Jamf Nation Community

Historically there have been several ways to hide a user (as mm2270 describes); uid<500 (was originally enough, later it required Hide500Users to be added into loginwindow.plist), the HiddenUsersList and more.
Recently the IsHidden attribute is introduced, maybe the older do no longer work?
See Apple's kbase HT203998
Your command should not use /var/hiddenuser but /Users/hiddenuser since it refers to DirectoryServices structure.
And as a side note: Per, the author or CreateUserPkg has offered the project for adoption, so do not expect updates from Per soon.

I use DeployStudio, and their script is usable to make your own; it is supposed to work on Sierra (not tested)
On systems with DS installed : find it here:

/Applications/Utilities/DeployStudio Admin.app/Contents/Plugins/DSConfigureTask.bundle/Contents/Resources/Scripts/ds_add_local_users/ds_add_local_user.sh

and copied here for reference:

# disable history characters
histchars=

SCRIPT_NAME=`basename "${0}"`

echo "${SCRIPT_NAME} - v1.18 ("`date`")"

# Usage: ${SCRIPT_NAME} $1 $2 $3 [$4 $5 $6 $7]
# $1 -> realname
# $2 -> shortname
# $3 -> password
# $4 -> admin (YES/NO)
# $5 -> hidden (YES/NO)
# $6 -> localization (English, French, etc...)
# $7 -> uidNumber

#
# create the default user
#
USER_REALNAME=${1}
USER_SHORTNAME=${2}
USER_PASSWORD=${3}
USER_ADMIN=${4}
USER_HIDDEN=${5}
USER_LOCALE=${6}
USER_UID=${7}

if [ "_YES" == "_${USER_HIDDEN}" ]
then
  USER_HOME="/var/.home/${USER_SHORTNAME}"
  if [ ! -d "/var/.home" ]
  then
    mkdir "/var/.home"
    chown root:admin "/var/.home"
    chmod 775 "/var/.home"
  fi
else
  USER_HOME="/Users/${USER_SHORTNAME}"
fi

if [ -n "${USER_SHORTNAME}" ]
then
  SAME_UID="YES"
  if [ -n "${USER_UID}" ]
  then
    SAME_UID=`dscl /Local/Default -list /Users uid | awk '{ print "+"$2"+" }' | grep "+${USER_UID}+"`
  fi
  if [ -n "${SAME_UID}" ]
  then
    USER_UID=`dscl /Local/Default -list /Users uid | awk '{ print $2 }' | sort -n | tail -n 1`
    USER_UID=`expr ${USER_UID} + 1`
    if [ ${USER_UID} -lt 501 ]
    then
      USER_UID=501
    fi
  fi

  echo "  Creating user '${USER_SHORTNAME}' with uid=${USER_UID} !" 2>&1

  dscl /Local/Default -delete users/${USER_SHORTNAME} >/dev/null 2>&1
  dscl /Local/Default -create users/${USER_SHORTNAME}

  dscl /Local/Default -create users/${USER_SHORTNAME} uid           "${USER_UID}"
  dscl /Local/Default -create users/${USER_SHORTNAME} gid           20
  dscl /Local/Default -create users/${USER_SHORTNAME} GeneratedUID  `/usr/bin/uuidgen`
  dscl /Local/Default -create users/${USER_SHORTNAME} home          "${USER_HOME}"
  dscl /Local/Default -create users/${USER_SHORTNAME} shell         "/bin/bash"

  dscl /Local/Default -create users/${USER_SHORTNAME} _writers_UserCertificate "${USER_SHORTNAME}"
  dscl /Local/Default -create users/${USER_SHORTNAME} _writers_hint            "${USER_SHORTNAME}"
  dscl /Local/Default -create users/${USER_SHORTNAME} _writers_jpegphoto       "${USER_SHORTNAME}"
  dscl /Local/Default -create users/${USER_SHORTNAME} _writers_passwd          "${USER_SHORTNAME}"
  dscl /Local/Default -create users/${USER_SHORTNAME} _writers_picture         "${USER_SHORTNAME}"
  dscl /Local/Default -create users/${USER_SHORTNAME} _writers_realname        "${USER_SHORTNAME}"

  if [ -e "/Library/User Pictures/Fun/Gingerbread Man.tif" ]
  then
    dscl /Local/Default -create users/${USER_SHORTNAME} picture "/Library/User Pictures/Fun/Gingerbread Man.tif"
  else
    if [ -e "/Library/User Pictures/Animals/Butterfly.tif" ]
    then
      dscl /Local/Default -create users/${USER_SHORTNAME} picture "/Library/User Pictures/Animals/Butterfly.tif"
    fi
  fi

