Looking for advice,

Currently, all our Mac are bound to AD and they are using EC to manage the password change. I have tasked with getting all our Mac's off the domain and then just having EC.
When testing - I unbind my machine from the domain and then test EC ( Change Password) it fails.
Do I need to have a Config Profile setup to handle the connection? or although im unbinding machines from the domain should I even use EC? and just config a Password Policy?


Are those accounts being converted from Mobile to Local accounts in the process?

@andrew.nicholas - yes they will be moved from Mobile to Local accounts.

When the computers are bound, are you sure EC is working properly? Have you testing changing the password with EC before unbinding?

How are you configuring your EC? Are you creating a config profile from the .Plist and pushing via JSS?

My Mac are being bound during the imaging process. Yes It would fine. For testing - Im taking my already bound mac and removing the domain entry. Then rebooting the mac. Login works fine but when i test ( change Password) via the EC app it fails.
We have the app install and then using a Config profile.

Just to back up a moment, the account you are logging into to do the password change, is that a pure local account from the start, or was it an AD cached mobile account? If it's the latter, has it been properly converted into a local account? There is a real difference between an account that has it's origins in the local domain versus an external domain derived account. If they aren't being properly converted to a true local account I imagine you may see the error you're encountering because the account still believes it belongs to an AD domain. There are keys in the account that you can view with dscl that indicate it's original node was from AD, not the local machine.

How can I create config profile from the Plist and pushing via JSS?