Dealing with Mobile Accounts after Un-enrolling Machine and Un-binding

New Contributor II

Hi everyone,

I work in a school, previously we haven't made a concerted effort to remove school applications, settings, management software etc from a students laptop once they finish, so I'm hoping to change that this year.

I'm currently looking for the best way of dealing with mobile accounts (as every student has one they use on their machine) after unbinding the machine from AD. Is it safe to let the students continue using their mobile account or will be there issues in the future (such as if they wanted to change the password?)

I've come up with a solution to create a local account as well. However it's then just a process of transferring the data across and advising the student on the process.

This cannot be a manual process because it'll become way to time consuming. Any advice on best practice or procedures would be great!



Honored Contributor II
Honored Contributor II

A mobile account with no connection to AD is really similar to a local account, but i would worry about all of the extra attributes and references to AD in the local user record afterwards.

I would go for switching them to a local account.

The process could be fully automated with these steps:

  1. Unbind from AD using dsconfigad -r...
  2. Delete the local cached account either with sysadminctl if it can, or by removing the local user account plist file and associated password files
  3. Create a new local account, I would use sysadminctl so you can script it and use a variable for the user name from the previous steps
  4. Reset the ownership of the home folder with chown -R username /Users/username

The only caveats would be:

  • You would need to reset the users password so you can set it when you create the new local account. I would probably make it something unique to them via a calculation. Before unbinding, you could read a few values from AD and make it something like "lastname-classnumber"
  • You will need to address keychain errors when the user next logs in as the password wont match. You could either delete it as part of the above process, or provide them with some instructions on what to do.

Hope this helps!

New Contributor II

Thanks for the response @davidacland .

Is there any chance of being able to do any of those steps when the user is logged in. I'm planning on making this policy available in Self Service so the students can run the process themselves.

My current thinking is that I'll have a prompt to create the local account and transfer all the data from the mobile account (except for the library folder) across to the new account. Once the process is finished I'll prompt the user to switch accounts. If I have some smarts in there I could place a launch item to remove the old mobile account once the new local user logs in. The only lost item would be the library folder.

Does this sound like a possibility?