I have an AppleCare enterprise case open for this, but just curious if anyone here is experiencing the same thing:
When you are logged into a mobile account on an AD-bound Mac and go to set up iCloud, the currently logged-in network account will get locked out as soon as they attempt to provide a password when prompted for an admin password to complete the iCloud setup. The iCloud setup will "fail" but then the services seem to work anyway, but then if you unlock the network account it will lock again shortly after that as long as you stay signed into iCloud.
Been seeing this behavior for a few weeks, but wanted to wait until public release to discuss it here. Behavior has persisted through dev preview 8, and both GM builds (the second of which is the same as the final public build released today).
I too can confirm that 10.12.3 beta seems to have fixed the account lockout issues.
10.12.3 seems to fix the issue in my shop too!
10.12.3b1 appears to have fixed this in our environment as well! w00t w00t!
I just want to pile on with the confirmations. I installed 12.3 Beta 1 yesterday afternoon and ever since, failedLoginCount has displayed zero. I dump it every minute to a log file. Looks good.
Hopefully we won't have to wait too long for this update to go live.
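The per-minute failedLoginCount dump described above, written out as an added example (not a script from anyone in this thread). It assumes the counter lives in the accountPolicyData plist of the local (mobile) user record, read with `dscl . -read /Users/<name> accountPolicyData`; the parsing is separated from the dscl call so it can be checked against a constructed sample.

```shell
#!/bin/sh
# Added example: poll the local failedLoginCount of a mobile account and
# append it to a log file once a minute, so lockouts can be correlated with
# iCloud sign-in or sleep/wake events. Assumption: the counter is stored in
# the accountPolicyData plist of the local user record (dscl . -read).

# Extract the integer following <key>failedLoginCount</key> from plist text.
# Prints -1 when the key is absent (for example, when dscl is unavailable).
parse_failed_login_count() {
  printf '%s\n' "$1" | awk '
    /<key>failedLoginCount<\/key>/ { want = 1; next }
    want && match($0, /<integer>[0-9]+<\/integer>/) {
      print substr($0, RSTART + 9, RLENGTH - 19); found = 1; exit
    }
    END { if (!found) print "-1" }'
}

# Read the live record (macOS only) and append one timestamped line to $2.
log_failed_login_count() {
  user=$1; logfile=$2; data=""
  if command -v dscl >/dev/null 2>&1; then
    data=$(dscl . -read "/Users/$user" accountPolicyData 2>/dev/null) || data=""
  fi
  count=$(parse_failed_login_count "$data")
  printf '%s %s failedLoginCount=%s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" \
    "$user" "$count" >> "$logfile"
  # A rising count while nobody mistyped a password is the symptom to chase.
  if [ "$count" -gt 0 ]; then
    logger -t adlockout "user $user failedLoginCount=$count"
  fi
}

# Constructed sample of what dscl prints for a record with three failures.
SAMPLE_POLICY='accountPolicyData:
 <?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>failedLoginCount</key>
    <integer>3</integer>
    <key>failedLoginTimestamp</key>
    <integer>0</integer>
</dict>
</plist>'
parse_failed_login_count "$SAMPLE_POLICY"   # -> 3

# Usage: sh lockout_monitor.sh <shortname> <logfile>   (polls once a minute)
if [ "$#" -eq 2 ]; then
  while :; do
    log_failed_login_count "$1" "$2"
    sleep 60
  done
fi
```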
Does anyone know where I can get 10.12.3 beta? Two of my users are having the same issues. Thanks.
You need to have a registered developer account or be in the AppleSeed program.
@sjit I would not apply beta builds to general population users... for IT eyes only!
Pretty sure Apple's NDA prohibits non-participants from installing the Beta. However Apple Enterprise have blessed applying a Beta build on an affected user, for troubleshooting purposes. The caveat was to clone the affected computer so it isn't a production/business use computer.
So it looks like even after I signed out of iCloud services, one of my users still keeps on getting locked out. I did notice iMessage is still signed in even after I signed out of iCloud. Should I sign out of that as well? Other than this, I really can't figure out what is triggering the lockout.
Also ran 10.12.3 beta. It is working. No bad password counts. Can't wait for the update. :-)
When is this update coming out?
@jalcorn most of us with open cases have been told we will probably see the update in January, but even with that I've been told that's not a guarantee. I imagine (this is pure speculation based on past experiences, not inside knowledge, so I could be entirely wrong) that we'll see at least 1 or 2 more beta builds before a GM public release of 10.12.3.
While we wait for a public 10.12.3 release, has anyone found an effective workaround for this problem? I've tried the "Do not require Kerberos preauthentication" setting on AD accounts without luck.
Thanks to everyone who has contributed to this thread, to help work through a frustrating issue!
Honestly I just created an "Un-bind" item in Self Service and am having users unbind until the issue is resolved. No AD connectivity, no lockouts. There is an existing "AD Re-Bind" option so they can hop back on at the drop of a hat if needed for any purpose.
How did you create the "un-bind"?
#!/bin/sh
# -force removes the bind locally even when the domain is unreachable, so the
# credentials do not need to be valid; placeholders are passed to satisfy the flags.
dsconfigad -force -remove -u notarealuser -p notarealpassword
We created a fine-grained password policy for users in an AD security group that raises the lockout limit to 15.
A little light at the end of the tunnel?
As of 01/13/2017 - 10.12.3 will be available to users "in the coming weeks" - Consumer Reports
This update will also address the 2016 MacBook Pro battery issues.
Hold your breath a little longer!
@hkabik could you provide your script on "AD Re-Bind" that you have in self service?
thank you in advance!
You could use the built-in bind function of the JSS for the policy, but I do use a script (altered to remove private info; if you're unfamiliar, the first half of the script is providing the username and password of the bind account with encrypted strings):
#!/bin/sh
# Decrypt a Jamf script parameter: $1 = encrypted string, $2 = salt, $3 = passphrase
DecryptString() {
echo "${1}" | /usr/bin/openssl enc -aes256 -d -a -A -S "${2}" -k "${3}"
}
# $4 and $5 are the policy's script parameters carrying the encrypted bind credentials
USERNAME=$(DecryptString "$4" 'numberstring' 'numberstring')
PASS=$(DecryptString "$5" 'numberstring' 'numberstring')
# Bind with mobile accounts enabled and the given AD groups granted local admin
dsconfigad -f -add DOMAIN.COMPANY.local -username "$USERNAME" -password "$PASS" -computer "$(scutil --get ComputerName)" -mobile enable -mobileconfirm disable -useuncpath disable -protocol smb -groups "domain admins,enterprise admins,DOMAINCOMPANY IT Workstation Admins" -alldomains disable
# Replace the "All Domains" search path with the single domain node
dscl /Search -delete / CSPSearchPath "/Active Directory/DOMAIN/All Domains"
dscl /Search -append / CSPSearchPath "/Active Directory/DOMAIN/DOMAIN.COMPANY.local"
dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/DOMAIN/All Domains"
dscl /Search/Contacts -append / CSPSearchPath "/Active Directory/DOMAIN/DOMAIN.COMPANY.local"
WE DID IT! Finally! I can't believe they actually included details about this bug in the release notes; I thought for sure the issue would fall under the "improves the stability..." umbrella. Thanks to everyone who opened a case and helped bring attention to it!
https://support.apple.com/en-us/HT207462
@dgreening
Any link to the combo update?
I just confirmed that the AD account lockouts caused by putting the computer to sleep and waking up have stopped after installing 10.12.3. YAY!
I've become so jaded over this mess I'm skeptical! lol
but I'm glad Apple finally addressed this debacle...