light Appearance window
  • macOS 10.15.0: Activation Lock window
  • macOS 10.15.0: Screentime window

Since having these appear may not be desirable in all Mac environments, it makes sense to be able to turn these pop-up windows off for new user accounts.

Apple is using ~/Library/Preferences/com.apple.SetupAssistant.plist to store the settings that indicate whether or not the various agreement processes have run. Building on work done by the folks behind DeployStudio, I've built a script that pre-sets those values for new and existing accounts on a particular Mac. In turn, that should stop the various pop-up messages from appearing on that Mac.

This script is also available as a payload-free package, available for download from the payload_free_package directory.

disable_apple_icloud_data_privacy_diagnostic_touch_id_siri_activation_lock_and_screentime_pop_ups.sh

#!/bin/bash

# Determine OS version
# Save current IFS state

OLDIFS=$IFS

IFS='.' read osvers_major osvers_minor osvers_dot_version <<< "$(/usr/bin/sw_vers -productVersion)"

# restore IFS to previous state

IFS=$OLDIFS
sw_vers=$(sw_vers -productVersion)

# Determine OS build number

sw_build=$(sw_vers -buildVersion)

# Checks first to see if the Mac is running 10.7.0 or higher.
# If so, the script checks the system default user template
# for the presence of the Library/Preferences directory. Once
# found, the iCloud, Data & Privacy, Diagnostic, Touch ID, Screentime
# Activation Lock and Siri pop-up settings are set to be disabled.

if [[ ( ${osvers_major} -eq 10 && ${osvers_minor} -ge 7 ) ]] || [[ ( ${osvers_major} -ge 11 ) ]]; then

 for USER_TEMPLATE in "/System/Library/User Template"/*
  do
    /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant DidSeeCloudSetup -bool TRUE
    /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant GestureMovieSeen none
    /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant LastSeenCloudProductVersion "${sw_vers}"
    /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant LastSeenBuddyBuildVersion "${sw_build}"
    /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant DidSeePrivacy -bool TRUE
    /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant DidSeeTrueTonePrivacy -bool TRUE
    /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant DidSeeTouchIDSetup -bool TRUE
    /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant DidSeeSiriSetup -bool TRUE
    /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant DidSeeActivationLock -bool TRUE
    /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant DidSeeScreenTime -bool TRUE
  done

# Checks first to see if the Mac is running 10.7.0 or higher.
# If so, the script checks the existing user folders in /Users
# for the presence of the Library/Preferences directory.
#
# If the directory is not found, it is created and then the
# iCloud, Data & Privacy, Diagnostic, Touch ID, Screentime
# Activation Lock and Siri pop-up settings are set to be disabled.

 for USER_HOME in /Users/*
  do
    USER_UID=`basename "${USER_HOME}"`
    if [ ! "${USER_UID}" = "Shared" ]; then
      if [ ! -d "${USER_HOME}"/Library/Preferences ]; then
        /bin/mkdir -p "${USER_HOME}"/Library/Preferences
        /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library
        /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library/Preferences
      fi
      if [ -d "${USER_HOME}"/Library/Preferences ]; then
        /usr/bin/defaults write "${USER_HOME}"/Library/Preferences/com.apple.SetupAssistant DidSeeCloudSetup -bool TRUE
        /usr/bin/defaults write "${USER_HOME}"/Library/Preferences/com.apple.SetupAssistant GestureMovieSeen none
        /usr/bin/defaults write "${USER_HOME}"/Library/Preferences/com.apple.SetupAssistant LastSeenCloudProductVersion "${sw_vers}"
        /usr/bin/defaults write "${USER_HOME}"/Library/Preferences/com.apple.SetupAssistant LastSeenBuddyBuildVersion "${sw_build}"
        /usr/bin/defaults write "${USER_HOME}"/Library/Preferences/com.apple.SetupAssistant DidSeePrivacy -bool TRUE
        /usr/bin/defaults write "${USER_HOME}"/Library/Preferences/com.apple.SetupAssistant DidSeeTrueTonePrivacy -bool TRUE
        /usr/bin/defaults write "${USER_HOME}"/Library/Preferences/com.apple.SetupAssistant DidSeeTouchIDSetup -bool TRUE
        /usr/bin/defaults write "${USER_HOME}"/Library/Preferences/com.apple.SetupAssistant DidSeeSiriSetup -bool TRUE
        /usr/bin/defaults write "${USER_HOME}"/Library/Preferences/com.apple.SetupAssistant DidSeeActivationLock -bool TRUE
        /usr/bin/defaults write "${USER_HOME}"/Library/Preferences/com.apple.SetupAssistant DidSeeScreenTime -bool TRUE
        /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library/Preferences/com.apple.SetupAssistant.plist
      fi
    fi
  done
fi
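
The per-user loop above visits every entry in /Users and uses the folder name as the owner for chown. The following guard is an added example, not part of the original script: it assumes the script runs as root and skips entries that are not plain directories, whose name does not resolve to an account, or whose Library/Preferences path is a symlink. The function names eligible_home and list_eligible_homes are hypothetical.

```bash
#!/bin/bash
# Added example: guard for the per-user loop (function names are hypothetical).

# Succeeds only when $1 is safe to pre-seed as root:
#  - it is not the Shared folder
#  - it is a real directory, not a symlink
#  - its folder name resolves to an account (the original chowns to this name)
#  - Library and Library/Preferences, if present, are not symlinks
eligible_home() {
  local home name p
  home="$1"
  name=$(basename "$home")
  [ "$name" != "Shared" ] || return 1
  [ -d "$home" ] || return 1
  [ ! -L "$home" ] || return 1
  id -u "$name" >/dev/null 2>&1 || return 1
  for p in "$home/Library" "$home/Library/Preferences"; do
    [ ! -L "$p" ] || return 1
  done
  return 0
}

# Prints the eligible homes under a base directory (default /Users), one per line.
list_eligible_homes() {
  local base home
  base="${1:-/Users}"
  for home in "$base"/*; do
    if eligible_home "$home"; then
      printf '%s\n' "$home"
    fi
  done
  return 0
}

# Usage inside the original loop:
#   for USER_HOME in /Users/*; do
#     eligible_home "${USER_HOME}" || continue
#     ... mkdir / defaults write / chown as before ...
#   done
```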

 

Reference: https://github.com/davidrule1969/rtrouton_scripts/tree/main/rtrouton_scripts/disable_apple_icloud_data_privacy_diagnostic_touch_id_siri_activation_lock_and_screentime_pop_ups