Posted on 02-08-2021 08:01 AM
I've run into a very puzzling issue on our Apple Silicon MacBook Pros. A little background: We have a post-image/refresh workflow in Jamf Pro that does a bunch of things, such as renaming the Mac, binding it to AD, and installing various pieces of software. It has worked for several years now, and has been updated to work with Big Sur. Everything functions as expected on Intel Macs running both macOS Catalina and Big Sur. However, when the workflow runs on an Apple Silicon-based Mac, the Mac doesn't give admin privileges to an AD group that should have admin on that machine. So, when I log into the machine using my AD credentials, I should be admin, but I am not.
Because I can log in with AD credentials, I know the machine is bound to the domain. If I run /usr/sbin/dsconfigad -show, the group is shown as an allowed Admin group. Running dsmemberutil checkmembership -U USERNAMEHERE -G admin shows that my user is a member of that group. I've tried leaving the machine connected to ethernet for 20-30 minutes, and rebooting, but nothing seems to resolve it.
The weirdest part is that if I run an Intel machine through this workflow, the AD group is recognized, so I'm an admin. I confirmed this on Friday by wiping two M1 MacBook Pros and one Intel MacBook Pro, so they would run through the workflow. I did this several times with each Mac, and every time, the M1s failed, but the Intel worked.
Does anyone know what might be causing this? I've run out of things to try and my google-fu has failed me. Any suggestions would be greatly appreciated. Thanks in advance!
Posted on 02-08-2021 08:30 AM
To rule out an issue that's specific to the M1 Macs and your AD environment that doesn't involve your workflow in Jamf, are you able to manually bind your M1 Macs to AD?
Posted on 02-08-2021 12:48 PM
That is an excellent question. I am currently working off campus, but when I'm on campus later this week I'll try to do a manual bind.
Posted on 02-12-2021 02:08 PM
Sorry for the delay in responding - I was finally on campus today and able to test. If I manually bind an M1 Mac, I get the same result - my domain user does not get Admin privileges. However, if I go into Directory Utility and make a change (in this case I deleted and re-added the group in the "Allow administration by:" box), when I click OK and check my domain user, they suddenly have the admin privileges they were supposed to. It's almost as if making a change prods macOS to communicate with the AD server(s) and it suddenly corrects the mistake. Very odd! Not sure how we're going to deal with this in production. I've been in communication with our Apple System Engineer, perhaps he has some ideas... I will definitely post again when I have more info.
Posted on 04-18-2021 03:57 PM
@jkarpenske were you able to come up with a fix for this? I'm seeing the same thing with accounts that have domain admin access.
Posted on 04-18-2021 04:18 PM
Make sure you are using the FQDN of the admin group. No issue with AD and admin groups since High Sierra using the same script. Intel/M1 all work. i.e. "Domainadmin group"
Posted on 04-20-2021 01:19 PM
We have a policy we just scoped out to our Big Sur Macs that runs the following command under the Files & Processes payload: dsconfigad -groups "enterprise admins,domain admins,domainAD group"
Seems to work. It does for some reason though require a logout and login to take effect, but I'm a bit suspicious of the Users & Groups pane in System Preferences as it seems a bit flaky in showing the Admin tag on accounts. I had it not show and after closing System Preferences and reopening it, it did show. But then just to make sure, I tested to ensure my domain account can unlock System Preferences, and it can.
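A post-bind verification step that could run in the same Jamf policy, as an added example that is not code from this thread: it reads the "Allowed admin groups" line from dsconfigad -show, checks that every expected group is present, and only then re-applies the list with dsconfigad -groups. The EXPECTED_GROUPS value and the dsconfigad -show output format are assumptions; confirm the output layout on one of your own bound Macs before relying on the parser.

```shell
#!/bin/sh
# Expected AD admin groups, comma-separated, in the form passed to `dsconfigad -groups`.
# (Assumed value; replace with the groups used in your environment.)
EXPECTED_GROUPS="enterprise admins,domain admins"

# Extract the value of the "Allowed admin groups" line from `dsconfigad -show` output on stdin.
# The line layout assumed here ("  Allowed admin groups  = a,b") is constructed from a typical run.
allowed_admin_groups() {
  sed -n 's/^[[:space:]]*Allowed admin groups[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Return 0 when every group in $2 (expected) appears in $1 (configured), 1 otherwise.
# Comparison is case-insensitive and ignores whitespace around commas.
groups_match() {
  configured=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/ *, */,/g')
  expected=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]' | sed 's/ *, */,/g')
  # Split the expected list on commas; a missing group ends the loop with status 1.
  printf '%s\n' "$expected" | tr ',' '\n' | while IFS= read -r g; do
    case ",$configured," in
      *",$g,"*) ;;
      *) echo "missing admin group: $g" >&2; exit 1 ;;
    esac
  done
}

# On a bound Mac: compare the live binding against EXPECTED_GROUPS and re-apply only on mismatch,
# so the policy stays idempotent and the log shows when the group list actually had to be fixed.
verify_and_fix() {
  configured=$(/usr/sbin/dsconfigad -show | allowed_admin_groups)
  if groups_match "$configured" "$EXPECTED_GROUPS"; then
    echo "admin groups OK: $configured"
  else
    echo "admin groups incomplete ($configured); re-applying"
    /usr/sbin/dsconfigad -groups "$EXPECTED_GROUPS"
  fi
}

# Only touch the live system where dsconfigad exists (i.e. on macOS).
if [ -x /usr/sbin/dsconfigad ]; then
  verify_and_fix
fi
```

Run it as a Jamf script after the bind step; the "re-applying" line in the policy log tells you which Macs came up with an incomplete admin group list.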
Posted on 04-21-2021 09:25 PM
Thanks @mthoma, looks like it's working now