By default, when Mac devices are enrolled via Intune Automated Device Enrollment (ADE), the default user account is granted admin privileges, which makes user management harder. This post covers how to mitigate that. Intune provides an easy way to run shell scripts on Mac devices and to collect their logs.
Device Join Type: Azure AD Joined Workplace joined
MDM: Microsoft Intune
Enrollment Type: Automatic Device Enrollment
Navigate to the Intune portal: Devices > macOS > Scripts. This section allows you to run scripts and collect logs. Interestingly, the script can be used as part of the enrollment process so that, post enrollment, the default user is moved to the standard user group and an admin account is created at the same time. After the script is uploaded to Intune, it is recommended to assign it to a user group rather than a device group, because device-group assignments take longer to take effect.
#!/bin/bash
# Search for an existing "administrator" account, skipping the hidden "_" service accounts
SearchAdmin=$(sudo dscl . list /Users | egrep -v "^_" | egrep -w "administrator")
if [[ $SearchAdmin == "administrator" ]]; then
  echo "the username $SearchAdmin already exists"
else
  echo "User does not exist"
  # Create the local admin account. -admin adds it to the admin group; the UID is
  # left for the system to assign (the original "-UID=administrator" is not a valid value).
  # The password is redacted in the original post.
  sudo /usr/sbin/sysadminctl -addUser administrator -fullName "administrator" -admin -password '*********'
fi
# Find every user named after the Azure tenant (contoso.com), excluding the administrator
# account and hidden accounts, and move each one from admin to standard.
Matches=$(sudo dscl . list /Users | egrep -v "^_" | grep -v -w 'administrator' | grep 'contoso.com')
if [[ -z $Matches ]]; then
  echo "No Match found"
fi
for StandardUser in $Matches; do
  echo "user $StandardUser exists in the system, removing it from the admin group"
  sudo /usr/sbin/dseditgroup -o edit -d "$StandardUser" -t user admin
done
The results can be collected from the Intune portal.
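A follow-up check, added here as an example and not part of the original post: a small bash audit that reads the admin group membership as dscl prints it and flags any member outside an allow-list, so drift back to admin rights after the demotion script can be spotted. The allow-list, the sample membership lines and the user jdoe@contoso.com are constructed assumptions for this example.

```shell
#!/bin/bash
# Audit of the local "admin" group after the demotion script has run.
# ALLOWED_ADMINS is an assumption for this example: the accounts that may keep
# admin rights (root and the "administrator" account the post's script creates).
ALLOWED_ADMINS="root administrator"

# audit_admin_group reads the "GroupMembership: ..." line that
# `dscl . -read /Groups/admin GroupMembership` prints, from stdin, and echoes
# every member not in ALLOWED_ADMINS, one per line.
# Returns 0 when only allowed accounts are admins, 1 when drift was found.
audit_admin_group() {
    line=$(grep '^GroupMembership:' | head -n 1)
    members=${line#GroupMembership:}
    rc=0
    for m in $members; do
        ok=0
        for allowed in $ALLOWED_ADMINS; do
            if [ "$m" = "$allowed" ]; then
                ok=1
                break
            fi
        done
        if [ "$ok" -eq 0 ]; then
            echo "$m"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample lines standing in for dscl output, so the check runs off a Mac:
# one clean device and one where a tenant user is still (or again) an admin.
SAMPLE_CLEAN="GroupMembership: root administrator"
SAMPLE_DRIFT="GroupMembership: root administrator jdoe@contoso.com"

# On a real device, pipe the live query instead of the sample:
#   dscl . -read /Groups/admin GroupMembership | audit_admin_group
if printf '%s\n' "$SAMPLE_DRIFT" | audit_admin_group; then
    echo "admin group clean"
else
    echo "unexpected admin accounts found (listed above)"
fi
```

Uploaded as a second Intune script with its output collected from the portal, a non-zero exit and the listed names show which devices still have tenant users in the admin group.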
There are plenty of other ways to address this issue, such as the AdminByRequest application with a proper approval flow, and more.