- Jamf Nation Community
- Products
- Jamf Pro
- Dealing with Mobile Accounts after Un-enrolling Ma...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Dealing with Mobile Accounts after Un-enrolling Machine and Un-binding
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-12-2016 06:37 PM
Hi everyone,
I work in a school, previously we haven't made a concerted effort to remove school applications, settings, management software etc from a students laptop once they finish, so I'm hoping to change that this year.
I'm currently looking for the best way of dealing with mobile accounts (as every student has one they use on their machine) after unbinding the machine from AD. Is it safe to let the students continue using their mobile account or will be there issues in the future (such as if they wanted to change the password?)
I've come up with a solution to create a local account as well. However it's then just a process of transferring the data across and advising the student on the process.
This cannot be a manual process because it'll become way to time consuming. Any advice on best practice or procedures would be great!
Thanks!
Labels:
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-13-2016 12:33 AM
A mobile account with no connection to AD is really similar to a local account, but i would worry about all of the extra attributes and references to AD in the local user record afterwards.
I would go for switching them to a local account.
The process could be fully automated with these steps:
- Unbind from AD using
dsconfigad -r... - Delete the local cached account either with
sysadminctlif it can, or by removing the local user account plist file and associated password files - Create a new local account, I would use
sysadminctlso you can script it and use a variable for the user name from the previous steps - Reset the ownership of the home folder with
chown -R username /Users/username
The only caveats would be:
- You would need to reset the users password so you can set it when you create the new local account. I would probably make it something unique to them via a calculation. Before unbinding, you could read a few values from AD and make it something like "lastname-classnumber"
- You will need to address keychain errors when the user next logs in as the password wont match. You could either delete it as part of the above process, or provide them with some instructions on what to do.
Hope this helps!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-13-2016 10:53 PM
Thanks for the response @davidacland .
Is there any chance of being able to do any of those steps when the user is logged in. I'm planning on making this policy available in Self Service so the students can run the process themselves.
My current thinking is that I'll have a prompt to create the local account and transfer all the data from the mobile account (except for the library folder) across to the new account. Once the process is finished I'll prompt the user to switch accounts. If I have some smarts in there I could place a launch item to remove the old mobile account once the new local user logs in. The only lost item would be the library folder.
Does this sound like a possibility?
Thanks!
