Skip to main content
Question

Change accounts from Mobile to Standard with no AD bind

  • January 26, 2022
  • 3 replies
  • 65 views
D
Forum|alt.badge.img+2

Hi All-

A few moving parts in this that I thought I would open for suggestions, experience.

We are migrating out AD forest...the whole thing...to a whole new AD forest and domain.

As part of this project I would like to no longer bind our Macs to AD, use the Apple SSO extension, all of which requires a change of the account type from Mobile to standard/local.

Has anyone done the move from mobile to local accounts without incident? I am thinking of certs breaking...or any other anomalies that come with that change.

I know this is a big wide open subject, but any two...or one...cents to help out would be appreciated. I've also engaged Apple in the discussion, but thought I would ask here.

TIA,

doug

    3 replies

    pkleiber
    Forum|alt.badge.img+9
    • pkleiber
    • Contributor
    • January 26, 2022

    Hi @Dougvo ,

    check out my response in this thread:
    https://community.jamf.com/t5/jamf-pro/covert-mobile-account-to-local-account-cautions/m-p/252883

    Regarding the kerberos SSO extension you can checkout this link:
    https://macos.it-profs.de/kerberos-sso-in-enterprise/

    pkleiber
    Forum|alt.badge.img+9
    • pkleiber
    • Contributor
    • January 26, 2022

    This guide is a bit older but contains some useful information about the Kerberos SSO Extension from Apple:
    https://hcsonline.com/images/PDFs/Jamf_Kerberos.pdf

      easyedc
      Forum|alt.badge.img+16
      • easyedc
      • Esteemed Contributor
      • January 26, 2022

      I'm in a similar boat to you, about to kick off my conversions.  I had help from Apple Professional Services. They offered some best practices and conversion scripts that look to do the trick.  It might be worth investigating if you could engage them for a little bit, though I understand that costs money.  It wasn't the main topic of our engagement, but it was a good side-convo. I'd done most of the pre-work but they walked through the few questions I'd had and double checked my work for Kerberos SSO. 

      They did mention that @rich.trouton's conversion scripts also could have been used - check his blog out if you haven't already at https://derflounder.wordpress.com 

        Terms & ConditionsCookie settingsAccessibility statement