Question

AD Bind and Sonoma Upgrade

Forum|Forum|1 year ago
February 29, 2024
5 replies
21 views

+10

akehren
New Contributor

I recently had Jamf Pro update my MacBook to 14.3.1 from Ventura. The computer is AD bound and we have the Domain Admins and another group we use set so they should be computer admins. Before I pushed the upgrade my account was listed as "Mobile, Admin" but after the upgrade it just say "Mobile". I logged out and logged in as another account from our admin group and it didn't give that account Admin status either. At this point I suppose my next step would be to try to rebind the Mac to AD and hope that corrects the issue.

Has anyone else seen this happen?

+26

AJPinto
Legendary Contributor
Forum|Forum|1 year ago
February 29, 2024

Has anyone else seen this happen?

Honestly, you will find most of us stopped AD binding years ago. Unfortunately, apple REALLY does not want you AD binding anymore. However, I suggest moving your Admin access check to using local groups rather than AD groups for stability.

Like

+18

scottb
Valued Contributor
Forum|Forum|1 year ago
February 29, 2024

Yeah, AD binding is like imaging...🪦

Like

A

+10

akehren
Author
New Contributor
Forum|Forum|1 year ago
March 1, 2024

I knew that the Jamf community hasn't been fond of AD for some time now. Maybe it's time for us to give Jamf Connect another look. I'd tried hard to avoid using AD. I even managed to get a Mac to use Google for it's directory binding, but I couldn't figure out how to mass deploy it through Jamf or how updating the certificate for it was going to work. It just seemed odd that the system upgrade would only partial break the binding.

When you say, local groups, do you mean local groups on the Mac? I see a bunch of scripts for adding admin access for individual users, but nothing for linking access to group membership in Jamf or assigning access to a group pushed from Jamf.

Like

+16

roiegat
Valued Contributor
Forum|Forum|1 year ago
March 5, 2024

While AD binding isn't ideal...sometimes it's needed. But what we do is create a local user account for the user and then use the SSO configuration profile to connect that local account with AD.

What you can also do if you have accounts that you know should be admin is create a script that checks the user and make sure they are in the admin group. If not, puts them in it.