Skip to main content

Using Automatic Device Account Provisioning with Smart Groups for ADE‑Enrolled macOS Devices

Updated yesterday

Automatic device account provisioning in Swif allows you to automatically create local macOS user accounts when a device is added to a specific device group. This article explains how this works for Apple Business Manager (ABM) / Automated Device Enrollment (ADE) Macs, and what you can and cannot automate during Setup Assistant.

Related guides:

What this feature does

When you enable Automatic Device Account Provisioning on a Smart Device Group:

  • Any device that matches the group’s rules and is added to that group will receive an MDM command from Swif to create a local user account on the Mac.

  • The account is created based on the device account template you configure on the group (username, display name, privileges, password behavior, etc.).

  • This works for:

    • ABM/ADE‑enrolled Macs

    • Non‑ABM Macs already enrolled in Swif

For ABM/ADE devices, this means:

  • You can deploy Macs with most Setup Assistant screens skipped.

  • Once the device enrolls and is automatically added to the Smart Device Group, Swif will automatically create the configured local user account via MDM.

Important limitation for ADE: first local account creation

Based on our validation (see test scenarios below):

  • The macOS local account creation screen during Setup Assistant cannot be skipped for ADE devices.

  • The end user must create the first local user account manually during activation.

  • Swif cannot replace that Apple‑required first account with the Smart Group’s auto‑provisioned account.

In other words:

  • Not possible: Completely blocking the first local account creation screen and only allowing the Swif auto‑provisioned account to exist.

  • Fully supported: Automatically creating an additional local account (for example, a standard user or an admin account) once the device is enrolled and added to the Smart Device Group.

This is a platform limitation: Apple still requires a first user account to be created during Setup Assistant, even when you configure “skip all possible setup assistant screens” in Swif.

How auto account provisioning works on ADE devices

1. Enroll the Mac via ABM / ADE

  1. Add the Mac to Apple Business Manager (ABM) or Apple School Manager.

  2. Assign the device to your Swif MDM server.

  3. Configure your Swif Setup Assistant profile to skip all supported screens (see:

    Manage Setup Assistant for Apple devices | Help Center | Swif.ai

  4. Wipe or out‑of‑box start the Mac and begin Setup Assistant.

What you’ll see during setup:

  • All supported screens configured as “skip” in Swif will be skipped.

  • The local account creation screen will still appear and cannot be skipped.

  • The user must create a first local account here.

2. Create a Smart Device Group with auto‑provision enabled

Follow the general steps in the auto‑provision guide (

Automatic Device Account Provisioning at Device Group | Help Center | Swif.ai

  1. In the Swif web app, go to Devices → Device Groups.

  2. Create a Smart Device Group and define your device rules (e.g., platform = macOS, ownership = Corporate, tags, etc.).

  3. Turn on Automatic Device Account Provisioning.

  4. Configure the Device Account Template, including:

    • Username

    • Display name

    • Admin vs standard privileges

    • Password options

  5. Save the Smart Device Group.

Result:

  • The Smart Device Group is created with auto‑provision enabled.

  • Any device that meets the rules will be automatically added to this group.

3. Device enrolls and is added to the Smart Group

After Setup Assistant completes and the ADE device enrolls in Swif:

  1. The device checks in with Swif.

  2. It is evaluated against your Smart Group rules.

  3. If it matches, it is automatically assigned to the Smart Device Group.

4. Swif sends MDM command to create the local account

Once the device is part of the Smart Device Group with auto‑provision:

  1. Swif sends an Apple MDM command of type CREATE_USER to that device.

  2. The command includes:

    • username

    • displayName

    • password

    • privileges (e.g., Standard or Administrator)

  3. When the device processes this command successfully (HTTP status 200), macOS creates the local user account accordingly.

On the Mac, you will then see the newly created local account as configured in the Smart Device Group.

