AD binding script that allows user to pick OU

Macmacmark
New Contributor III

I'm wondering if anyone knows or has stumbled upon a script for binding to AD that prompts to select an OU out of multiple selections. I work for a company that has multiple department OUs. The Windows side has a PowerShell script that prompts the user to select the OU; I would love to have something similar on the Mac side. I did some searching around to no avail; my guess is that there might be a better way to do this that I'm not considering. Any help on this would be greatly appreciated :)

1 ACCEPTED SOLUTION

koalatee
Contributor II

I do this with cocoaDialog; we have 3 main OUs with several OUs inside those (with OUs inside those, with OUs inside those...), so I let people choose and it drills down each time.
Definitely didn't want to hardcode anything in, so I'm using ldapsearch to search the OUs.

edit: just sanitized my script and put the whole thing here, with a few comments


mm2270
Legendary Contributor III

It should be possible to do. Applescript calls can display a list of items to choose from and the user selection is returned back to the script, which you should then be able to pipe into the dsconfigad command to bind the Mac.
You'd need to be sure you're using binding credentials in your script that can bind a Mac to any of the OUs you need to offer. I would suggest considering putting in script parameters to have the creds passed to the script, rather than having them baked into the script itself, for security reasons.

If you need a script example on how to do this, I can put something up here.

It's possible such a script would need to run with user interaction, which sometimes gets complicated to do when the script is run as root, so that might be a consideration to keep in mind.

bpavlov
Honored Contributor

I'll offer 2 alternatives, one of which is a variation of what @mm2270 suggested.

  1. Use AppleScript to display a list of OUs. In the JSS create a directory service binding for each OU. Then create a separate JSS policy for each of those bindings. And in your script on the computer, based on what the end user picks via the AppleScript dialog simply reference the JSS policy so that it can proceed to bind to AD. This avoids having to hardcode any password into a script or even putting them into JSS parameter fields which are not encrypted.

  2. Create a generic OU for all Macs to join. On the server side of things, have a PowerShell script that runs periodically and moves Macs to the appropriate OU.

hlemmon
New Contributor

To build on these great ideas, if your users log into their Macs with AD accounts and you have setup your AD mappings correctly in the JSS LDAP settings, you should already be storing each user's department in your JSS computer inventory records. You could one up the PowerShell side of the house by using the JSS API to build a script that references the appropriate department from JSS inventory and then automagically chooses the appropriate OU when it is time to bind...

khenley
New Contributor II

I had to do this but for different domains, not OUs, but I think it would work if you had a binding defined in the JSS for each OU. The script uses the API to get the list of directory bindings. A drop down list is made from that API data. The submit button triggers the appropriate binding policy.

Sounds similar to what someone else described. I used PHP and cocoaDialog to do it. If you're interested, let me know.

Macmacmark
New Contributor III

Thank you all! This really helped me wrap my head around how this should or could work. Much Appreciated! @koalatee thanks for posting your script here, I'm going to give this a shot :)

Macmacmark
New Contributor III

@koalatee It appears that this script is working exactly how I want it to, so thanks again! But I have one more question for you. It is giving me a lovely drop down list displaying all of my OUs. However, any OU that has a space is being treated as two different selections. I've looked through the script, but I can't seem to figure out how to get this to display properly. Do you know how I could accomplish this? You can probably tell I'm new to shell scripts :)

koalatee
Contributor II

@isenorma ah, yeah our OUs are all one string. We use periods (.) instead of spaces :)

One thing I do for API scripts in bash is to initially replace spaces with underscore (_) for display, then change it back when the selection is complete. I generally have issues with arrays with strings that have spaces in bash... there are ways you're supposed to be able to but I never have great success.

Macmacmark
New Contributor III

One more question for you @koalatee. I was able to get this partially working by manually entering my OUs in --items of the cocoaDialog section of the OU drop down list; I just had to quote each entry. All looks good now, but I don't actually see anything in the script to do the binding. All I'm seeing is this:

# Bind to AD #

# something needed for how our user groups are set up

if [[ "$OU_One" =~ "group 1" ]] || [[ "$OU_One" =~ "group 2" ]]; then
    echo "Not group 3, user group will be $domain$OU_One.OUusers"
    Ask_User="$OU_One"
else
    echo "group 3, user group will be $domain$OU_UserGroup.OUusers"
    Ask_User="$OU_UserGroup"
fi

It looks like this just attempts to give the user access to the OU? Not sure. I'm wondering if the bind part got sanitized? I've been looking at this for a while, so I might just be going crazy. :)

koalatee
Contributor II

@isenorma Actual binding happens in line 450 with dsconfigad. You shouldn't need to manually enter OUs; that's part of the whole point of the script ¯\_(ツ)_/¯

To your question about user groups, that's to help decide which group to give admin access to. By default, it gives the OU.Admin group (we have 3 main sites within our OU) and the OU.Users group for either the main site OU or the individual OU. It's confusing, I know... but that is set in line 461.

koalatee
Contributor II

@isenorma Look at line 37, say your dc is named my.company.server.com and you're trying to bind to the computersmac OU. Line 37 would look like:

DomainC="ou=mac,ou=computers,dc=my,dc=company,dc=server,dc=com"
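The pieces discussed across this thread, put together as an added example that is not koalatee's script or any code from the original posts: the domain is turned into a base DN, ldapsearch lists one level of OUs at a time (the drill-down in the accepted solution), OU names with spaces stay one item each (the problem raised above, solved with one argument per name instead of the underscore trick), the selection is shown with AppleScript's "choose from list" as mm2270 suggested, the chosen path becomes the DN in the form of the DomainC line above, and bind credentials arrive as Jamf script parameters rather than living in the script. The parameter layout ($4 domain, $5 DC host, $6 bind account, $7 bind password), the host and account names, the OU names and the LDIF sample are all constructed assumptions.

```bash
#!/bin/bash
# Added example, not koalatee's script. Host names, account names, OU names and the
# LDIF sample are constructed; the Jamf parameter layout below is an assumption.

# my.company.server.com -> dc=my,dc=company,dc=server,dc=com
domain_to_basedn() {
    printf '%s' "$1" | awk -F. '{ for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i }'
}

# "computers/mac" + base DN -> ou=mac,ou=computers,dc=...  (deepest OU first, the order
# dsconfigad -ou expects). RFC 4514 specials (, + " \ < > ;) in OU names are not escaped.
ou_path_to_dn() {
    local path="$1" basedn="$2" dn="" part
    while [ -n "$path" ]; do
        case $path in
            */*) part=${path%%/*}; path=${path#*/} ;;
            *)   part=$path; path="" ;;
        esac
        dn="ou=$part${dn:+,$dn}"
    done
    printf '%s' "$dn${basedn:+,$basedn}"
}

# Constructed sample of `ldapsearch -LLL ... -s one '(objectClass=organizationalUnit)' ou`
# output for the immediate children of a base DN.
SAMPLE_LDIF='dn: OU=Computers,DC=my,DC=company,DC=server,DC=com
ou: Computers

dn: OU=Mac Labs,DC=my,DC=company,DC=server,DC=com
ou: Mac Labs

dn: OU=Servers,DC=my,DC=company,DC=server,DC=com
ou: Servers'

# LDIF on stdin -> one OU name per line. Non-ASCII names arrive base64-encoded on
# "ou::" lines and are skipped by this simple parser.
ldif_ou_names() { sed -n 's/^ou: //p'; }

# Immediate child OUs of a DN. The password is handed to ldapsearch via a mode-600 temp
# file (-y) so it never shows in the process list; -ZZ requires StartTLS so the simple
# bind is not sent in clear. The bind account is given in UPN form for AD.
list_child_ous() {
    local server="$1" basedn="$2" bind_user="$3" bind_pass="$4" pwfile out
    pwfile=$(mktemp) || return 1
    chmod 600 "$pwfile" && printf '%s' "$bind_pass" > "$pwfile"
    out=$(ldapsearch -LLL -x -ZZ -H "ldap://$server" -D "$bind_user" -y "$pwfile" \
          -b "$basedn" -s one '(objectClass=organizationalUnit)' ou)
    local rc=$?
    rm -f "$pwfile"
    [ "$rc" -eq 0 ] || return 1               # an LDAP error must not look like a leaf OU
    printf '%s\n' "$out" | ldif_ou_names
}

# Newline-separated names on stdin -> AppleScript list literal {"a", "b"}, one element per
# name so spaces survive. Names containing quotes or backslashes are rejected, not escaped.
applescript_list_literal() {
    local out="" ou
    while IFS= read -r ou; do
        [ -n "$ou" ] || continue
        case $ou in *\"*|*\\*) echo "unsupported character in OU name: $ou" >&2; return 1 ;; esac
        out="${out:+$out, }\"$ou\""
    done
    printf '{%s}' "$out"
}

# Show the list with "choose from list" and print the chosen name; fails if cancelled.
# When the policy runs as root, the dialog must be routed to the logged-in user's
# session (see mm2270's caveat); that plumbing is left out here.
choose_ou() {
    local literal
    literal=$(applescript_list_literal) || return 1
    osascript -e "set pick to choose from list $literal with prompt \"Select the OU to bind to\"" \
              -e 'if pick is false then error number -128' -e 'item 1 of pick'
}

BIND_HERE="(bind to this OU)"

bind_to_ad() {
    local domain="$1" ou_dn="$2" bind_user="$3" bind_pass="$4"
    /usr/sbin/dsconfigad -add "$domain" -computer "$(scutil --get LocalHostName)" \
        -username "$bind_user" -password "$bind_pass" -ou "$ou_dn" -force
}

main() {
    # Jamf passes mount point, computer name and user as $1-$3; script parameters start
    # at $4. Assumed layout: $4 domain, $5 DC host, $6 bind account (UPN), $7 password.
    local domain="${4:?domain}" server="${5:?dc host}" bind_user="${6:?bind account}" bind_pass="${7:?bind password}"
    local basedn current path="" children choice
    basedn=$(domain_to_basedn "$domain"); current="$basedn"
    while :; do
        children=$(list_child_ous "$server" "$current" "$bind_user" "$bind_pass") || exit 1
        [ -n "$children" ] || break           # leaf OU: nothing further to drill into
        choice=$({ [ -n "$path" ] && printf '%s\n' "$BIND_HERE"; printf '%s\n' "$children"; } \
                 | choose_ou) || { echo "cancelled" >&2; exit 1; }
        [ "$choice" = "$BIND_HERE" ] && break
        path="${path:+$path/}$choice"; current="ou=$choice,$current"
    done
    [ -n "$path" ] || { echo "no OU chosen" >&2; exit 1; }
    bind_to_ad "$domain" "$(ou_path_to_dn "$path" "$basedn")" "$bind_user" "$bind_pass"
}

# Only run the interactive flow when the Jamf parameter set is present.
if [ "$#" -ge 7 ]; then main "$@"; fi
```

Because each OU name travels as its own argument and its own AppleScript list element, "Mac Labs" is one selection, which is the failure the underscore workaround was covering for. The DN builder reproduces the DomainC value from the post above for the path computers/mac, and it runs offline; the ldapsearch, osascript and dsconfigad calls only fire when the script is invoked with all seven parameters on a Mac.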