  if [ -n "${USER_REALNAME}" ]
  then 
    dscl /Local/Default -create users/${USER_SHORTNAME} realname "${USER_REALNAME}"
  else
    dscl /Local/Default -create users/${USER_SHORTNAME} realname "${USER_SHORTNAME}"
  fi

  if [ -n "${USER_PASSWORD}" ]
  then 
    dscl /Local/Default -passwd /Users/${USER_SHORTNAME} "${USER_PASSWORD}"
  else
    dscl /Local/Default -passwd /Users/${USER_SHORTNAME} ""
  fi  

  if [ "_YES" = "_${USER_ADMIN}" ]
  then 
    echo "  Setting admin properties" 2>&1
    dscl /Local/Default -append groups/admin            users   "${USER_SHORTNAME}"
    # Enable all ARD privileges
    dscl /Local/Default -create users/${USER_SHORTNAME} naprivs -1073741569
  fi

  echo "  Creating local home directory" 2>&1
  HOMES_ROOT=`dirname "${USER_HOME}"`
  if [ -d  "${HOMES_ROOT}" ] && [ -d "/System/Library/User Template" ]
  then
    if [ -d "/System/Library/User Template/${USER_LOCALE}.lproj" ]
    then
      ditto --rsrc "/System/Library/User Template/${USER_LOCALE}.lproj" "${USER_HOME}"
    else
      ditto --rsrc "/System/Library/User Template/English.lproj" "${USER_HOME}"
    fi
  fi
  chown -R ${USER_UID}:20 "${USER_HOME}"

  if [ "_YES" == "_${USER_HIDDEN}" ]
  then
    defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array-add "${USER_SHORTNAME}"
    chmod 644 /Library/Preferences/com.apple.loginwindow.plist
    chown root:admin /Library/Preferences/com.apple.loginwindow.plist
  fi
fi

FWIW - the project is no longer being maintained.
But you can adopt it if you like.

@dpertschi I saw that the other day before I started playing with 10.12. I had my fingers crossed enough hadn't changed from 10.11 to 10.12 that it wouldn't be an issue. I may go back to the jamf binary to do it all for me.

@mm2270 It appears it's not getting set in the install, as my output is this.

MacBook-Air:~ admin$ defaults read /Library/Preferences/com.apple.loginwindow.plist HiddenUsersList
2017-01-06 12:32:37.532 defaults[659:12308] 
The domain/default pair of (/Library/Preferences/com.apple.loginwindow.plist, HiddenUsersList) does not exist
MacBook-Air:~ admin$ defaults read /Library/Preferences/com.apple.loginwindow.plist 
{
    GuestEnabled = 0;
    OptimizerLastRunForBuild = 33687680;
    OptimizerLastRunForSystem = 168559104;
    lastUser = loggedIn;
    lastUserName = admin;
}
MacBook-Air:~ admin$

Given that everything for the user is there, I will just test out whether it seems easier to run a first run script to hide the existing user, or remove it completely from my image and let JAMF create it.

And comparing it to a managed workstation that was updated from 10.11 to 10.12, that looks like the key is missing.

$ defaults read /Library/Preferences/com.apple.loginwindow.plist HiddenUsersList
2017-01-06 16:21:10.891 defaults[51336:1098983] 
The domain/default pair of (/Library/Preferences/com.apple.loginwindow.plist, HiddenUsersList) does not exist
$ defaults read /Library/Preferences/com.apple.loginwindow.plist Hide500Users
1

@easyedc Yeah, its kind of a toss up. I mean, the point of using something like CreateUserPkg in the first place would be to have a single pkg install that can create that user for you and hide it, if so desired. If you need to start adding post scripts to actually hide the account, it might just be easier to move to the jamf binary and some scripts to create the account and skip the package route.

I wasn't aware if was put up for adoption. Hopefully someone will pick up the reins for CreateUserPkg and make it work on current and future OSes. It was useful while it lasted.

@mm2270 You're definitely correct in your statement. Given that the user is a management account for our network access control (Forescout agent) it would be able to be installed post JAMF setup as long as we build on an approved build segment. The only advantage in the past was that if a workstation managed to find its way to our floor without being properly configured, if it was my image, it'd work. If it was something someone went out and bought, they'd get blocked.

defaults write /Library/Preferences/com.apple.loginwindow.plist Hide500Users 1

Did solve it. I may, for the time being, just write out a policy to execute that once and not worry about it.