Hi SK,
Thanks for reaching out to us!
We appreciate the time you have taken to provide your valuable feedback. Please find our comments below:
User accounts need to be able to be created in Policy, so a new Mac can be provisioned with accounts already in place (it’s not practical for any kind of standardization to expect a Hexnode admin to create accounts manually for every device that is provisioned).
DEP enrollment enables the IT Admin to configure Admin user accounts for the macOS devices enrolled via DEP. The Admin can specify the username and password of the user account within the DEP profile and deploy them to the devices.
https://www.hexnode.com/mobile-device-management/help/how-to-add-admin-account-on-macos-devices/
Accounts created via Hexnode need an option to be hidden from users in the GUI, so they don’t even know they exist.
Accounts can be hidden from the Login Window and Users & Groups via the “Hide account from Login Window and Users & Groups” option within the Create User account action.
The account that a user creates on setup needs to be able to be restricted to a Standard account upon creation to prevent them from removing the accounts created by Policy and otherwise changing the configuration and/or removing management profiles.
With the “Create local user account” action, you can specify whether the account needs to be a Standard account or an Admin account. With DEP accounts, if you uncheck the option ‘Allow MDM profile removal’, the profiles can be made unremovable from the device end.
Restrictions available for macOS devices within Policies > macOS > Restrictions > Security provide a mechanism to lock down the policy with a password so that the end user would not be able to remove the configurations pushed without entering the password.
There needs to be an option to change the password of a given account in mass (i.e. if an IT support staff member leaves, knowing the password created, all machines may then be vulnerable to unauthorized access.)
It is not possible to set up a password within the macOS device from the Hexnode portal; however, you can definitely lock the device with a system PIN so that the device would become inaccessible to the user until the system PIN is entered. Make sure that the device is connected to the internet to achieve the same.
https://www.hexnode.com/mobile-device-management/help/lock-a-device-using-hexnode-mdm/
We need to be able to *remove* accounts from within the Hexnode portal.
We cannot directly remove the user accounts from within the Hexnode portal. However, we do support deploying custom scripts where you can develop the scripts that perform the required functionality to remove the user accounts and push them to the macOS device from within the Hexnode portal.
https://www.hexnode.com/mobile-device-management/help/how-to-run-scripts-on-mac-using-hexnode-mdm/
Hope you find that helpful!
Cheers!
Eva Tyler
Hexnode MDM
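
The reply above points to custom scripts as the way to remove accounts. The following is an added example, not Hexnode's code and not part of the original reply, of how such a script can guard the deletion. The function names, the account name passed as the first argument, running as root, and the refusal policy (system names, UIDs below 501, the user at the console) are assumptions.

```shell
#!/bin/sh
# Added example: guarded removal of one local macOS account.
# Assumptions: run as root, account short name passed as $1.

# Pure policy check (no system calls). Prints "remove" or "refuse:<reason>".
# Args: target short name, target UID, user currently at the console.
removal_decision() (
    target=$1 uid=$2 console_user=$3
    case $target in
        ''|-*|*[!A-Za-z0-9_.-]*) echo "refuse:invalid-name"; exit 0 ;;
        root|_*)                 echo "refuse:system-account"; exit 0 ;;
    esac
    case $uid in
        ''|*[!0-9]*) echo "refuse:system-uid"; exit 0 ;;
    esac
    # Assumed policy: regular local accounts on macOS start at UID 501.
    if [ "$uid" -lt 501 ]; then echo "refuse:system-uid"; exit 0; fi
    # Never delete the account of whoever is sitting at the machine.
    if [ "$target" = "$console_user" ]; then echo "refuse:logged-in"; exit 0; fi
    echo "remove"
)

main() {
    target=$1
    if [ "$(id -u)" -ne 0 ]; then echo "must run as root" >&2; return 1; fi
    # Already absent: nothing to do, so re-running the script is harmless.
    uid=$(id -u "$target" 2>/dev/null) || { echo "$target: not present"; return 0; }
    console_user=$(stat -f%Su /dev/console)
    decision=$(removal_decision "$target" "$uid" "$console_user")
    if [ "$decision" != remove ]; then
        echo "$target: $decision" >&2
        return 1
    fi
    # sysadminctl also accepts -keepHome to preserve the home folder.
    sysadminctl -deleteUser "$target"
}

# Only act when an account name was supplied.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

A non-zero exit status marks a refused removal, so the refusal reason written to stderr can be reviewed wherever the script's result is recorded.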