Options for setting up a local administrator account with MDM for Apple devices
You can configure a local administrator account on Mac computers using mobile device management (MDM) and Apple School Manager or Apple Business Manager. You can also choose whether the account can be viewed in the Users & Groups pane of System Preferences. You can also change the password of that administrator without physical access to the Mac. When the account is configured in your MDM solution, the user proceeds through the account setup portion of the macOS Setup Assistant. Mac account setup options are as follows:
Create an administrator account: The user creates an administrator account on the Mac.
Create a standard account: The user creates a standard account on the Mac. You must also create a managed administrator account.
No option to create an account: The user doesn’t create any account using Setup Assistant. You must also create a managed administrator account. The user logs in using a network account or another account created outside of Setup Assistant.
The full name or user name for the default account (macOS 10.15): Used to fill the local account’s full name or user name in Setup Assistant when creating the initial administrator account. The user can override these values if they wish.
Lock the default account’s full name or user name (macOS 10.15): The local account are created using the full name or user name provided by the MDM solution. The user can’t override the values.
If you create a managed administrator account, you can hide that account in the Users & Groups pane of System Preferences so that users of a Mac don’t interfere with the managed administrator account.
Note: Unlike passwords for regular administrator accounts, passwords for managed administrator accounts can be changed remotely using your MDM solution.