AD Binding not picked up after Imaging

PhillyPhoto
Valued Contributor

I'm trying to build a "task sequence" through imaging that mirrors what we do on the Windows side. Ultimately what I would like is to have it 100% (or 99%) ready to go after the reboot from Imaging (still looking at FileVault options). So I have some configuration profiles set up now, and there's one that is hanging up on me until an inventory runs. That policy is for the network configurations (WiFi, wired, VPN), and pulls an AD cert at the same time.

I don't want the config to be pushed to the machine until I know it's on the domain, so right now I have 2 smart groups. 1 is for machines with a certain file I put on the machine to indicate it's going through this process, but NOT bound to AD. The 2nd is for machines that have the file and ARE bound to AD.

Looking through the jamf.log file and refreshing the machine in JSS while it's booting, it looks like it binds to AD while it still has the Apple logo and the progress bar (which is after the inventory request from Imaging). So it's stuck in this limbo land where it just updated the inventory but JSS doesn't know that it's bound yet.

I've built a policy strictly that updates the inventory for the non-bound computer group. I set that for start-up, login, logout etc but it doesn't actually run until the logout from my first login (the login isn't triggered). Below is the log for a machine I've tried this on. You see it update the inventory, THEN bind to AD, then it tells JSS I'm logging in, but doesn't get the login hook but does then get the logout hook and the login hook for the next login.

Tue Aug 25 11:15:43 MyMac jamf[589]: Executing Policy Inventory Update...
Tue Aug 25 11:16:00 MyMac jamf[1001]: Binding MyMac to ad.domain.com...
Tue Aug 25 11:16:13 MyMac jamf[1001]: Bound to Active Directory (ad.domain.com)
Tue Aug 25 11:16:52 MyMac jamf[581]: Informing the JSS about login for user localUser
Tue Aug 25 11:17:22 MyMac jamf[1346]: Checking for policies triggered by "logout" for user "localUser"...
Tue Aug 25 11:17:23 MyMac jamf[1346]: Executing Policy Inventory Update...
Tue Aug 25 11:18:33 MyMac jamf[1775]: Informing the JSS about login for user adUser
Tue Aug 25 11:18:33 MyMac jamf[1775]: Checking for policies triggered by "login" for user "adUser"...

alexjdale
Valued Contributor III

I personally recommend avoiding smart group-driven policies during imaging, replacing that with a control script where needed. I have a script that runs after reboot which executes an AD bind policy and then, if that is successful, installs the config profile for wireless which pulls an AD cert. It all happens in one script that is part of the configuration so there are no inventory dependencies.

bentoms
Release Candidate Programs Tester

@PhillyPhoto we achieved this by a "post flight" policy that writes a dummy receipt that we then scope the profiles to a smart group based on that receipt.

More info here.
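The control-script approach alexjdale describes, combined with the post-flight receipt bentoms uses for smart-group scoping, as an added example (this is not code from the thread or from Jamf). It assumes two custom policy triggers, "bind_ad" and "install_wifi_profile", and a constructed receipt path; the domain name is the one in the log above.

```shell
#!/bin/sh
# Added example (not code from the thread or from Jamf): a post-imaging
# control script that binds to AD, verifies the bind, and only then installs
# the wireless profile and writes the receipt the smart group keys on.
# Assumed custom triggers: "bind_ad" and "install_wifi_profile".
# The receipt path is a constructed value; the domain is from the thread's log.
set -eu

JAMF=/usr/local/bin/jamf
DOMAIN="ad.domain.com"
RECEIPT="/Library/Application Support/JAMF/Receipts/imaging_bound.txt"
MAX_TRIES=5
RETRY_DELAY=30

# Print the bound domain from `dsconfigad -show` output read on stdin
# (prints nothing when the machine is not bound).
ad_domain_from() {
    awk -F'=' '/Active Directory Domain/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# Succeed only when the supplied dsconfigad output shows a bind to DOMAIN.
is_bound() {
    [ "$(printf '%s\n' "$1" | ad_domain_from)" = "$DOMAIN" ]
}

bind_and_install() {
    tries=0
    while [ "$tries" -lt "$MAX_TRIES" ]; do
        # Run the AD bind policy; a failed attempt is retried, not fatal.
        "$JAMF" policy -event bind_ad || true
        if is_bound "$(dsconfigad -show 2>/dev/null || true)"; then
            "$JAMF" policy -event install_wifi_profile
            touch "$RECEIPT"          # receipt for the post-flight smart group
            "$JAMF" recon             # inventory now, not at the next logout
            return 0
        fi
        tries=$((tries + 1))
        sleep "$RETRY_DELAY"
    done
    echo "AD bind to $DOMAIN failed after $MAX_TRIES attempts" >&2
    return 1
}

# Only touch the live system when invoked as `sh postflight.sh run`.
if [ "${1:-}" = "run" ]; then
    bind_and_install
fi
```

Because the script verifies the bind itself and runs recon immediately, nothing waits on a login or logout hook to update inventory.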

PhillyPhoto
Valued Contributor

I tried to change the config file to include the directory binding, but it failed miserably. With the directory binding, I couldn't get it to install on any machine - newly deployed or existing. I did put it in a triggered policy at the post-boot, but it still doesn't see it until I login (bind to AD then refresh inventory).

I'm seeing a similar issue with a different set of machines I'm building. It would load the policy and enable FileVault for the "adobeinstall" account since that's the account used during post-boot, and the next line on the log was it deleting the account. Rebooting under the account created via script did nothing at all for FV. I put that one in Self Service, so it definitely won't get installed until there's manual intervention.

I might end up doing the same with the main policy I was trying to get working. It just seems like it's setting up more points of failure than I wanted, relying on someone to install it.