DEP prestage + Mojave + Directory bind issue

SteveC
New Contributor III

Using DEP enrollment with Mojave, domain bind, and "skip account creation" at enrollment results in not being able to log in to a domain account, because the login text fields are hidden as long as the device can communicate with the domain controller (the text fields reappear if there is no DC connectivity).

This can be worked around by installing a configuration profile that sets the login window to display name and password. I'm not really sure what the best way to work around this is for now, since I don't want to control these settings for most users; probably something like adding the device to an exclusion list after the AD user has logged in (or based off standard software all devices will have installed). I'm open to suggestions on a better way to do that.

Issue does not appear in High Sierra.

6 REPLIES

summoner2100
Contributor

I don't do auto-binding in my DEP enrollments, because we use a custom naming style that I haven't got working automatically yet, so it's done via a script.

But I have seen this a couple of times (pre-Mojave). Are you pushing a local account to the machine during PreStage, and are you making it hidden? I've done that before when I was testing, and every time I hid the local admin account, it prompted with no login boxes. I had to get around it using the shortcut keys to get it to prompt.

As soon as I stopped hiding it, the problem stopped. This is a good thing to keep an eye on, though, as I do more trialling with Mojave installs.

tnielsen
Valued Contributor

I would suggest you scrap using Directory Bindings and just use a script after the fact. Email me if you have questions. I really don't feel like typing out all my reasoning right now; there are numerous reasons.
212.251.1211

sshort
Valued Contributor

While I haven't seen this exact issue, if you're skipping user account creation with AD, I've found that odd login/FV/SecureToken issues in High Sierra and Mojave are resolved by having the (hidden) Jamf management account create an additional (non-hidden) admin user in the PreStage.

mconners
Valued Contributor

For our DEP and AD binding, we have created an exclusion smart group, and any Mac that is enrolled without the correct name (I believe we have 11 different possibilities) doesn't get bound. We then have a name-change policy that runs at check-in: when the Mac shows up, we change the name in the JSS, the Mac checks in, the name gets changed, and then it is bound to AD. It works with Mojave and High Sierra.

chris_miller
Contributor

As mentioned above, we also script renaming and AD bindings after pre-stage.

Look
Valued Contributor III

I'm with @tnielsen: there are a number of issues with configuration-based AD binding that haven't really been addressed by Apple and/or Jamf, so we currently use a post-DEP script as well (we also like to name the computers from a database).
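As an added example (not code from any of the posters, and not Jamf's or Apple's), here is the shape of the post-enrollment script that tnielsen, mconners, chris_miller and Look describe: rename first, refuse to bind anything outside the approved naming scheme (the "exclusion" step), bind with dsconfigad, and only then write the login-window setting from SteveC's workaround so unbound Macs are left alone. The naming pattern, the meaning given to policy parameters $4 through $8, and the domain/OU values are assumptions for illustration; the script dry-runs (prints instead of executing) wherever dsconfigad is absent or DRY_RUN=1 is set, so the naming logic can be exercised off a Mac.

```shell
#!/bin/bash
# Post-enrollment rename + AD bind for a Jamf policy (constructed example).
# Jamf passes $1 mount point, $2 computer name, $3 username; $4 and up are the
# parameters configured on the policy. The meaning assigned to $4-$8 here is
# this example's own assumption, not a Jamf convention.
set -eu

AD_DOMAIN="${4:-}"            # e.g. ad.example.com (assumed)
AD_OU="${5:-}"                # e.g. OU=Macs,DC=ad,DC=example,DC=com (assumed)
BIND_USER="${6:-}"            # delegated join account, not a domain admin
BIND_PASS="${7:-}"            # see the caveat below the block
WANTED_NAME="${8:-${2:-}}"    # name from your database, else the name Jamf passes

# Approved naming scheme, constructed for this example: site code, dash, asset tag.
NAME_PATTERN='^(LAB|STF|MGT)-[A-Z0-9]{3,8}$'

# Exclusion rule: a Mac whose name is outside the scheme is never bound.
valid_name() {
  printf '%s' "$1" | grep -Eq "$NAME_PATTERN"
}

# Clean up whatever a tech or the database supplied: uppercase, spaces to dashes,
# stray leading/trailing dashes removed.
normalize_name() {
  printf '%s' "$1" | tr '[:lower:]' '[:upper:]' | tr -s ' ' '-' | sed 's/^-*//; s/-*$//'
}

# Dry-run when asked, or when this is not a Mac (no dsconfigad on the path).
is_dry_run() {
  [ "${DRY_RUN:-0}" = "1" ] || ! command -v dsconfigad >/dev/null 2>&1
}

run() {
  if is_dry_run; then echo "[dry-run] $*"; else "$@"; fi
}

set_hostnames() {
  for key in ComputerName LocalHostName HostName; do
    run scutil --set "$key" "$1"
  done
}

# dsconfigad -show prints "Active Directory Domain = ..." only on a bound Mac.
already_bound() {
  ! is_dry_run && dsconfigad -show | grep -q 'Active Directory Domain'
}

bind_to_ad() {
  # The password is deliberately kept out of 'run' so a dry run never echoes it.
  if is_dry_run; then
    echo "[dry-run] dsconfigad -add $AD_DOMAIN -computer $1 -ou $AD_OU -username $BIND_USER -password '***' -force"
  else
    dsconfigad -add "$AD_DOMAIN" -computer "$1" -ou "$AD_OU" \
      -username "$BIND_USER" -password "$BIND_PASS" -force
  fi
}

# The workaround from the original post (login window as name and password),
# written only on Macs this script has bound; unbound Macs keep the user list.
show_name_and_password_fields() {
  run defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool true
}

main() {
  name="$(normalize_name "$WANTED_NAME")"
  if ! valid_name "$name"; then
    echo "Name '$name' is outside the approved scheme; leaving this Mac unbound." >&2
    return 1
  fi
  set_hostnames "$name"
  if already_bound; then
    echo "Already bound; skipping dsconfigad -add"
  else
    bind_to_ad "$name"
  fi
  show_name_and_password_fields
  run jamf recon   # refresh inventory so smart groups see the new name and bind state
}

# Act only when the policy supplied a domain; otherwise the functions are just defined.
if [ -n "$AD_DOMAIN" ]; then
  main
fi
```

Two practitioner caveats. The bind account should be a delegated account that can only create and modify computer objects in the target OU, because its password travels as a policy parameter and is visible in the process list for as long as dsconfigad runs; do not use a domain admin here. And if you would rather not write the loginwindow key from a script, a configuration profile carrying the same SHOWFULLNAME key can be scoped to a smart group keyed on the Mac's Active Directory bind status in Jamf inventory, which gives the per-device scoping SteveC was asking about without touching the rest of the fleet.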