DEP, AD Mobile Accounts, Secure Tokens, File Vault Encryption and You.

tangoadmin
New Contributor

My goal is to leverage DEP and JAMF to seamlessly allow AD logon. We cannot get to a point where we can get an AD Mobile account on to a machine to pass a secure token to in a hands-off fashion. The last conversation with JAMF centered around Apple's best practice docs stating only the GUI First Time Setup account properly receives a secure token; with this in mind we updated our setup process and delay File Vault Encryption to "Current or Next User".

DEP Deployment Process:
1. Power On Mac
2. Ensure Remote Management Connection (AD Binding, FF Profile, MDM Profile, Application Delivery etc.)
3. Complete Setup Process, creating a GUI-created administrative account
4. Log out of the GUI admin account and in as the Mobile Active Directory User
Error!
5. The request for a secure-token-enabled account now appears, but using the GUI-created admin account fails with a "password shake" failure. I assume because of FV encryption.

Biggest issue seems to be there isn't a way to properly delay FV encryption to allow a mobile account to access the disk.

The conversation with JAMF has moved to "Apple is moving away from Mobile Accounts", we use Nomad at JAMF etc. We could delay File Vault Encryption, manually adding the machine later, but that defeats the purpose of JAMF.

I'm hoping some Admins in larger orgs catch this and are kind enough to share their deployment process and/or get some suggestions from the community. We have not looked at additional third-party software products at this time.

Thanks in advance,
Erick
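One check that helps narrow down where the process above breaks is to verify, before step 4, which accounts actually hold a SecureToken and which are FileVault-enabled users. The script below is an added example, not part of the original post or of any Jamf workflow; it parses the output of Apple's `sysadminctl -secureTokenStatus` and `fdesetup list` commands and only calls the live tools on macOS. The sample command output embedded in it is constructed, the exact wording of the `sysadminctl` status line is assumed from its documented behaviour, and the optional grant step assumes the `-password -` / `-adminPassword -` prompt flags that `sysadminctl -secureTokenOn` accepts.

```shell
#!/bin/sh
# Added example (not from the original post): report SecureToken and
# FileVault state for an account so the hand-off can be verified before
# the AD mobile user first logs in.

# Parse the single line that `sysadminctl -secureTokenStatus <user>` prints
# (to stderr), e.g.
#   "2019-01-15 10:21:03.123 sysadminctl[512:9876] Secure token is ENABLED for user jdoe"
# Prints ENABLED, DISABLED or UNKNOWN.
parse_secure_token_status() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# Parse `fdesetup list` output ("shortname,GeneratedUID" per line, needs root)
# and print yes/no depending on whether the user is a FileVault-enabled user.
fv_enabled_for_user() {
  user="$1"
  list="$2"
  printf '%s\n' "$list" | awk -F, -v u="$user" \
    '$1 == u { found = 1 } END { print (found ? "yes" : "no") }'
}

# Combine both answers into one status line: "user SecureToken=X FileVault=Y".
report_line() {
  user="$1"
  token_line="$2"
  fde_list="$3"
  printf '%s SecureToken=%s FileVault=%s\n' "$user" \
    "$(parse_secure_token_status "$token_line")" \
    "$(fv_enabled_for_user "$user" "$fde_list")"
}

# Constructed sample output (assumption: not captured from a real Mac).
SAMPLE_TOKEN_LINE='2019-01-15 10:21:03.123 sysadminctl[512:9876] Secure token is DISABLED for user jdoe'
SAMPLE_FDE_LIST='localadmin,3A1F0000-0000-0000-0000-000000000001'

# Live check: only meaningful on macOS, run as root so `fdesetup list` works.
live_report() {
  user="$1"
  token_line=$(sysadminctl -secureTokenStatus "$user" 2>&1)
  fde_list=$(fdesetup list 2>/dev/null)
  report_line "$user" "$token_line" "$fde_list"
}

# Optional remediation once a token holder is known: grant a token to the
# mobile account. Both `-` arguments make sysadminctl prompt for the passwords
# interactively instead of taking them on the command line (assumed flags).
grant_token_interactive() {
  target="$1"
  admin="$2"
  sysadminctl -secureTokenOn "$target" -password - \
              -adminUser "$admin" -adminPassword -
}

# Stand-alone usage on a Mac:  sudo sh secure_token_check.sh <shortname>
if [ "$(uname)" = "Darwin" ] && [ "$#" -ge 1 ]; then
  live_report "$1"
fi
```

Run it against the GUI-created admin first and then against the mobile account after its first login; if the admin reports `SecureToken=ENABLED` but the mobile user reports `DISABLED` and `FileVault=no`, the token hand-off, not the AD bind, is the step that failed.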

1 REPLY

Scotty
Contributor

Did you ever get a process going? I'm in the same boat; we need to use AD accounts for now, NOMAD is not yet an option. 10.14.2 seems to have helped the SecureToken issues, but we're still ironing out the deployment process.