We are currently AD bound but want to go to Connect specifically because of problems with encryption and mobile accounts. That said, I do not think there is anything inherently wrong with binding, and besides FileVault all other functions seem fine. For full management you will want DEP enrolled regardless though; you can "fool" the device into this status through the re-enroll terminal command without resetting the device.
Hey BookMac,
I would opt in for Connect and demobilize. Connect has its quirks, that is for sure, but the demobilization and removal of local admin privileges is worth it. When migrating your users, the first time logging in and connecting the local accounts, this should be the only three-time login event. After that, it will be only two logins at the Connect login screen. I agree two times is too many. I wish Jamf would make the local account password check at an interval and not every time.
One of the major issues I've run into with Macs with user accounts that have been demobilized is FileVault, the keychain, and changing the user account's password. Specifically, the local admin account not having a secure token; instead, the user has the secure token. I'm having to pull these machines back for a fresh OS install just to get FV enabled because the secure token holder can't give the local admin account a token even if promoted to local admin. The local password reset and keychain problems I don't want to think about anymore. It's kind of a mess.
Hey guys. Thank you for your input. We are enrolling Jamf for the existing MacBooks without Jamf Connect and slowly letting the old devices die out.
Cheers