AD Binding strategies with Jamf Cloud when Mac is not connected to an internal corporate network

Contributor III

I don’t want this thread to turn into a discussion about the merits of binding to AD or not binding to AD. Let’s assume an organization has a legit need to bind to AD (802.1x EAP-TLS for instance).

Jamf Cloud (or a DMZ JSS) gives us the ability to deploy Mac systems when they are not connected to an internal corporate network.

Binding to AD is often part of a deployment process. However, if the system is not connected to an internal corporate network, that step may fail.

The obvious answer is to wait until the system is connected to the internal network, then bind to AD.

How are you dealing with this? Have you designed a super slick way to know when the system is on the internal corporate network, and then an AD bind policy automagically runs?

Tell us all about it. :-)


Contributor III

Not super slick, we just have it in self service to be run when on the network. I don't think this is the best way, but it does work every time, and a user/tech only has to do it once per client.

Contributor II

If your internal network has a definitive IP address range you can create a smart group to have a policy to run only on machines that have a specific IP address. So whenever they are connected to your internal network, after they check-in they will attempt to bind. We've handled some printer installs this way.
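As an added illustration (not code from any poster in this thread): a Jamf policy pre-flight script that enforces the same IP-range condition locally at run time, so a bind attempt is skipped rather than failed when the smart group was built from a stale inventory IP. It assumes a hypothetical corporate range passed in as Jamf script parameter $4; the CIDR values shown are placeholders.

```bash
#!/bin/bash
# Pre-flight for an AD bind policy: exit 0 only when the Mac's primary IPv4
# address lies inside the corporate range, so Jamf can chain the bind step.
# Jamf passes mount point, computer name and username in $1-$3; the CIDR
# (placeholder, e.g. 10.20.0.0/16) is expected as script parameter $4.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 when $1 (IPv4) lies inside $2 (CIDR such as 10.20.0.0/16), else 1.
ip_in_cidr() {
  local ip="$1" cidr="$2"
  local net="${cidr%/*}" bits="${cidr#*/}"
  local mask
  mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# IPv4 of the interface carrying the default route (macOS route/ipconfig).
current_ipv4() {
  local iface
  iface=$(route -n get default 2>/dev/null | awk '/interface:/{print $2}')
  [ -n "$iface" ] && ipconfig getifaddr "$iface" 2>/dev/null
}

# Return 0 when the current address is inside the corporate CIDR in $1.
on_corporate_network() {
  local ip
  ip=$(current_ipv4) || return 1
  [ -n "$ip" ] && ip_in_cidr "$ip" "$1"
}

# Only gate when Jamf supplied the CIDR parameter; otherwise just define functions.
if [ -n "${4:-}" ]; then
  if on_corporate_network "$4"; then
    echo "On corporate network ($(current_ipv4) in $4); proceeding with AD bind."
    exit 0
  fi
  echo "Not on corporate network (range $4); skipping AD bind for now."
  exit 1
fi
```

An address inside the range is a heuristic, not proof of being on the corporate LAN (VPN or overlapping home ranges can match), so treat it as a gate on when to attempt the bind, not as the bind's security control.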