I'm working through some remote support issues for macs, and stuck on this one. Mac is remote, and has to use a VPN to connect to the domain. Normally, after the machine joins the domain (no problem - I connect with the VPN and join) I log off as the local user then login as the domain user. Then I create a mobile account and all's well.
However, because the connection to the VPN drops once the local user is logged out, you can not login as a domain user because it can't look it up on the domain.
With Windows, we get around this issue by using "Change User" which doesn't actually log off the local user and doesn't break the VPN connection to the domain. I don't see how to accomplish this on a Mac, and because we support remote users with Macs, we need to be able to set them up on the domain.
One thing I tried was to create a local account using the domain ID/password, then login with it, connect to the VPN/domain, then tick "mobile account" but for that type of account it does not give a mobile option.
I also tried turning on Fast Switching (users) and selecting 'other user' and trying to log in then, but it won't allow it - apparently that breaks the VPN connection too (or perhaps Fast Switching requires an established account).
Thoughts? We just us OS Catalina
@efil4xiN What I don't understand is if you have the AD users credentials already, you can login as that user and create their account right then and their. In my company, we are not permitted to share credentials, so, this poses a problem for me. I was hoping the script somehow queried AD and pulled the users password in automatically, but, that doesn't seem to be the case here. Or, I'm missing something....
Would it not work to run the Equivalent to "GPupdate /Force" on a Win Machine - which would be "mcxrefresh"
Since the Domain User is known in the Active Directory but not yet on the Client Computer?!
Because it was noted, that a VPN Connection is being used - updating the approved, known Users should make this work, no?
@efil4xiN So, do you have some script that runs to remove that "one time use standard account"? Or, are you saying you are creating a local account with their username, and a dummy password. