
I have an AppleCare enterprise case open for this, but just curious if anyone here is experiencing the same thing:



When you are logged into a mobile account on an AD-bound Mac and go to set up iCloud, the currently logged-in network account will get locked out as soon as they attempt to provide a password when prompted for an admin password to complete the iCloud setup. The iCloud setup will "fail" but then the services seem to work anyway, but then if you unlock the network account it will lock again shortly after that as long as you stay signed into iCloud.



Been seeing this behavior for a few weeks, but wanted to wait until public release to discuss it here. Behavior has persisted through dev preview 8, and both GM builds (the second of which is the same as the final public build released today).

I can't add to this thread, other than to confirm that we're experiencing the exact same problems in our environment (AD-bound Macs, mobile accounts, constant lockouts).
Hopefully Apple will fix this bug soon. It's certainly a show stopper for Sierra upgrades.


Just upgraded my own workstation to prep for Sierra and instant lockout, twice today so far. Going to unbind to survive this week.


Latest update from Apple is that they no longer expect a fix to make it into 10.12.2. So, while we're all free to hope against hope and keep testing beta builds, it seems incredibly unlikely that we'll have a fix until after the new year. I've again emphasized to our TAM and several other contacts within enterprise support that we are halting 100% of our Mac purchases until a fix exists - I'm not going to start the clock on warranties for machines that we can't even use in our environment. I've been assured this has the highest level of internal engineering attention possible, but that doesn't really mean anything when we are over two months into production release of Sierra with a bug that renders the OS completely incompatible with our environment. Apple has suggested that in the meantime we can lift our failed password attempt policies on users who are on Sierra machines, but doing so would compromise the integrity of our security - which is an absolute non-starter in a healthcare institution. This is so frustrating...


What is frustrating is the budgetary block for Enterprise Connect. How about a little investment in us, Apple?



The enterprise environment is dominated by Active Directory, everybody knows this. So why yank back the reins on something that could benefit companies with large fleets of Macs existing in an AD environment? You would think they would be begging people to gain any sort of entrenchment or traction in the enterprise environment. Hell, we are the ones that replace computers every 3 years like clockwork.



In the meantime, I enabled 256-bit encryption and have had no lockouts since my initial setup.


Thanks for keeping us updated @jasonaswell. I agree with you 100%, it is ridiculous and unacceptable that this bug has not been fixed yet. Apple had better get a fix into 10.12.3.


Agreed @jasonaswell, we are a medical institution and I'd be driven out of the building as the devil if I suggested excluding a subset of the population from password policy.



I do feel a little bad for the support person on the other end of my enterprise case who has to deal with my daily barrage of "did you fix it now?" ¯\_(ツ)_/¯


The Mac Admin community to Apple right now about this bug -> Fix it! Fix it! Fix it!


I wish I could post a message of extreme displeasure in the only language Apple seems to understand these days: EMOJI


I've been following this thread with great interest as we are close to wanting to deploy the upgrade. Our macs are bound to AD and all are mobile accounts. Screen savers are set to lock immediately. So far we have tested a few users with Sierra (including myself) and we have had no lockout issues since Sierra first came out.



We do have a lockout policy in place, but I need to check with my Windows Admin to see what the threshold is because this issue doesn't seem to be affecting us. ¯\_(ツ)_/¯


@djdavetrouble



Can you provide more info about the "budgetary block for Enterprise Connect" without getting your source in trouble?





I'm guessing they are referring to the base cost of EC, which is approximately $5500; some bean counters think that's a high cost for something that should be built into the OS. I don't think the cost is particularly high, but I do think it should be built into the OS (or MDM framework). We pay (an arguable premium) for Macs, we pay for MDM. Oh, BTW, pay for this other thing too :)


Pretty sure that has to do with EC being developed and maintained by Professional Services outside of the development teams for OS X/macOS, so there is no official "budget" for EC past what PS allocates inside their group? That's just speculation from what I have gathered, though.


I was thinking of something like this:



http://macosxautomation.com/about.html


Yeah. That doesn't bode well for the future. He says speak up, but I'm not really sure Apple is listening anymore (unless it is blasting out of Beats)...


Thanks for the updates @jasonaswell and everyone. I've been following this thread for a while now. Like many of you, excluding staff from password policies would be met with a strong no from our InfoSec team and maybe some nerf darts to the head.



I've been running Sierra on my Mac and we've allowed a couple of production users to upgrade, but on the basis that they disabled 2FA before the upgrade. 2FA isn't required in our environment, so that's a blessing for us, but that of course could change any day from the powers above.


@gachowski Yes what @Kaltsas said, I was talking about the fee from Apple.


So EC isn't really an "Apple" app : )



Think of it more as an Apple "Enterprise Support or Professional Services" app. It's my understanding that the Enterprise Support team wrote it to address a client issue, and they want to keep supporting the app and make sure that everyone is using it correctly; that is why there is a small cost.





@jasonaswell



Are you willing to share your case number? I have not opened a ticket yet with Apple and I can "pile on" yours.





@gachowski Sure thing, my case is 100026962372. I also got a notice today that Apple Enterprise Support opened another case under 100078642515, but it's not clear to me why they did this yet since this case number isn't associated with our account.


Thanks Jason, I have opened a ticket and added your case number. I will keep everyone up to date...





Our engineer just called me to talk through my testing workflow and to toss some thoughts back and forth about what we are seeing (myself in our production environment, and them in their test setup). So, I know they are actively working on this, and it sounds like they are definitely tying the threads together between customer cases. I can appreciate all of that and am grateful for the work they are doing. I want to make clear here that everyone that I've directly interacted with from Apple is taking this very seriously. My concern mainly lies with the fact that this has gone on for so long and I wonder whether or not the powers that be at Apple are allocating an adequate amount of resources towards solving this. For the sake of my and everyone else's users, I hope a solution turns up soon.


FYI @gachowski our case number is:



100057936834



Feel free to add it to your case for impact.



We are working to escalate the severity of our case with Apple; hopefully our combined efforts will be sufficient to get some movement, but I am not holding my breath based on @jasonaswell's post:



https://www.jamf.com/jamf-nation/discussions/21320/sierra-ad-account-lockout-when-setting-up-icloud#responseChild134529



Cheers,



--Andy


I am watching this thread as well, as we have a handful of users experiencing the very same issue. It's quite annoying.
The Windows event logs from our DCs don't mention the source/caller computer name of the lockout either, just the account being locked out, so we know there's something fishy causing this issue, as it would otherwise say what computer/device the lockout originated from.
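The post above describes checking domain controller logs for the lockout source. As an added example (not code from the thread or from Apple), here is a PowerShell script that pulls Security event ID 4740 ("A user account was locked out") from a set of domain controllers and lists, per lockout, which caller computer name the DC recorded, flagging events where that field is empty, which is the symptom the post describes. The DC hostnames and the one-day lookback window are placeholders; the script assumes you have Event Log read access on the DCs and that remote event log access is permitted through the firewall.

```powershell
# Added example, not from the thread. Requires Event Log read rights on the DCs.
# Event ID 4740 is logged on the DC that processed the lockout; in its event data,
# TargetUserName is the locked-out account and TargetDomainName carries the
# "Caller Computer Name" reported by the DC (empty for some non-Windows sources).

function Get-AccountLockoutSource {
    param(
        # Placeholder hostnames; replace with your domain controllers.
        [string[]]$DomainController = @('DC01.example.internal', 'DC02.example.internal'),
        [datetime]$Since = (Get-Date).AddDays(-1)
    )

    foreach ($dc in $DomainController) {
        try {
            $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
                LogName   = 'Security'
                Id        = 4740
                StartTime = $Since
            } -ErrorAction Stop
        } catch {
            # Get-WinEvent throws when nothing matches; treat that as zero lockouts on this DC.
            if ($_.Exception.Message -notmatch 'No events were found') {
                Write-Warning "$dc : $($_.Exception.Message)"
            }
            continue
        }

        foreach ($e in $events) {
            # Read the event data by field name rather than by positional index.
            $xml  = [xml]$e.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            $caller = $data['TargetDomainName']
            [pscustomobject]@{
                Time          = $e.TimeCreated
                DC            = $dc
                User          = $data['TargetUserName']
                Caller        = $caller
                # An empty caller name is what the post above reports seeing.
                CallerMissing = [string]::IsNullOrWhiteSpace($caller)
            }
        }
    }
}

# Usage: list lockouts in time order, then count them per account so repeat
# victims (e.g. an account that re-locks every time it is unlocked) stand out.
$lockouts = Get-AccountLockoutSource
$lockouts | Sort-Object Time | Format-Table Time, DC, User, Caller, CallerMissing -AutoSize
$lockouts | Group-Object User | Sort-Object Count -Descending | Select-Object Name, Count
```

Querying every DC matters because 4740 is written only on the DC that enforced the lockout; the PDC emulator sees the replicated bad-password counts but the per-lockout caller field lives in the originating DC's log. Correlating a lockout whose caller name is blank with the time a user signed into iCloud on a Sierra Mac is the defensible way to attribute it to this bug rather than to a stale credential elsewhere.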


Hi everyone,



I'm experiencing a problem that seems similar to the one in this thread. Since I enabled "Allow your Apple Watch to unlock your Mac", my AD account gets locked out every hour. Do you think I need to open another case, or is it better if I add my questions to existing cases?


Yeah, I was getting the Apple Watch thing too. It's a thing.