Can't bind until connected

k3vmo
Contributor II

We're moving off this to Jamf Connect, however I have continue binding for at least the next quarter.

The device must exist in AD - part of the requirement to get past ISE on the internal wired & wireless network.

The org runs a hybrid setup with on-prem AD syncing to Azure.

Can't bind in prestage because it can't reach the controllers since the computer is off-net.

We have situations where the bind policy fails on the first runs - because the device hasn't yet connected to the VPN. Once per computer with rerun on failure.

Configuration profile throws errors because it can't bind with the system off-net.

I'm over thinking this and can't find a way to effectively bind a new out of box system.

I appreciate any input.


sdagley
Esteemed Contributor II

@k3vmo When my org still needed to bind Macs to AD my approach was to use two policies to drive the binding process (our network topology prevents using a Network Segment restriction to limit a binding policy from running if a Mac wasn't on the internal network which would have been the "easy" way):

Policy 1 was a Bind policy and used a custom trigger (e.g. DoADBind)

Policy 2 ran a script that checked to see if an internal only server was accessible, and if so it ran the command "jamf policy -event DoADBind" to trigger the bind

Bol
Valued Contributor

Very similar for me, my enrolment complete would check for a domain controller then proceed to call the policy by custom trigger event. If not, wait for device to be back on site before trying.

Enrollment complete policy
ping -c 1 mydc.domain.internal &> /dev/null && jamf policy -event ADbind || echo "Not on site for AD bind."

ADbind policy
Scoped Startup / AD Not Bound / Limited by internal network segments. When complete:
/usr/bin/touch /Library/Application\ Support/JAMF/Receipts/EnrolmentADBind.pkg
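A fuller version of the "check first, then fire the bind trigger" gate that sdagley and Bol describe, as an added example and not either poster's own script. It assumes placeholder values for the DC host, LDAP port, custom trigger name and receipt path (taken from Jamf script parameters $4 to $6 or defaulted), probes the DC over TCP instead of ICMP (ping is often blocked across a VPN), and exits non-zero while off-net so a policy set to retry on failure simply runs again at the next check-in.

```bash
#!/bin/bash
# Added example (not from the thread). Assumed placeholders: DC host/port,
# custom trigger name and receipt path; Jamf passes script parameters from $4.
DC_HOST="${4:-dc01.corp.example}"
DC_PORT="${5:-389}"
TRIGGER="${6:-DoADBind}"
RECEIPT="/Library/Application Support/JAMF/Receipts/EnrolmentADBind.pkg"
JAMF_BIN="/usr/local/bin/jamf"

# Returns 0 if dsconfigad already reports an AD domain (the Mac is bound).
already_bound() {
  /usr/sbin/dsconfigad -show 2>/dev/null | grep -q "Active Directory Domain"
}

# TCP probe of the DC's LDAP port with a timeout. ICMP is often blocked over
# VPN, so a port check is a better "on-net" signal than ping.
dc_reachable() {
  local host="$1" port="$2" timeout_s="${3:-3}" rc
  ( exec 3<>"/dev/tcp/${host}/${port}" ) 2>/dev/null &
  local probe=$!
  ( sleep "$timeout_s"; kill "$probe" 2>/dev/null ) &
  local watchdog=$!
  wait "$probe" 2>/dev/null; rc=$?
  kill "$watchdog" 2>/dev/null || true
  return "$rc"
}

# Policy outcome for a given state: bound -> record receipt, bind -> fire the
# trigger, defer -> exit 1 so a "retry on failure" policy tries again later.
decide_action() {
  local bound="$1" reachable="$2"
  if [ "$bound" = "yes" ]; then echo "bound"
  elif [ "$reachable" = "yes" ]; then echo "bind"
  else echo "defer"; fi
}

main() {
  local bound=no reachable=no
  already_bound && bound=yes
  dc_reachable "$DC_HOST" "$DC_PORT" 3 && reachable=yes
  case "$(decide_action "$bound" "$reachable")" in
    bound) echo "Already bound; recording receipt."; touch "$RECEIPT" ;;
    bind)  echo "DC reachable; triggering $TRIGGER."; "$JAMF_BIN" policy -event "$TRIGGER" ;;
    defer) echo "DC unreachable (off-net or VPN down); deferring."; exit 1 ;;
  esac
}

# Run the workflow only where the jamf binary exists (i.e. on a managed Mac).
if [ -x "$JAMF_BIN" ]; then main "$@"; fi
```

Scope the policy that runs this script to unbound Macs with "Once per computer" and "Retry on failure", and keep the bind itself in the separate policy that listens for the custom trigger.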

mojo21221
Contributor II

Not sure how you have ISE verifying the device in AD. But I have seen in the past that you could (from AD Users and Computers) add a new computer to the OU that the Mac would be bound to. Then as long as the Mac has the correct cert it will meet ISE requirements. You could also get fancy and use the Jamf API to create a list of devices in Jamf, then leverage a PowerShell script to import those computer names into AD.