Convert Mobile Account to Local Account Cautions

Eskobar
Contributor

Hello, 

I would like to push a policy to unbind machines and convert them to local ones. I am wondering what can go wrong!

1) Should the user retype his password?

2) Will FileVault still be syncing?

3) Should the user back up his data before running the job?

4) Will the asset keep the same ID in Jamf Pro? "must still be managed by the MDM".

5) Is the user going to lose his preferences?

I made some attempts that ended up affecting some of these functionalities.

Any way to make it happen with respect for these requirements?

P.S.: we do not use NoMAD.

1 ACCEPTED SOLUTION

pkleiber
Contributor

Hi @Eskobar 

We use this solution described in this article:
https://www.matgriffin.com/macos/mobile-to-local-the-silent-way/ 

The Macs we converted from Mobile to local account had FV2 activated. After the described reboot, the users were able to login again and had no issues with FV2.

As you only convert your account, your steps 1-5 don't matter, as far as I understand.

You don't have to use NoMAD Login afterwards. But you should think about a strategy to maybe keep the local passwords in sync. For example, we use the Apple SSO Extension to keep local account passwords in sync with Active Directory:

https://www.apple.com/business/docs/site/Kerberos_Single_Sign_on_Extension_User_Guide.pdf

6 REPLIES

junjishimazaki
Valued Contributor

Hi Eskobar. I think the answer to your question will depend on how you are implementing the user account conversion from a mobile account to a local account. If you can provide more details on how you are accomplishing that, it will help us answer your question.

peterlbk
Contributor

Like @junjishimazaki said, you need to specify a bit more what you would like to accomplish.

Eskobar
Contributor

Hi @pkleiber ,

Thanks so much for the links. Things went smoothly/instantly, like magic.

I performed several tests and everything is okay except one:

I cannot push configuration profiles at "User Level". The config is stuck in pending status.

If manually downloaded/installed: ok. Clear failed/pending configs and try again: same.

Any idea how to fix it?

pkleiber
Contributor

Hi @Eskobar, can you detail what kind of configuration profile you want to push?
Can you explain what you mean by "User Level"?

We scope configuration profiles mostly to smart groups which contain specific computers or All Computers.

I did some research:

https://docs.jamf.com/10.28.0/jamf-pro/administrator-guide/MDM-Enabled_Local_User_Accounts.html

https://community.jamf.com/t5/jamf-pro/mdm-capable-users-how-to-add/td-p/151410

Maybe this will help 🙂

Eskobar
Contributor

Hi @pkleiber 

After unbinding and converting mobile to local:

I have 2 MDM-capable users in Jamf.

I have a policy that I want to "apply at User Level".

The 2nd screenshot is only for reference: "see users profiles" in the left payload.

The account I bound is still admin/MDM capable already but cannot receive config profiles:

- Jamf status: pending.

- Config profile download & manual install: ok

- Cancel & re-push the config: same pending. Weird.