I was wondering if anyone could clarify what should be written when setting up AD binding for DEP for the following fields:
I am presuming it would be something like this:
OU=OSX Devices,OU=OU NAME,DC=domain,DC=moredomain,DC=local
So, the question here is where are you looking to setup AD binding? In management settings, or within a prestage enrollment?
I have found way more success, and more consistent success, configuring AD in the prestage enrollment settings as opposed to from management settings.
Create/edit a prestage enrollment > click "Directory" in left toolbar > click "configure" > Select Active Directory from pull down > enter directory server hostname > enter username and credentials that are able to perform AD binding (here it is VERY useful if you have an account that has a password that never needs changed. In my organization, passwords are required to change every 90 days, but we have a service account set up for this express purpose with a password that never expires) > client ID is blank.
As for what you should put in the OU field, find an unbound machine, open directory services, then start manually binding machine. When you get to the area where you have to authenticate to bind, you'll get a box asking for username, password, and OU. Just copy the contents of the OU box and paste that into the OU field within the JSS.
Then, configure your UX settings as you wish.
I wanted to bump this as we could also use some clarification on these new settings, specifically the 'Client ID' setting. Is this a field that can be used to configure the name with which the computer binds to the domain? Overall the process works well, however it would be great if we could bind with something other than the DHCP assigned name.
For me DEP computer naming is broken or is not working as I expect. My expectations are to, assign the computer name(s) based on the CLIENT ID, have the user login with their domain account and receive a standard mobile account, and add a domain admin account that can prevision secure tokens to accounts on the computer.
In my current workflow I use a 3 character (site name), a dash, and the computer's serial number. My expirations are, this CLIENT ID is used for the computer's; Active directory computer object, LocalHostName, ComputerName, HostName, and NetBIOSName.
A requirement in our active directory environment is to create computer objects in our active directory OU before the device is bound to active directory.
In testing this I have used the following in my PreStage Enrollments, Directory;
This will is working, sort of. On the computers first use, the computer binds to active directory, using the existing computer object in active directory based on the CLIENT ID setting (three letter site name, a dash, and the computer serial number). Then the user is asked for their domain login & password, in this example the user name is "it_admin". The IT staff logins in during setup so the admin account that is created is our shared admin account and the user is not provisioned with an admin account. This also gives us the admin account required to provide secure tokens to other account that are added to the computer.
I expected all of the "Computer names" to be set to the Client ID, in this example, sur-C02T152XK29. The Problem is the computer names are being set with the users login+computer model, In this example it's using it_admin's MacBook Air or a variation depending on the name schema. Because we are suing this shared account the a variation of the computer name is being deployed over and over again.
Active Directory Computer Object:sur-C02T152XK29
Mac Bonjour Name LocalHost:it_admins-MacBook-Air
Mac Computer Name:it_admin’s MacBook Air
Mac Host Name:it_admin’s
Net Bios Name:IT_ADMIN'S MACB
I'm getting these names from the computer with the following commands;
Mac Bonjour Name LocalHost: scutil --get LocalHostName
Mac Computer Name: scutil --get ComputerName
Mac Host Name: scutil --get HostName
Net Bios Name:defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server NetBIOSName
Is there something I'm overlooking? Should I not expect the "all" the computers to be set to the client ID? Any suggestion on an alternative work flow that will still allow me to;
1. bind with a predefined computer objects in our active directory OU
2. set the Active directory computer object, LocalHostName, ComputerName, HostName, and NetBIOSName to the same or similar name.
3. Create the setup user (custodian) with a standard (mobile) account (with a secure token)
4. Create an IT admin mobile account with a secure token and the ability to create a secure token for other users.
5. Have the custodian be able to unlock & boot the FileVaulted device
6. Have an IT admin domain account be able to unlock & boot the FileVaulted device