Posted on 02-02-2023 01:44 PM
I'm new to this so I'm sure I'm making mistakes. We recently set up Jamf and Jamf Connect. Now users can log into their Mac using their AD credentials. When a user is added to Jamf, our installer sets Jamf up to convert that user from a mobile user to a standard user. The problem is that as a standard user, if you open Terminal and use the id command, it will only report back local groups, not AD groups. The users' access to certain network shares is based off of AD groups. If I force the user to stay as a remote user then all their groups are retained. However, if the remote user changes their password it does not automatically sync. I feel like I'm missing something basic. I would like users to be able to log in with their AD credentials, have all their AD groups, and be able to change their passwords and have it sync. If anyone can point me in the right direction I would appreciate it.
Posted on 02-02-2023 09:36 PM
It sounds like you are encountering issues with group membership and password synchronization for Mac users who are logging in with their Active Directory (AD) credentials. To resolve these issues, you might consider the following steps:
Check Jamf Connect and Jamf Pro configurations: Ensure that the configurations for both Jamf Connect and Jamf Pro are set up correctly to support password synchronization and group membership from Active Directory. You can refer to the Jamf Connect and Jamf Pro documentation for guidance on how to properly configure these tools.
Verify network connectivity: Ensure that the Mac devices have stable and reliable network connectivity to the Active Directory domain controller. You can run network diagnostics to check for any issues with the network.
Review Directory Utility settings: Check the settings in Directory Utility on the Mac device to verify that the Active Directory information is correctly configured. This includes the server address, username, and password.
Test password synchronization: Try changing the password for a test user account and see if it correctly syncs to the Active Directory. If the password change is not being reflected in Active Directory, you may need to check the password synchronization settings in Jamf Connect and Jamf Pro.
If these steps do not resolve the issue, you may consider seeking additional support from the Jamf team.
02-03-2023 04:47 AM - edited 02-03-2023 04:51 AM
This sounds like it's working as intended. When you demobilize an account you break its relationship with Active Directory. So when you tell macOS to check the account's AD groups, there is no AD object linked to the account for macOS to check.
macOS does not give two poops about a user's AD group memberships. So the Mac not knowing your AD groups does not matter, as it does not use AD groups. Jamf Connect does create a Kerberos ticket which can be used to tell network services who the user is. You can also configure SSO apps like Microsoft's Comp Portal, Okta Verify, and so on to identify the user.
I recommend focusing on checking the Kerberos tickets.
As far as the password sync goes, that will never be automatic unless the user uses Jamf Connect to change their password. Jamf Connect will update AD with the new password, and update the macOS Keychain with the new password. If the password change comes from anywhere other than Jamf Connect, the user will need to enter the new password into Jamf Connect, which will cause Jamf Connect to "reconnect" with Azure and then update the keychain password.
Edit: I am flowing between using Azure and AD interchangeably. They are different; since you are using Azure, the Jamf Connect stuff would be AAD. The macOS stuff would be AD. Azure AD Connector is in there somewhere, but it's too early to think about that.
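A small diagnostic script for the checks discussed in this thread: whether the account is still an AD mobile account or a demobilized local one (from its AuthenticationAuthority record), what groups `id` sees locally, and whether a Kerberos TGT is present. This is an added example, not Jamf's or the poster's code; the embedded dscl and klist strings are constructed samples, and the live report only runs when given a user name on a Mac that has dscl.

```shell
#!/bin/sh
# Classify an account from the AuthenticationAuthority attribute as printed by
# `dscl . -read /Users/<name> AuthenticationAuthority`. An AD mobile account
# carries ";LocalCachedUser;" (plus ;Kerberosv5; and ;ShadowHash;); a
# demobilized standard account keeps only ;ShadowHash; (and maybe ;SecureToken;).
account_kind() {
  case "$1" in
    *LocalCachedUser*) echo mobile ;;
    *ShadowHash*)      echo local ;;
    *)                 echo unknown ;;
  esac
}

# Return 0 if klist output lists a ticket-granting ticket (krbtgt/...), else 1.
has_tgt() {
  printf '%s\n' "$1" | grep -q 'krbtgt/'
}

# Pull the cache principal ("Principal: user@REALM") out of klist output.
klist_principal() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Principal: //p' | head -n 1
}

# Constructed samples (not captured from a real machine).
SAMPLE_AA_MOBILE=';ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;Kerberosv5;;jdoe@EXAMPLE.COM;EXAMPLE.COM; ;LocalCachedUser;/Active Directory/EXAMPLE/example.com:jdoe:00000000-0000-0000-0000-000000000000'
SAMPLE_AA_LOCAL=';ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;SecureToken;'
SAMPLE_KLIST='Credentials cache: API:0
        Principal: jdoe@EXAMPLE.COM

  Issued                Expires               Principal
Feb  2 13:00:00 2023  Feb  2 23:00:00 2023  krbtgt/EXAMPLE.COM@EXAMPLE.COM'
SAMPLE_KLIST_NONE='klist: No ticket file: /tmp/krb5cc_501'

# Live report for one user; run as: sh check_account.sh <username>
report() {
  aa=$(dscl . -read "/Users/$1" AuthenticationAuthority 2>/dev/null)
  echo "account kind : $(account_kind "$aa")"
  echo "local groups : $(id -Gn "$1" 2>/dev/null)"
  out=$(klist 2>&1 || true)
  if has_tgt "$out"; then
    echo "Kerberos TGT : present for $(klist_principal "$out")"
  else
    echo "Kerberos TGT : none (no Jamf Connect sign-in yet, or ticket expired)"
  fi
}

if [ -n "${1:-}" ] && command -v dscl >/dev/null 2>&1; then
  report "$1"
fi
```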