Comprehensive rules for secure, automated user & group management on macOS using shell scripting and MDM tooling.
Stop manually configuring user accounts across your Mac fleet. These Cursor Rules deliver battle-tested automation patterns that transform macOS user and group management from a time-consuming administrative burden into a secure, scalable system that runs itself.
Managing macOS users at scale creates cascading operational headaches:
These issues compound as your Mac deployment grows, turning user management into a full-time operational nightmare.
These Cursor Rules provide enterprise-grade macOS user management patterns that eliminate manual processes while maintaining strict security controls. Built from real-world deployments managing thousands of Mac endpoints, they handle the complexity of modern identity providers, MDM integration, and compliance requirements.
What You Get:
Eliminate 95% of Manual User Management Tasks: Transform a 30-minute manual user creation process into a 2-minute automated deployment. Scripts handle user creation, group assignment, FileVault enablement, and audit logging in a single operation.
Zero-Configuration FileVault Deployment: Automatically enable SecureToken for new users and escrow recovery keys to your MDM without manual intervention. No more devices with broken FileVault enrollment.
Bulletproof Compliance Tracking: Every user account change generates structured logs with timestamps, admin identity, and change details. Compliance audits become data queries instead of archaeological expeditions.
Scale-Ready Architecture: Parallel user creation processes 50+ accounts simultaneously. Cache identity provider lookups to eliminate API rate limiting. Handle network failures gracefully with automatic retries.
```bash
# Single command creates user, assigns groups, enables FileVault
./create_user.sh --username "jdoe" --department "engineering" --manager "alice.smith"
# Automatically handles:
# - IdP lookup for full name and employee ID
# - SecureToken enablement for FileVault
# - Group assignment based on department
# - Recovery key escrow to MDM
# - Audit log generation
```

```bash
# Process entire department role changes
cat engineering_to_devops.txt | xargs -P4 -I{} ./update_user_groups.sh --user {} --add devops --remove engineers
# Parallel processing with automatic rollback on failures
# Complete audit trail for compliance reviews
```

```bash
# Jamf Pro Smart Group creation based on user attributes
./sync_jamf_groups.sh --attribute "Department" --value "Security" --policy "security-baseline"
# Automatically scopes security policies to the right users
# Eliminates manual Smart Group maintenance
```
```bash
# Clone the rules to your Cursor configuration
git clone [rules-repo] ~/.cursor-rules/macos-user-management
# Install in Cursor settings
cp macos-user-management.cursorrules ~/.cursor-rules/

# Create script directory structure
mkdir -p /usr/local/scripts/{bin,lib,logs}
# Set up logging configuration
./setup_logging.sh --syslog-server "logs.company.com" --local-retention 90

# Set up IdP connection (Azure AD example)
./configure_idp.sh --provider "azuread" --tenant "company.onmicrosoft.com"
# Test connectivity
./test_idp_connection.sh

# Create user with full automation
sudo ./create_user.sh --username "testuser" --department "it" --admin false
# Verify SecureToken and FileVault status
./audit_user.sh --username "testuser"
```
Development Velocity: Ship user management scripts in hours instead of weeks. The rules handle macOS-specific edge cases, MDM integration patterns, and security requirements automatically.
Operational Efficiency: Reduce new hire onboarding time from 2 hours to 10 minutes. Eliminate 90% of user management tickets through self-service automation.
Security Posture: Zero manual FileVault configuration errors. Complete audit trails for every account change. Automatic compliance with password policies and two-factor requirements.
Scale Readiness: Process 100+ user accounts simultaneously without overwhelming your identity provider or MDM server. Graceful handling of network failures and API rate limits.
Error Reduction: Eliminate human error in user creation through validated input parameters, automatic rollback on failures, and comprehensive pre-flight checks.
The rules transform macOS user management from an operational bottleneck into a competitive advantage, giving you the automation infrastructure that enterprise Mac deployments demand.
You are an expert in macOS account administration, Bash/zsh scripting, sysadminctl, dscl, Apple Business Manager, Jamf Pro, and Declarative Device Management.
Key Principles
- Security first: assume devices are mobile and at risk; principle of least privilege everywhere.
- Automate everything that repeats; never create users manually at scale.
- Prefer declarative, idempotent scripts and MDM profiles; every run must converge to the same state.
- Log every change (syslog + JSON file); changes without an audit trail are defects.
- Fail loudly and early; abort on first error rather than mutating half-configured accounts.
- Human-readable naming: users in lowercase, groups in lowercase plural (e.g., "designers").
- All credentials flow through the system keychain or an IdP token exchange—never hard-code.
Bash / zsh
- Start every script with:
```bash
#!/usr/bin/env bash
set -euo pipefail
IFS=$'\n\t'
```
- Wrap CLI calls in functions; expose one public `main()`.
- Use `sysadminctl` for user CRUD on macOS 10.13+; fall back to `dscl` only for attributes `sysadminctl` cannot touch.
- Always pass full paths to binaries: `/usr/sbin/sysadminctl`, `/usr/bin/dscl`.
- Exit codes: 0 success, 10 "user exists", 20 "group exists", >100 unexpected.
- Parse plist output as JSON with `plutil -convert json -o -`; avoid brittle `grep` parsing.
- Never store passwords in plain text; read them from a secure prompt or from `$PPPC_PAYLOAD` via MDM.
- Comment blocks with `##` so `shellcheck` ignores rule SC1117.
- File structure per script directory:
```
├── create_user.sh
├── delete_user.sh
├── lib/
│   ├── logging.sh
│   └── validation.sh
```
Error Handling & Validation
- Pre-flight checks at top of every script:
  - `[[ $EUID -ne 0 ]] && echo "Run as root" && exit 1`.
  - Verify network before IdP look-ups: `ping -q -c1 id.example.com`.
  - Validate parameters with regex: `[[ $username =~ ^[a-z][a-z0-9_-]{2,31}$ ]]`.
- Use `trap 'error_handler $LINENO' ERR INT` to capture stack location.
- FileVault:
  - After user creation, ensure they are SecureToken-enabled: `sysadminctl -secureTokenStatus "$username"`.
  - Add recovery key escrow with MDM `InstitutionalRecoveryKey` payload.
- Early returns pattern:
  ```bash
  user_exists() { dscl . -read "/Users/$1" &>/dev/null; }
  if user_exists "$username"; then
    log_warn "User $username already exists"; exit 10;
  fi
  ```
- Happy path last: only run modifications after all validation passes.
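One way to wire the Bash conventions above and these validation rules into a single sourceable library, added here as an example and not one of the rules' own scripts: `run_dscl`, `preflight_create_user`, the `EXIT_*` names and the audit-log path are assumptions, and because the CLI call sits behind a wrapper function the library runs, and can be tested with bats-core, on a machine without `dscl`.

```bash
#!/usr/bin/env bash
## Added example (not one of the rules' own scripts): the pre-flight layer that
## create_user.sh would source. Wrapper names and the log path are assumptions.
set -euo pipefail
IFS=$'\n\t'
readonly EXIT_USER_EXISTS=10 EXIT_INVALID=101          # codes from the rules (>100 = unexpected)
AUDIT_LOG="${AUDIT_LOG:-/var/tmp/user_mgmt_audit.jsonl}"   # assumed location
## CLI calls live in wrappers so bats-core tests can override them as functions.
run_dscl() { /usr/bin/dscl "$@"; }
user_exists()  { run_dscl . -read "/Users/$1"  >/dev/null 2>&1; }
group_exists() { run_dscl . -read "/Groups/$1" >/dev/null 2>&1; }

## Naming rules: lowercase, letter first, 3-32 chars; groups are lowercase plural.
valid_username()  { [[ $1 =~ ^[a-z][a-z0-9_-]{2,31}$ ]]; }
valid_groupname() { [[ $1 =~ ^[a-z][a-z0-9_-]{1,30}s$ ]]; }

## One JSON line per change: who (SUDO_USER, not root), when, what, on which
## account. Appended to the JSON log and echoed so the caller can forward it.
log_json() {
  local action=$1 target=$2 detail=${3:-} line
  line=$(printf '{"ts":"%s","admin":"%s","action":"%s","target":"%s","detail":"%s"}' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${SUDO_USER:-$(id -un)}" "$action" "$target" "$detail")
  printf '%s\n' "$line" >>"$AUDIT_LOG"
  printf '%s\n' "$line"
}

## Returns the documented exit code instead of exiting, so main() decides and
## tests can assert on it. Nothing is mutated until every check passes.
preflight_create_user() {
  local username=$1 group=$2
  if ! valid_username "$username" || ! valid_groupname "$group"; then
    log_json preflight_rejected "$username" "invalid username or group '$group'" >/dev/null
    return "$EXIT_INVALID"
  fi
  if user_exists "$username"; then
    log_json preflight_rejected "$username" "user already exists" >/dev/null
    return "$EXIT_USER_EXISTS"
  fi
  if ! group_exists "$group"; then
    log_json preflight_rejected "$username" "group '$group' does not exist" >/dev/null
    return "$EXIT_INVALID"
  fi
}
main() {
  [[ $EUID -ne 0 ]] && { echo "Run as root" >&2; exit 1; }
  preflight_create_user "$1" "$2" || exit $?
  log_json user_create_start "$1" "group=$2" >/dev/null
  ## /usr/sbin/sysadminctl -addUser ... and the SecureToken check follow here.
}
```

In a test file, redefine `run_dscl` as a shell function that answers for a fixed set of users and groups; the pre-flight then exercises every exit code without touching the directory service.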
Framework-Specific Rules (Jamf Pro / Apple Business Manager / Declarative Device Management)
- Sync Managed Apple IDs from ABM; never create local accounts that duplicate cloud identities.
- Use Jamf Smart Groups:
  - Criteria: `extensionAttribute[Department]` equals `Engineering` → scope shell-admin policy.
- Policies:
  - PreStage enrollment ➔ install `create_user.sh` with parameters from Jamf API.
  - Post-install reboot: defer until FileVault escrow verified.
- Declarative payload example (user & group):
  ```json
  {
    "type": "com.apple.configuration.usergroup",
    "identifier": "designers",
    "members": ["uid:1001", "uid:1004"],
    "state": "present"
  }
  ```
- UMAD for migration: auto-enroll legacy devices, then run a once-per-computer Jamf policy to remove admin rights from local standard users.
Additional Sections
Testing
- Create dedicated "qa" standard account; never test with admin.
- Staging MDM server mirrors production scopes; promote profiles only after compliance score ≥ 95 %.
- Unit-test library functions with `bats-core`; mock `sysadminctl` using a function override.
Performance
- Batch operations: pass newline-delimited usernames to `xargs -P4 create_user.sh` for parallel creation.
- Cache IdP look-ups for 10 min in `/var/tmp/idp_cache.json`.
Security
- Enforce 12-char complex passwords, max age 90 days, using Configuration Profile `com.apple.mobiledevice.passwordpolicy`.
- Require two-factor via Apple ID or IdP.
- Disable guest user: `defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool false`.
Compliance & Audit
- Store a signed hash of each script in `/usr/local/libexec/scripts/manifest.json`; validate at runtime.
- Push logs to a SIEM via syslog TCP 6514 with TLS.
Common Pitfalls
- Forgetting to enable SecureToken blocks FileVault login.
- Mixing `dscl` and `sysadminctl` UID allocation causes collisions—always reserve UID range 501–999 for onboarding.
- Running scripts from user context—always `sudo launchctl bootstrap system` for LaunchDaemons.