createmobileaccount workaround for 10.10.3

UPDATE: As of Mac OS X 10.10.4 this issue has been addressed by Apple. The following still applies to 10.10.3 installs. 

Since 10.10.3 was released on April 8, 2015, the Mac admin community has had the privilege of discovering what’s broken with this new OS. We knew about the rootPipe fix but not it’s unintended collateral damage. One piece that was discovered comprimised is the tool “createmobileaccount” found in /System/Library/CoreServices/ This tool can be used to pre-create a home folder and add the user to the local directory service node without having a user log in. It can also dynamically verify that the account attempting to be made actually exists in the directory service prior to creating the account. That can be handy for restoring user data, creating a directory based account prior to sending off-site, or giving a user admin rights prior to deployment. As of 10.10.3 and it’s rootPipe fix, that tool is broken. BUT, there is a workaround.

The workaround to still use createmobileaccount is to do the following*:

  1. Copy the user template to create the home folder: cp -R /System/Library/User\ Template/English.lproj /Users/${newUser}
  2. Change rights on the folder for the new user: chown -R ${newUser}:staff /Users/${newUser}
  3. Run createmobileaccount: /System/Library/CoreServices/ -n ${newUser}

Take note if you implement this workaround in your workflow that the home folder is being created before createmobileaccount is run.  If createmobileaccount fails, the home folder you created will still exists and you may want to clean that up depending on the environment.

*thanks to mm2270’s post on JAMFNation.

