How to add a user account on macOS devices?
The Create User Account remote action allows IT administrators to provision local user accounts on managed macOS devices, enabling secure multi-user access and personalized login environments without physical device access.
Why Remotely Create macOS User Accounts?
Provisioning accounts remotely is essential for organizations with shared hardware. It gives each employee a separate workspace, keeps their data private, and follows the principle of least privilege by assigning a specific account role (Standard or Administrator) to each user.
- Multi-User Access: Enables multiple employees to share a single Mac with individual settings.
- Security Control: Restricts system modifications by assigning non-administrative roles.
- Automated Onboarding: Streamlines device setup for new hires via the UEM console.
Prerequisites and Constraints
Before executing the account creation command, ensure the following technical requirements are met:
| Requirement | Detail |
|---|---|
| Hexnode Agent | The latest version of the Hexnode Agent app must be installed on the Mac. |
| Password Characters | Avoid special characters: ¡, ™, £, ¢, ∞, §, ¶, •, ª, º, –, ≠, «, ‘, “, æ, …, ÷, ≥, ≤. |
| Secure Token | Granting one to the new user requires the username and password of an existing local administrator that already holds a Secure Token. Without a token the new user cannot unlock FileVault, approve KEXTs, or install software updates. |
| FileVault State | Avoid creating accounts on a FileVault-locked device unless its recovery key has been escrowed. |
Step-by-Step Guide: Creating a macOS User Account
Follow these steps to remotely add a local user to a managed Mac:
- Log in to the Hexnode UEM portal.
- Navigate to Manage > Devices and select the target macOS device.
- Go to Actions > Policies & Accounts > Create User Account.
- Configure the following account set-up options:
Account Configuration Parameters
| Field | Functional Description |
|---|---|
| Account Type | Standard (cannot manage other users) or Administrator (can install apps and change settings). |
| Full Name | The user's complete name (supports wildcards). |
| Account Name | Generated automatically from Full Name; used as the Home Folder name. |
| Password | The login credential for the new account (supports wildcards). |
| Password Hint | Displayed after three incorrect attempts or by clicking the "?" icon. |
| Aliases | Shorthand usernames (e.g., "HB" for "Henrick Bartholomew") that can also be used to log in. |
| Hide Account from Login Window and Users & Groups | If enabled, removes the user from the login window and the Users & Groups pane. |
| Grant Secure Token (Recommended) | Enabled by default; gives the new user a Secure Token so they can unlock FileVault-encrypted disks. Requires the credentials of an existing Secure Token-enabled administrator, entered in the next two fields. |
- Administrator Username: Enter the username of an existing Secure Token-enabled admin.
- Administrator Password: Enter the corresponding password.
- Click Create.
Troubleshooting Guides
| Problem | Resolution |
|---|---|
| Account creation failure (Incorrect Credentials) | Ensure the Administrator Username and Password provided under Grant Secure Token match an existing account that already holds a Secure Token. |
| New account is invisible/non-functional | This often occurs if FileVault is enabled but a Secure Token was not granted. Re-run the action with valid admin credentials under the Grant Secure Token section. |
| Password rejected by OS | Verify that no restricted special characters (e.g., ™, £, ∞) were used in the password field. |
| User cannot perform software updates | The account likely lacks a Secure Token. Verify the token status in the portal or recreate the account with token access enabled. |
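The checks in the table above can be run directly on the Mac once the action has completed. The following script is an added example written for this article, not Hexnode's own tooling. It uses the standard macOS commands dscl, dsmemberutil and sysadminctl to confirm that the local record exists, whether the account is Administrator or Standard, whether it is hidden, and whether it holds a Secure Token, and it can pre-screen a candidate password against the character list in the Prerequisites table. The account name hbartholomew and the sample sysadminctl lines used in the comments are constructed for illustration.

```shell
#!/bin/sh
# Post-creation checks for a local account created with the Hexnode
# "Create User Account" action. Added example for this article, not Hexnode's
# own code. Run on the managed Mac as a local administrator:
#   sh verify_account.sh <account-name> [candidate-password]
# The account name used in the comments, hbartholomew, is made up.

# Characters the Prerequisites table says must not appear in the password,
# one pattern per line so grep -F treats each as a literal string.
RESTRICTED_CHARS=$(printf '%s\n' '¡' '™' '£' '¢' '∞' '§' '¶' '•' 'ª' 'º' \
                                 '–' '≠' '«' '‘' '“' 'æ' '…' '÷' '≥' '≤')

# Returns 0 if the candidate password contains any restricted character.
password_has_restricted_chars() {
    printf '%s' "$1" | grep -q -F "$RESTRICTED_CHARS"
}

# Classify the single line `sysadminctl -secureTokenStatus <user>` writes to
# stderr, e.g. "sysadminctl[812:4410] Secure token is ENABLED for user hbartholomew".
secure_token_state() {
    case "$1" in
        *"Secure token is ENABLED for user"*)  printf 'ENABLED' ;;
        *"Secure token is DISABLED for user"*) printf 'DISABLED' ;;
        *)                                     printf 'UNKNOWN' ;;
    esac
}

# Inspect one local account; returns 0 only if it exists and holds a Secure Token.
verify_account() {
    name=$1
    if ! command -v dscl >/dev/null 2>&1 || ! command -v sysadminctl >/dev/null 2>&1; then
        echo "dscl/sysadminctl not found: run this on the managed Mac" >&2
        return 2
    fi
    if ! dscl . -read "/Users/$name" RecordName >/dev/null 2>&1; then
        echo "FAIL: no local directory record for $name (did the action complete?)"
        return 1
    fi
    echo "record: /Users/$name exists"

    # Account Type: Administrator accounts are members of the local admin group.
    if dsmemberutil checkmembership -U "$name" -G admin 2>/dev/null | grep -q 'is a member of'; then
        echo "role: Administrator"
    else
        echo "role: Standard"
    fi

    # "Hide Account from Login Window" sets the IsHidden attribute to 1. A hidden
    # account is still a real account: it shows up here and can still log in.
    if dscl . -read "/Users/$name" IsHidden 2>/dev/null | grep -q 'IsHidden: 1$'; then
        echo "hidden: yes (still present in the local directory)"
    else
        echo "hidden: no"
    fi

    # Secure Token: without it the user cannot unlock FileVault or install updates.
    state=$(secure_token_state "$(sysadminctl -secureTokenStatus "$name" 2>&1)")
    echo "secure token: $state"
    [ "$state" = ENABLED ]
}

# Optional second argument: screen a password before entering it in the dialog.
if [ "$#" -ge 2 ]; then
    if password_has_restricted_chars "$2"; then
        echo "FAIL: password contains a character macOS may reject (see Prerequisites)" >&2
        exit 1
    fi
    echo "password: no restricted characters"
fi

if [ "$#" -ge 1 ]; then
    verify_account "$1"
fi
```

Running `sh verify_account.sh hbartholomew` after the action completes gives a non-zero exit status when the record is missing or the account has no Secure Token, which are the two conditions behind the "invisible/non-functional" and "cannot perform software updates" rows above. The password screen uses byte-exact fixed-string matching, so it does not depend on the shell's locale.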
Frequently Asked Questions (FAQs)
What is the difference between an Administrator and a Standard account?
An Administrator has full privileges to create users, change system settings, and install software. A Standard user can only modify their own settings and cannot manage other users.
Can wildcards be used when defining the Full Name or Password?
Yes. The Create User Account dialog supports all Hexnode wildcards for the Full Name, Account Name, Password, and Password Hint fields.
Why is a Secure Token necessary?
On macOS, a Secure Token is required before a user can unlock a FileVault-encrypted disk, approve Kernel Extensions (KEXTs), and perform certain software updates. A token can only be granted by an account that already holds one, which is why the action asks for the credentials of an existing Secure Token-enabled administrator.
Can a maintenance account be hidden from the login screen?
Yes. By checking the option Hide account from Login Window and Users & Groups, the account remains functional for remote tasks but is not shown to local users at the login window or in the Users & Groups pane. Note that hiding is a convenience, not a security control: the account still exists in the local directory, can still be listed with directory tools, and can still log in, so protect it with a strong password just like any other administrator account.