AD Bind and Sonoma Upgrade

akehren
New Contributor III

I recently had Jamf Pro update my MacBook to 14.3.1 from Ventura. The computer is AD bound and we have the Domain Admins and another group we use set so they should be computer admins. Before I pushed the upgrade my account was listed as "Mobile, Admin" but after the upgrade it just says "Mobile". I logged out and logged in as another account from our admin group and it didn't give that account Admin status either. At this point I suppose my next step would be to try to rebind the Mac to AD and hope that corrects the issue.

Has anyone else seen this happen?

5 REPLIES

AJPinto
Honored Contributor II

Has anyone else seen this happen?

Honestly, you will find most of us stopped AD binding years ago. Unfortunately, Apple REALLY does not want you AD binding anymore. However, I suggest moving your Admin access check to using local groups rather than AD groups for stability.

scottb
Honored Contributor

Yeah, AD binding is like imaging...🪦

akehren
New Contributor III

I knew that the Jamf community hasn't been fond of AD for some time now. Maybe it's time for us to give Jamf Connect another look. I'd tried hard to avoid using AD. I even managed to get a Mac to use Google for its directory binding, but I couldn't figure out how to mass deploy it through Jamf or how updating the certificate for it was going to work. It just seemed odd that the system upgrade would only partially break the binding.

When you say local groups, do you mean local groups on the Mac? I see a bunch of scripts for adding admin access for individual users, but nothing for linking access to group membership in Jamf or assigning access to a group pushed from Jamf.

roiegat
Contributor III

While AD binding isn't ideal...sometimes it's needed. But what we do is create a local user account for the user and then use the SSO configuration profile to connect that local account with AD.

What you can also do if you have accounts that you know should be admin is create a script that checks the user and makes sure they are in the admin group. If not, it puts them in it.
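
As an added example (not code from the thread or from Jamf), here is a Jamf-style script along the lines roiegat describes: it checks the console user against an approved list and adds them to the local admin group only if they are on that list and not already a member. The approved list arriving in script parameter $4 and the default account names are assumptions.

```shell
#!/bin/bash
# Added example, not from the thread. Jamf Pro passes script parameters as
# $4 onward; here $4 is assumed to hold a comma-separated list of account
# names that should be local admins (no spaces). The default is constructed.
APPROVED_ADMINS="${4:-jdoe,helpdesk}"

# Return 0 if $1 is exactly one of the approved account names, else 1.
should_be_admin() {
    local user="$1" entry
    local IFS=','
    for entry in $APPROVED_ADMINS; do
        [ "$entry" = "$user" ] && return 0
    done
    return 1
}

# macOS membership check through the Directory Services group editor.
is_local_admin() {
    dseditgroup -o checkmember -m "$1" admin >/dev/null 2>&1
}

# Add $1 to the local admin group and log it for the Jamf policy log.
add_local_admin() {
    echo "adding $1 to local admin group"
    dseditgroup -o edit -a "$1" -t user admin
}

# Ensure the current console user has admin membership only when approved.
ensure_console_user_admin() {
    local user
    if [ "$(id -u)" -ne 0 ]; then
        echo "must run as root (Jamf runs policies as root)"
        return 1
    fi
    user="$(stat -f%Su /dev/console)"     # console user on macOS
    if ! should_be_admin "$user"; then
        echo "$user is not on the approved list; no change"
        return 0
    fi
    if is_local_admin "$user"; then
        echo "$user is already a local admin"
        return 0
    fi
    add_local_admin "$user"
}

# Run the live check only where dseditgroup exists (i.e. on a Mac).
command -v dseditgroup >/dev/null 2>&1 && ensure_console_user_admin
```

Run it from a Jamf policy (at login or on a recurring check-in) with the approved names in parameter 4; the policy log shows which branch was taken.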

AvaBishop
New Contributor

Thanks for the info, I will keep it in my mind.