
I'm working through some remote support issues for macs, and stuck on this one. Mac is remote, and has to use a VPN to connect to the domain. Normally, after the machine joins the domain (no problem - I connect with the VPN and join) I log off as the local user then login as the domain user. Then I create a mobile account and all's well.



However, because the connection to the VPN drops once the local user is logged out, you can not login as a domain user because it can't look it up on the domain.



With Windows, we get around this issue by using "Change User" which doesn't actually log off the local user and doesn't break the VPN connection to the domain. I don't see how to accomplish this on a Mac, and because we support remote users with Macs, we need to be able to set them up on the domain.



One thing I tried was to create a local account using the domain ID/password, then login with it, connect to the VPN/domain, then tick "mobile account" but for that type of account it does not give a mobile option.



I also tried turning on Fast Switching (users) and selecting 'other user' and trying to log in then, but it won't allow it - apparently that breaks the VPN connection too (or perhaps Fast Switching requires an established account).



Thoughts? We just use macOS Catalina.

@mcantwell I was trying to use this with a remote user today and it was failing for me at that same section. It seems like a good idea to check connection with AD, but when we ran the terminal commands they worked. So I think I may do some revising to that section of the script. I'll post an update here. Glad you got it working!


@strayer Have you had any issue with it caching the user password? I had to do a separate Terminal login as the user before it would let them login from the macOS security screen.


I had to do a separate Terminal login as the user before it would let them login from the macOS security screen.


As an update, I got this to work by also passing the user password when creating the account:
createmobileaccount -a "$adminUser" -U "$adminPass" -n "$userToAdd" -p "$userPass"


Thank you @strayer ,@tjosey @hansjoerg.watzl and @mcantwell for your collaboration on this. I'd been beating my head on my desk trying to get some new macs setup for new hires remotely. I'd found online and tried the @rtrouton script and Patrick Gallagher scripts unsuccessfully and I found this just a little late, but know I will be needing it again soon!


@strayer I'm a complete and total rookie when it comes to Macs. That being said, I don't know two big things (well, I don't know a lot more, but that's a different story).

One, I need to know which items I'm editing in the script that you so kindly provided. For example, $localAdminUser: am I modifying anything that has a $ preceding it? Sorry, I do not want to mess this up. I bound the Mac to the domain, and I have a command line we use to fix FileVault issues; I used pieces of that to get my user directory created for my mobile account but never cached it, and from my reading that was probably because I didn't have the single quotes around my complex password. So, super long story short, I have a local account that I need to migrate to mobile/AD and your script should work for me. I just don't know what I need to modify.

Two, how am I saving this script and running it? What is the language? When I attempt to save it, it's asking me what the language is and I have no idea. I thought Shell Script, but it doesn't allow me to add the .command extension, so I'm obviously doing it wrong.

I know it's been months since you posted, but this could ultimately save our first response team some serious time in getting new devices to remote users. I appreciate any help from anyone and I thank whoever it may be in advance, truly.


@kuzama
since posting it here I set up my github and this is the version of the script that I'm using in Production. The production version does expect filevault encryption to be turned on. (it will also call a policy with the sudo jamf policy -trigger catalina_fv if FV is not turned on.)
it also expects the computer to be bound and runs a policy with sudo jamf policy -trigger rebind to rebind the computer if it is not bound.



https://github.com/theadamcraig/jamf-scripts/blob/master/remote_AD_user_creation.sh



either version of the script only expects the local admin's username and password to be passed as variables $4 and $5 in Jamf (see screenshot). You don't need to edit anything in the script itself (unless you aren't using filevault)





You want to save it with the .sh extension. .command files are a different thing that I've only used once or twice and not very well, but Jamf policies will be using it as a shell script.



In shell scripting, the $ just indicates that something is a variable. So at the top of the script when it says



adminUser="$4"
adminPass="$5"


it is defining those variables from the jamf policy screenshot.



Hope that is a good explanation.


@mcantwell Thanks for the update. I was able to create an account with a standard one-word password; however, if an account has a password with spaces, say the password is "Football is my #1 Sport", it always comes back with an authentication failed error. Using the example above, can you please let me know what the command would be?



Update: I had the account added before seeing your post, so once I removed the account then added it again with the password, it worked like a charm.



Thanks
Thanks in advance


Hi
I'm trying to work through the script without filevault.
I copy and pasted the one from @strayer's github and created a self service policy.
I got this error when running the script:



An error occurred while running the policy "Add Remote AD User" on the computer "HLC1471".
Actions from policy log:
[STEP 1 of 5]
Executing Policy Add Remote AD User
[STEP 2 of 5]
Running script Local AD User Creation...
Script exit code: 1
Script result: admin user is not SecureToken enabled.
admin user is not SecureToken enabled.
Checking for policies triggered by "rebind" for user "support"...
No policies were found for the "rebind" trigger.
* admin user is not SecureToken enabled.
AD User failed to add.
Verify GlobalProtect is Connected.
Recommend restarting the computer and trying this install again.
If issues continue run 'Rebind to Domain' from Self Service and then try install again.
button returned:OK


I did some searching and am really confused about SecureToken and how it pertains to this process if I don't want filevault.
Thanks for any assistance.


@llitz123
What I found from having to do this for the first time this week is the following:



-a username : opt SecureToken enabled admin user name
-U password : opt SecureToken enabled admin user password.
-D : don't prompt for SecureToken enabled admin information



So it seems like you may need to replace both -a and -U with just -D if the local admin is not a SecureToken holder.
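An added example, written for this thread rather than posted by anyone in it, that ties the two points above together: the -a/-U versus -D choice from the createmobileaccount usage text, and the "password with spaces" failure reported earlier, which is a quoting problem (an unquoted $userPass is split into several arguments). It assumes it runs as root from a Jamf policy on a Mac that is already bound and on VPN; $4/$5 are the local admin user and password as in the thread, and $6/$7 (assumed here, not from the thread) carry the AD user and password. The parsing and flag selection are in functions that take their input as arguments, so they can be checked without a Mac.

```shell
#!/bin/sh
# Added example for this thread, not code posted by anyone in it.
# Picks createmobileaccount flags from the admin's SecureToken status and keeps
# every password as a single argument, which is what breaks "Football is my #1 Sport".
# Assumptions: runs as root from a Jamf policy on a Mac that is already bound and on VPN;
# $4/$5 = local admin user/password (as in the thread), $6/$7 = AD user/password (assumed).

CMA=/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount

# sysadminctl -secureTokenStatus prints one line such as
#   sysadminctl[655:6512] Secure token is DISABLED for user jdoe
# The parser takes the text as an argument so it can be checked offline.
token_state_from_output() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Live lookup; sysadminctl writes the status line to stderr, hence 2>&1.
token_state() {
    token_state_from_output "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# run_cma STATE ADMIN ADMINPW USER USERPW
# -a/-U only work when the admin holds a SecureToken; otherwise -D skips that prompt.
# Every variable is double-quoted, so spaces and '#' in a password stay in one argument.
# CMA_EXEC lets a test substitute a shell function for the real binary.
run_cma() {
    state=$1 admin=$2 adminpw=$3 user=$4 userpw=$5
    if [ "$state" = ENABLED ]; then
        set -- -a "$admin" -U "$adminpw" -n "$user" -p "$userpw"
    else
        set -- -D -n "$user" -p "$userpw"
    fi
    # Anything on argv is visible to `ps` while the command runs, and verbose mode (-v)
    # would also echo it into the Jamf policy log; keep -v off.
    "${CMA_EXEC:-$CMA}" "$@"
}

# Confirm the result is a cached mobile account rather than a plain local one:
# mobile accounts carry ";LocalCachedUser;" in their AuthenticationAuthority.
is_mobile_account() {
    dscl . -read "/Users/$1" AuthenticationAuthority 2>/dev/null | grep -q 'LocalCachedUser'
}

# Live path only on a Mac, as root, with all seven Jamf parameters present.
if [ -x "$CMA" ] && [ "$(id -u)" -eq 0 ] && [ $# -ge 7 ]; then
    state=$(token_state "$4")
    echo "SecureToken for $4: $state"              # never echo the passwords
    run_cma "$state" "$4" "$5" "$6" "$7" || exit 1
    dscacheutil -q user -a name "$6" > /dev/null    # warm the cache, as the thread does
    is_mobile_account "$6" || { echo "$6 was created but is not a mobile account"; exit 1; }
fi
```

The SecureToken check is what turns the "admin user is not SecureToken enabled" failure seen later in the thread into a deliberate branch instead of a policy error; the AuthenticationAuthority check catches the case where createmobileaccount returned without actually caching the AD user.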


@strayer First, thanks for all the work you've done on this. It's fantastic. Second, I'm trying to follow along and want to make sure I understand what is happening and what needs to be done by IT prior to giving this to an end user.



What information is needed about the user in order to use your script? I assume the username is needed. What I don't understand is if your script is creating a temp password for the user, or, if it's going to AD and pulling the users current password and caching it on the Mac? This isn't creating a user account in AD is it?



If you can explain that part, that would be helpful. My company will not allow us to ask the user for their password - nor would I want to for security reasons. However, I haven't been able to find a way to create a mobile account for them without them being present to login to the device first.



Thank you.


I've tried taking another look at this and I'm still running into issues trying to get it to work. I'm getting an error saying to verify GlobalProtect. I even tried to do the manual process of running the following commands in terminal:



sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -a $adminUsername -U $adminPassword -n $USERNAME



and



dscacheutil -q user -a name $USERNAME



It created the mobile account on the computer, however, the second command didn't appear to pull down the password for that AD account to the device since I couldn't login with the password for that account. Not sure what I'm missing here.


@bcbackes



We are using a version of the above script by strayer. The quick difference I see is that we are using the AD user's credentials instead of the admin credentials. I can confirm this has been working for the past 3 months. We hardcode the admin creds in $4 and $5. We run this over VPN after AD binding.



#!/bin/bash
# bash rather than sh: "read -d ''" below is a bash extension

adminUser="$4"
adminPass="$5"
DATE=$(date)


echo "Running cache AD User Account"



ADuser=$(osascript -e 'set T to text returned of (display dialog "Enter AD User Name:" buttons {"Cancel", "OK"} default button "OK" default answer "")')

#Prompts User for Password
#-----------------------------------#
read -r -d '' applescriptCode <<'EOF'
set dialogText to text returned of (display dialog "Enter your Current AD password to continue" default answer "" with icon stop buttons {"OK"} default button 1 with hidden answer)
return dialogText
EOF

ADuserPWD=$(osascript -e "$applescriptCode")

echo "$ADuser"


#Do not use verbose mode as it shows users password in log
#Variables are double-quoted so a password with spaces or # is passed as one argument
/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -D -n "$ADuser" -p "$ADuserPWD"


## this should query AD to cache the user including the password
dscacheutil -q user -a name "$ADuser"


#Lets Set an encrypted on date as a back up to cache account
#(tee runs as the user; a plain redirect after sudo would be opened by root, not the user)

sudo -H -u "$ADuser" touch "/Users/$ADuser/Documents/image.txt"
echo "This Mac was Filevaulted on $DATE" | sudo -H -u "$ADuser" tee "/Users/$ADuser/Documents/image.txt" > /dev/null


# create the plist file:
# (passwords containing & < > " or ' must be XML-escaped or fdesetup will reject the plist)
umask 077   # the file holds cleartext passwords; keep it readable by root only while it exists
/bin/echo '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Username</key>
<string>'"$adminUser"'</string>
<key>Password</key>
<string>'"$adminPass"'</string>
<key>AdditionalUsers</key>
<array>
<dict>
<key>Username</key>
<string>'"$ADuser"'</string>
<key>Password</key>
<string>'"$ADuserPWD"'</string>
</dict>
</array>
<key>UseRecoveryKey</key>
<true/>
<key>ShowRecoveryKey</key>
<false/>
</dict>
</plist>' > /tmp/fvenable.plist ### you can place this file anywhere just adjust the fdesetup line below

#now enable FileVault
/usr/bin/sudo fdesetup enable -inputplist < /tmp/fvenable.plist

rm -f /tmp/fvenable.plist



diskutil apfs updatePreboot /


/usr/bin/dscl . -change /Users/onetimeuselocaluseraccountnamehere UserShell /bin/zsh /sbin/nologin

dialog="$ADuser account has been added to Filevault, Please reboot to enable Filevault"
echo "$dialog"
cmd="Tell app \"System Events\" to display dialog \"$dialog\""
/usr/bin/osascript -e "$cmd"
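An added example for the fdesetup step of the script above; it is not efil4xiN's code. It addresses two things a reviewer would flag in the /tmp/fvenable.plist approach: a password containing any of & < > " ' corrupts the plist (so the FileVault step fails for exactly the "complex password" users the thread is about), and the file is written with whatever umask the policy inherited. The plist keys are the ones the script above uses; the only assumptions are that it runs as root on macOS with adminUser, adminPass, ADuser and ADuserPWD already set.

```shell
#!/bin/sh
# Added example for the fdesetup step of the thread's script; not code from the thread.
# Passwords are XML-escaped so & < > " ' survive the plist parser, and the plist only
# ever exists as a root-only 0600 file that is removed whether fdesetup succeeds or not.
# Assumes root on macOS with adminUser/adminPass/ADuser/ADuserPWD set as in the thread.

# Escape the five XML metacharacters. & goes first so the others are not re-escaped.
xml_escape() {
    printf '%s\n' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                             -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# build_fv_plist ADMIN ADMINPW USER USERPW -> plist text on stdout (same keys as the thread).
build_fv_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>$(xml_escape "$1")</string>
    <key>Password</key>
    <string>$(xml_escape "$2")</string>
    <key>AdditionalUsers</key>
    <array>
        <dict>
            <key>Username</key>
            <string>$(xml_escape "$3")</string>
            <key>Password</key>
            <string>$(xml_escape "$4")</string>
        </dict>
    </array>
    <key>UseRecoveryKey</key>
    <true/>
    <key>ShowRecoveryKey</key>
    <false/>
</dict>
</plist>
EOF
}

# Write the plist to a private temp file (mktemp creates it 0600; umask 077 covers any
# later writes) and print its path. Kept separate from fdesetup so it can be tested.
write_fv_plist() {
    umask 077
    tmp=$(mktemp "${TMPDIR:-/tmp}/fvenable.XXXXXX") || return 1
    build_fv_plist "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s\n' "$tmp"
}

# Feed the plist to fdesetup on stdin and delete it whatever happens.
# Nothing about the passwords reaches argv, so `ps` and the Jamf policy log stay clean.
enable_filevault() {
    plist=$(write_fv_plist "$@") || return 1
    /usr/bin/fdesetup enable -inputplist < "$plist"
    rc=$?
    rm -f "$plist"
    return "$rc"
}

# Live use only on a Mac, as root, with the thread's variables populated.
if [ -x /usr/bin/fdesetup ] && [ "$(id -u)" -eq 0 ] && [ -n "${ADuser:-}" ]; then
    enable_filevault "$adminUser" "$adminPass" "$ADuser" "$ADuserPWD"
fi
```

The escaping matters even when the password "works" elsewhere: createmobileaccount gets the raw string on argv, but fdesetup parses the plist as XML, so the same password can succeed in the first step and fail in the second.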

@efil4xiN What I don't understand is, if you have the AD user's credentials already, you can log in as that user and create their account right then and there. In my company, we are not permitted to share credentials, so this poses a problem for me. I was hoping the script somehow queried AD and pulled the user's password in automatically, but that doesn't seem to be the case here. Or I'm missing something....


Would it not work to run the equivalent of "GPupdate /Force" on a Windows machine, which would be "mcxrefresh"?



https://www.jamf.com/jamf-nation/discussions/9352/ot-mac-equivalent-of-gpoupdate-force



Since the domain user is known in Active Directory but not yet on the client computer?!



Because it was noted, that a VPN Connection is being used - updating the approved, known Users should make this work, no?


@bcbackes
My bad, I forgot to state that we also do not share user information. The Mac is shipped to the user with a one time use standard account. They login connect to VPN and add their AD account to Mac.


@efil4xiN So, do you have some script that runs to remove that "one time use standard account"? Or, are you saying you are creating a local account with their username, and a dummy password. Then, there's a script to convert it from a local account to a mobile account and then they are prompted to sync their password with AD?



Curious about your workflow. I'm looking into moving to Jamf Cloud. I think once I'm there, this will all be a moot point for me. Thanks!


Has anyone ever used the Mac built-in VPN (Cisco IPSec VPN)? Set up the authentication settings with your ASA firewall shared secret and group name if set up, then add the server address and account name. I have been using it to join computers to the domain before installing Jamf while logged on as the local admin account. After enrolling in Jamf and installing all our standard apps, log back in as local admin, connect to the built-in VPN > log out (using this IPsec VPN, it stays connected to the VPN network) > log in to the user's domain account.


I can't get this working under Big Sur now. Anyone else? It just stalls out and never launches the dialog. Jamf doesn't even show the policy as having been run.



UPDATE: User error, had old password hardcoded into script. :)


@strayer I've been looking for this command for a long time and finally found it. Thanks once again.



I can see one thing: if a mobile/AD user logs in after a month and the user's AD account password was changed in the meantime, the machine still works with the old password.
Is there any chance to check at every login and show a reminder to change the password?



I can help with the script development.


I accomplished this by logging in to a mac, activating the VPN connection, and enabling fast user switching and was able to put my account on a machine offsite. This was on an Apple Silicon, Big Sur Macbook Pro.


Hi All,
We had to update the script because techs were having issues (I adopted it from the previous admin). I took what we could and made a few updates:



sudo -H -u $ADuser touch /Users/$ADuser/Documents/image.txt
sudo -H -u $ADuser echo "This Mac was Filevaulted on $DATE" > /Users/$ADuser/Documents/image.txt



sudo -H will run as the user in the user's workspace, so it's just a check to make sure the creds are cached (and you get a file you could query later).



/usr/bin/dscl . -change /Users/onetimeuselocaluseraccountnamehere UserShell /bin/zsh /sbin/nologin



This will lock the standard account used to log in and set up the user's AD account on reboot.



This is now working 100%.


Thank you all for posting this, it's amazing. It did create the account, but does not seem to have generated the secure token as expected so the new account can't log in from the FV screen



% sudo sysadminctl -secureTokenStatus <redacted>
Password:
2021-05-21 15:06:02.632 sysadminctl[655:6512] Secure token is DISABLED for user <redacted>

@jwojda



The account enabling FileVault must be a SecureToken holder.


Assuming the device has a valid connection while on VPN, have the user open a Terminal prompt and use the login command. It will prompt for a user name and password. Once that login has been confirmed, use this command to create a mobile account:



sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n username



Rebind option worked and was able to add the users.. thank you so much for your help.


Despite my trying in a ton of different ways I was never able to script this. I had to type it in to terminal on the computer.



sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -a $adminUsername -U $adminPassword -n $USERNAME
That will put the user account on the computer.



dscacheutil -q user -a name $USERNAME
That will cache the user's password so you can log in as them.



Should this work for non-AD syncs? I am performing authentication using an LDAP sync to Google. I need mobile or even local accounts created at sign-in to allow my MDM policies to take effect. Should I be able to just copy and paste your Terminal line, or do I need to make edits?

