sysadminctl

• This CLI is not available from Recovery
• Use - to type passwords interactively

addUser

• Create a new user

sysadminctl -addUser myself \
  -admin \ # make the user an admin
  -password - \ # interactively type the user password
  -adminUser root -adminPassword - # name and pass of the admin in charge of creating the user

deleteUser

• Create a new user

sysadminctl -deleteUser myself \
  -adminUser root -adminPassword -

secureTokenStatus

• Secure token is required to be enabled for activating FileVault encryption

sysadminctl -secureTokenStatus myself

secureTokenOn

• Enable secure token for a given user

sysadminctl -secureTokenOn myself \
  -password - \
  -adminUser root -adminPassword -

secureTokenOff

• At least one user must have the secure token at a time (it may be the root user)

sysadminctl -secureTokenOff myself \
  -password - \
  -adminUser root -adminPassword -