Behavior summary: what’s supported vs. not supported

Supported

  • ADE Mac shows Setup Assistant; most screens configured as “skip” in Swif are skipped.

  • You can automatically create one or more local accounts after enrollment via Smart Device Group auto‑provision.

  • The auto‑created account is reliably created for devices that:

    • Enroll successfully, and

    • Are added to the matching Smart Device Group.

Not supported / current limitation

  • You cannot skip or bypass the very first local user account creation screen during ADE Setup Assistant.

  • You cannot prevent the end user from creating that first account using only Smart Device Group auto‑provision plus “skip all possible setup assistant screens”.

  • Swif does not delete or replace the first manual account automatically in this flow.

If your security model requires strict control over which accounts exist on the device, you may additionally use:

  • macOS configuration profiles (e.g., restrictions, login window options)

  • Manual or automated cleanup workflows after enrollment (such as converting or removing the initial account through scripts or policies, where appropriate and supported)

Detailed test scenarios and conclusions

These scenarios come from our internal validation of ADE + Smart Device Group auto‑provision (see Jira reference: ST‑6309).

ID

Scenario

Steps

Expected Result / Conclusion

Result

1

ABM device setup with “skip all possible setup assistant screens”

  1. Start ABM out‑of‑box setup on the Mac. 2) Go through activation using the “skip screens” configuration in Swif. 3) Observe which Setup Assistant screens are shown vs skipped.

Most of the Setup Assistant screens that are configurable as skippable in Swif are skipped, except for the local account creation screen.

2

Create Smart Device Group with auto‑provision enabled

  1. In the Swif web app, create a Smart Device Group using any valid device rule(s). 2) Enable Automatic Device Account Provisioning. 3) Save the Smart Group.

Smart Device Group is created successfully with auto provision enabled and an associated account template. (Acceptance criterion #2 satisfied.)

3

ABM setup: user must still create the first local user account during activation

  1. Start ABM device activation with “skip all possible setup assistant screens” configured. 2) Proceed through Setup Assistant until the user account stage. 3) Observe whether a local user creation screen is shown and whether it can be skipped or auto‑bypassed.

A local user creation screen still appears and cannot be skipped. The user must create the first local account during activation. Local user creation is not skipped for ABM devices.

4

After ABM activation, device added to Smart Group with auto‑provision: Swif creates device user account via MDM

  1. Confirm that the ABM device appears in Swif and is automatically assigned to the Smart Device Group. 2) Monitor backend logs for a create mdm user-accounts / CREATE_USER command for this device. 3) Wait for MDM command processing. 4) On the device, verify whether the configured Swif device user account is created as a local account.

When the device is automatically added to the Smart Device Group, Swif successfully triggers the MDM command to create a local user account. Logs show a CREATE_USER command with username, displayName, password, privileges and status 200. On the device, the corresponding local account is created as configured. This confirms: “the feature to get account created automatically once device is enrolled and added to the smart device group” works as expected.

FAQ

Q: Can Swif completely block users from creating any local account during ADE enrollment?
A: No. macOS still requires a first account to be created on the local account creation screen during Setup Assistant. Swif cannot remove or bypass this screen via Smart Device Group auto‑provision.

Q: What’s the main value of auto‑provision on a Smart Group for ADE devices then?
A: It reliably creates your standardized managed account (e.g., a corporate admin or standard user) automatically after enrollment and group assignment, without requiring manual account creation on each device.

Q: Can Swif delete the first manually created account automatically?
A: Not in this documented flow. If you need post‑enrollment cleanup or account transformations, those should be handled by additional policies, scripts, or manual processes, where allowed by your organization’s security policies and macOS capabilities.

Related Articles
Link Your Apple Business Manager (ABM) Account With Swif
Microsoft Automated Device Enrollment (ADE)
Set up Enrollment SSO for Apple devices
Managing Shared iOS/iPadOS Devices in Swif
Automatic Device Account Provisioning at Device Group
Did this answer your question?