Could someone explain what the following payload settings mean? (Configuration Profiles -> Login Window)

scentsy
Contributor

Thank you in advance for helping =)
I'm trying to understand each option under the payload "Login Window"

Local-only users may log in <-- what does that mean?
Local-only users use available workgroup settings <-- what does that mean?
Ignore workgroup nesting <-- what does that mean?
Combine available workgroup settings <-- what does that mean?
Always show workgroup dialog during login <-- what does that mean?

Thank you very much.


bmarks
Contributor II

These become applicable if your Macs are bound to directory services (Active Directory, Open Directory, etc.) Is that the case in your environment?

scentsy
Contributor

Yes, we use Active Directory.

I would like to know what would happen if I uncheck the "Combine available workgroup settings" option. I don't have a test environment.

Please let me know if you have experience with best recommendations for Macs that are bound to AD.

Thank you.

chris_kemp
Contributor III

FWIW, our Macs are bound to AD & we have the same settings you have there. I don't know for sure, but I assume that combining workgroup settings means that it would honor those coming from AD as well as the JSS - we only set password policy on AD for the Macs, so I'm not sure what the ramifications are.

If you have a test machine to work with, though, you can simply scope the Profile to that machine & see what its behavior is (and if you don't have a test machine, you'd better get one - I can't imagine trying to manage a JSS without at least something to test things on!)

msnowdon
Contributor

@scentsy Did you ever find out what those settings did exactly? I was trying to troubleshoot something when I came across those settings. I wasn't sure if "combining available workgroup settings" was necessary since we are bound to AD but not Open Directory. AD policies shouldn't have any effect on Macs as far as I know.

Thanks

Mark

scentsy
Contributor

@msnowdon Sorry for the late response... short answer: no.

I did a test, and when I have "Combine available workgroup settings" unchecked, (I think) the permissions on the systems get overwritten.

For example, the AD name is "usertest".
I have a MacBook already enrolled with our JSS, we are using AD accounts, and when I uncheck "Combine available workgroup settings", the "usertest" account permissions get overwritten and I have to manually change the permissions.

I did various tests on unchecking and checking the following options under payload = Login Window -> Access -> User Server:

Local-only users may log in

Local-only users use available workgroup settings

Ignore workgroup nesting

Combine available workgroup settings

Always show workgroup dialog during login

The only option that seems to be messing with the permissions is "Combine available workgroup settings". That's why that's now the only option I have checked under "Access".

msnowdon
Contributor

@scentsy Thanks for your results. I had also asked my account rep and was told:

"Mark, That is correct, it would only matter if you are applying settings from another type of management software. So the box is not relevant to you. The default setting is to combine the settings as it doesn't affect if only using one.

Let us know if you have any other questions.

Shane
JAMF Support"

But if it's messing up permissions, then I'm just going to keep it selected.

Thanks