I'm working through some remote support issues for macs, and stuck on this one. Mac is remote, and has to use a VPN to connect to the domain. Normally, after the machine joins the domain (no problem - I connect with the VPN and join) I log off as the local user then login as the domain user. Then I create a mobile account and all's well.
However, because the connection to the VPN drops once the local user is logged out, you can not login as a domain user because it can't look it up on the domain.
With Windows, we get around this issue by using "Change User" which doesn't actually log off the local user and doesn't break the VPN connection to the domain. I don't see how to accomplish this on a Mac, and because we support remote users with Macs, we need to be able to set them up on the domain.
One thing I tried was to create a local account using the domain ID/password, then login with it, connect to the VPN/domain, then tick "mobile account" but for that type of account it does not give a mobile option.
I also tried turning on Fast Switching (users) and selecting 'other user' and trying to log in then, but it won't allow it - apparently that breaks the VPN connection too (or perhaps Fast Switching requires an established account).
Thoughts? We just us OS Catalina
Would it not work to run the Equivalent to "GPupdate /Force" on a Win Machine - which would be "mcxrefresh"
Since the Domain User is known in the Active Directory but not yet on the Client Computer?!
Because it was noted, that a VPN Connection is being used - updating the approved, known Users should make this work, no?
@efil4xiN So, do you have some script that runs to remove that "one time use standard account"? Or, are you saying you are creating a local account with their username, and a dummy password. Then, there's a script to convert it from a local account to a mobile account and then they are prompted to sync their password with AD?
Curious on your workflow. I'm looking into moving to Jamf Cloud. I think once I'm there, then, this will all be a mute point for me. Thanks!
Has anyone ever use the Mac Built-in VPN (VPN Cisco IPSec). Setup Authentication Settings with your ASA Firewall "Share Secret" and Group Name if setup, add Server Address, account Name. I have been using it join computer to domain before installing JAMF while logged on as local admin account. After enrolling to JAMF and installed all our Standard Apps log back in as local admin connect to the Built-in VPN > Logout (using this VPN IPsec stays connected to VPN Network) > Log in to user's domain account.
@strayer liked it as expected this command long time finally found it thanks once again.
i can see one thing if mobile user/AD user logged in after a month user AD account password was changed but still, the machine working with old password is there any chance to check every login and do a reminder to change the password as like?
can help for the script development.
We had to update the script because techs were having issues( I adopted it from the previous admin). I took what we could and made a few updates:
sudo -H -u $ADuser touch /Users/$ADuser/Documents/image.txt
sudo -H -u $ADuser echo "This Mac was Filevaulted on $DATE" > /Users/$ADuser/Documents/image.txt
sudo -H will run as the user in the user's workspace, so just a check to make sure the creds are cached ( and you get a file you could query later)
/usr/bin/dscl . -change /Users/onetimeuselocaluseraccountnamehere UserShell /bin/zsh /sbin/nologin
This will lock the standard account used to login and setup the user AD account on reboot
This now working 100%.
Thank you all for posting this, it's amazing. It did create the account, but does not seem to have generated the secure token as expected so the new account can't log in from the FV screen
% sudo sysadminctl -secureTokenStatus <redacted> Password: 2021-05-21 15:06:02.632 sysadminctl[655:6512] Secure token is DISABLED for user <redacted>