Best Practice - AD Integration & Check

MBrownUoG
Contributor

Hey folks,

I'm relatively new to Jamf and taking over a system three years in development by our previous Mac admin, and I was wondering if anybody had any tips on best practice for AD enrollment and then checking for any Macs that drop off, with a mechanism for automatic re-join?

We have a setup at the moment that deploys an initial policy with a directory binding payload, and then a system whereby a script is run to re-bind the Mac should it drop into one of several computer groups based on a "joined to AD" extension attribute.

That extension attribute is proving troublesome, however, as it has stopped populating via our API script (case open with Jamf at the moment).

However, while I'm poking around with that, I was wondering how other folks handle this? We're an educational institution with a large number of labs, so I was hoping to streamline this and make it as efficient as possible.


davidacland
Honored Contributor II

We have used the policy and EA route previously, but it is difficult to get it to run without issues. DS caching and other aspects can give inaccurate results.

We've had more positive results by using Configuration Profiles to bind recently so I'd recommend trying that out.

kerouak
Valued Contributor

Set up a smart group that captures the unbound Macs, then run the rebind from that, ongoing.
That's how we resolved it.

MBrownUoG
Contributor

Thanks both. Kerouak, just to check, is your smart group using the "Active Directory Status" advanced criteria to filter the unbound Macs? And do you use a script to rebind?

kerouak
Valued Contributor

@MBrownUoG There is a criterion "AD Connection Check". Then enter the value "Unbound".

Use that one.

G'Luck!

MBrownUoG
Contributor

Hmmm, I seem to be missing that one?

The only criteria I can see on our system regarding AD is the built-in "Active Directory Status", and then our extension attribute "AD Member Test".

kerouak
Valued Contributor

Oops, sorry mate. That was an EA that was produced a while ago. I forgot :-)

We use our EA and the "Active Directory Status" criterion.
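The kind of "AD connection check" extension attribute this exchange refers to, written here as an added example rather than either poster's actual EA. It reports "Bound", "Unbound" or "Unreachable" so a smart group can scope the re-bind policy. It assumes `dsconfigad -show` prints an "Active Directory Domain = ..." line when bound, that `dscl localhost -list "/Active Directory"` lists the AD node, and that the "Domain Users" group exists in the domain; the sample output it is checked against is constructed.

```shell
#!/bin/bash
# Added example EA (hypothetical, not the thread's "AD Member Test" or
# "AD Connection Check"): classify the Mac's AD state for a Jamf smart group.
# Assumed tool behaviour: dsconfigad -show prints "Active Directory Domain = X"
# when bound; dscl lists the AD node under "/Active Directory".

# Extract the bound AD domain from `dsconfigad -show` output read on stdin.
# Prints nothing when no "Active Directory Domain" line exists (unbound Mac).
ad_domain_from_show() {
    awk '/^Active Directory Domain/ {print $NF; exit}'
}

# Map (domain, reachability exit code) to the EA value.
# $1 = domain (empty if unbound); $2 = 0 if the domain answered, non-zero if not.
classify_ad_status() {
    if [ -z "$1" ]; then
        echo "Unbound"
    elif [ "$2" -eq 0 ]; then
        echo "Bound"
    else
        echo "Unreachable"
    fi
}

# Live reachability probe: read a record every AD domain has through the AD
# node. It fails when no domain controller answers or the trust is broken,
# which is the "bound but dropped off" state the thread wants to catch.
ad_domain_reachable() {
    node=$(dscl localhost -list "/Active Directory" 2>/dev/null | head -n 1)
    [ -n "$node" ] || return 1
    dscl "/Active Directory/$node/All Domains" -read "/Groups/Domain Users" \
        RecordName >/dev/null 2>&1
}

# Run the live check only where the macOS tools exist, so the parsing and
# classification functions above can also be exercised with constructed input.
if command -v dsconfigad >/dev/null 2>&1; then
    domain=$(dsconfigad -show 2>/dev/null | ad_domain_from_show)
    rc=0
    if [ -n "$domain" ]; then
        ad_domain_reachable || rc=$?
    fi
    echo "<result>$(classify_ad_status "$domain" "$rc")</result>"
fi
```

A smart group on "Unreachable" catches Macs whose binding still exists but no longer works, which a plain bound/unbound test misses.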

MBrownUoG
Contributor

Out of curiosity, David, you mentioned using configuration profiles instead of policies and EAs... is there a setup guide I could have a look at kicking around anywhere? Do you configure one profile to join the Mac and then leave it at that, or do you have any checks in place to re-apply, etc.?

mark_mahabir
Valued Contributor

Does anything here help?