Demobilize user accounts from LDAP (FoxPass)

FrogOnABike

So I'm just starting out with rolling out Jamf Connect (connecting to OneLogin as IDP) in our org.

At present users are logging into their Macs via LDAP, which is linked to FoxPass in the backend. This creates their accounts as "mobile" accounts, and I'd hoped to be able to use the demobilize method to convert these to local accounts, but so far it has been failing when run as per the docs.

Looking in the log file located here:

/private/tmp/jamf_login.log

I just see:


[com.jamf.connect.login] - Info - LoginSwiftMech: Initializing DeMobilize mechanism.
[com.jamf.connect.login] - Info - Settings: Found managed preference in com.jamf.connect.login: DemobilizeUsers
[com.jamf.connect.login] - Info - DemobilizeMech: DeMobilize mech starting
[com.jamf.connect.login] - Info - DemobilizeMech: Account wasn't a cached account, but just a local one. Allow login.
[com.jamf.connect.login] - Info - LoginSwiftMech: Allowing login

Running this command (lifted from the NoMAD guide Rabbit posted), I can see the account does still seem to show as mobile, as it still references LocalCachedUser and our LDAP bits.

sudo dscl . read /Users/<username> AuthenticationAuthority

At this point I'm at a bit of a loss on what to do beyond just enabling the Connect login screen and crossing my fingers!


junjishimazaki

Hi, please look at this guide on how to demobilize an AD account. https://docs.jamf.com/technical-articles/Demobilizing_and_Unbinding_Mobile_Accounts_with_Jamf_Connec...

Thanks for the suggestion, however that is what I started with. I suspect there is a problem as, strictly speaking, I'm not demobilizing a previously AD-linked account; ours are instead linked to an LDAP directory.

junjishimazaki

Oh I see, thank you for clarifying. Sorry for the confusion. The demobilization process that Jamf Connect deploys requires the Mac to be AD bound. So, you're out of luck using Jamf Connect's demobilization function. The only way I know to do this is the long way.

1. You will need another admin account, log in with the admin account

2. Open System Preferences, delete the user account, and select the second option, "Don't change the home folder". The user folder may be renamed.

3. If the user folder is renamed after the user account has been deleted, then rename it to match the user's username per your org's naming convention.

4. Log out and log in via Jamf Connect. This will create a new user account but retain the user's data/permissions.
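The thread hinges on one check: whether an account is still a cached ("mobile") directory account, which the poster verified by reading AuthenticationAuthority with dscl. The script below is an added example, not code from the thread or from Jamf; it parses that attribute, reports "mobile" or "local", and extracts the directory node the account was cached from, so the same check can be run before and after the manual recreate-the-account procedure above. The two sample attribute strings are constructed for offline use, not captured from a real Mac, and the user name, LDAP host and GUID in them are placeholders; the check_account wrapper only works on macOS, where dscl exists.

```shell
#!/bin/sh
# Added example (not from the thread). Classify a macOS account as "mobile"
# (a cached directory account) or "local" from its AuthenticationAuthority,
# the attribute the poster read with:
#   sudo dscl . read /Users/<username> AuthenticationAuthority
#
# A mobile account carries a ";LocalCachedUser;" entry naming the directory
# node it was cached from (an /LDAPv3/... node in the poster's FoxPass setup).
# A purely local account has ;ShadowHash; (and usually ;SecureToken;) but no
# LocalCachedUser entry. LocalCachedUser is checked first because mobile
# accounts also carry ShadowHash for the cached password.

# classify_authority AUTHORITY_TEXT
# Prints "mobile", "local" or "unknown"; returns 1 when no verdict is possible.
classify_authority() {
    case "$1" in
        *';LocalCachedUser;'*) echo mobile ;;
        *';ShadowHash;'*)      echo local ;;
        *)                     echo unknown; return 1 ;;
    esac
}

# cached_node AUTHORITY_TEXT
# Prints the directory node recorded in the LocalCachedUser entry
# (e.g. /LDAPv3/ldap.example.com); prints nothing for a local account.
# dscl separates the attribute's values with spaces, so split on them first.
cached_node() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | sed -n 's/^;LocalCachedUser;\([^:]*\):.*/\1/p'
}

# check_account USERNAME
# Live check: reads the attribute with dscl (macOS only; reading another
# user's record needs sudo) and prints a one-line verdict.
check_account() {
    auth=$(dscl . read "/Users/$1" AuthenticationAuthority 2>/dev/null) || {
        echo "cannot read /Users/$1" >&2
        return 2
    }
    verdict=$(classify_authority "$auth")
    node=$(cached_node "$auth")
    printf '%s: %s%s\n' "$1" "$verdict" "${node:+ (cached from $node)}"
}

# Constructed sample outputs (placeholders, not captured from a real system).
SAMPLE_MOBILE='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2> ;Kerberosv5;;jdoe@LKDC:SHA1.0000;LKDC:SHA1.0000 ;LocalCachedUser;/LDAPv3/ldap.example.com:jdoe:11111111-2222-3333-4444-555555555555 ;SecureToken'
SAMPLE_LOCAL='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2> ;Kerberosv5;;jdoe@LKDC:SHA1.0000;LKDC:SHA1.0000 ;SecureToken'

# Offline demo: ./check_mobile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    classify_authority "$SAMPLE_MOBILE"   # mobile
    cached_node "$SAMPLE_MOBILE"          # /LDAPv3/ldap.example.com
    classify_authority "$SAMPLE_LOCAL"    # local
fi
```

Run check_account against the affected user after step 4 of the procedure above: if it still prints "mobile (cached from /LDAPv3/...)", the account was not actually recreated and Jamf Connect is logging into the old cached record, which matches the "Account wasn't a cached account" log line the poster saw being misleading for this account type.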