Posted on 01-25-2022 05:04 PM
Hi All-
A few moving parts in this that I thought I would open for suggestions, experience.
We are migrating our AD forest...the whole thing...to a whole new AD forest and domain.
As part of this project I would like to no longer bind our Macs to AD, use the Apple SSO extension, all of which requires a change of the account type from Mobile to standard/local.
Has anyone done the move from mobile to local accounts without incident? I am thinking of certs breaking...or any other anomalies that come with that change.
I know this is a big wide open subject, but any two...or one...cents to help out would be appreciated. I've also engaged Apple in the discussion, but thought I would ask here.
TIA,
doug
Posted on 01-26-2022 01:01 AM
Hi @Dougvo ,
Check out my response in this thread:
https://community.jamf.com/t5/jamf-pro/covert-mobile-account-to-local-account-cautions/m-p/252883
Regarding the Kerberos SSO extension, you can check out this link:
https://macos.it-profs.de/kerberos-sso-in-enterprise/
Posted on 01-26-2022 01:05 AM
This guide is a bit older but contains some useful information about the Kerberos SSO Extension from Apple:
https://hcsonline.com/images/PDFs/Jamf_Kerberos.pdf
Posted on 01-26-2022 01:58 PM
I'm in a similar boat to you, about to kick off my conversions. I had help from Apple Professional Services. They offered some best practices and conversion scripts that look to do the trick. It might be worth investigating if you could engage them for a little bit, though I understand that costs money. It wasn't the main topic of our engagement, but it was a good side-convo. I'd done most of the pre-work but they walked through the few questions I'd had and double-checked my work for Kerberos SSO.
They did mention that @rtrouton's conversion scripts also could have been used - check his blog out if you haven't already at https://derflounder.wordpress.com