In reply to jwz.

Seems likely to be a side effect of the way they've restructured everything under the hood to support Signed System Volume.

SSV means that what appears to be a single root FS is actually several APFS volumes in a trenchcoat, all allocating space from a single APFS container.  The main two are the SSV and the user data volume.  System files that don't need to be writable live in the SSV, protected from online tampering by being mounted read-only and offline by cryptographic signatures.

The SSV is mounted at /, and the data volume at /System/Volumes/Data.  Thus, the true path to the user templates is /System/Volumes/Data/Library/User Template. They came up with some kind of overlay scheme which presents individual data volume directories at their place in the filesystem hierarchy, so it's also visible at the traditional /Library/User Template path.

My best guess is that while FileVault is on (meaning full protection is enabled), they decided not to trust the mutable user templates as they're a kind of system file that has to be part of the R/W user data volume, and thus theoretically attackable.

In reply to tfb.

I don't remember it working like that but maybe I wasn't using File Vault back then.

In reply to That Other Smartass Jon.

Perhaps if instead of File Vault encrypting the whole Data volume they had instead put each user's home directory in a separate encrypted disk image

That is exactly how it used to work.

In reply to jon ellis.

If you want the Guest account to be more than just a web browser then you can't turn File Vault back on. The whole point of File Vault is that you need a password in order to decrypt the disk (or at least the Data volume which is where all the user writeable parts are stored), and Guest accounts don't have a password. If Guest accounts could just go ahead and access the disk anyway it would make File Vault pointless.

Perhaps if instead of File Vault encrypting the whole Data volume they had instead put each user's home directory in a separate encrypted disk image, then you could still have a more normal Guest account. But Apple didn't go that route.

In reply to Andre Louis.

then why are you commenting? jesus

In reply to jwz.

Oh wow what the fuck

In reply to TreeSeeker.

Oh I'm still on 14, this was a new Mini for the office staff that came with.

I am holding off "upgrading" from Sequoia to Tahoe as long as possible. Curious your take now that you have.

I went down a rabbit hole using .mobileconfig files with policies to enforce the Guest User setup but didn't have a Tahoe system to experiment on to know if Tahoe changed anything from Sequoia that would break things.

In reply to jwz.

I know. Some people don't

In reply to Arjen Haayman.

We do what we must because we can. Also if I don't then the answer won't be there when I forget and do the search again.

In reply to jwz.

this is soo stackoverflow to post the answer yourself 🤗

In reply to jwz.

So I guess if this is on a machine where file vault matters for other accounts, your plan B is to make a Guest2 user and rsync it back to template from cron.

In reply to jon ellis.

I believe file vault triggers the "I am not a desktop" response.

In reply to jwz.

do you ever get to turn filevault back on, or is it one or the other of guest users and file vault?

Turns out the answer is: turn off file vault; reboot; turn off guest user; reboot again; turn on guest user.

If you don't do all of that, the guest user goes into some horrid, kiosky "I am an iPad instead of a computer" mode.

In reply to Andre Louis.

You must be new here.

In reply to jwz.

I hadn't because:
1. I was upstairs looking at it over the network from a windows machine
and
2. I didn't even know this thing existed until your post today.

In reply to Andre Louis.

Tell me you haven't actually tried it without telling me that you haven't actually tried it.

you have to buy a new Mac for every guest user. Profit.

Just checked my system and there's an alias there that points to /Library/ not /System/Library/, so I guess that's the new location?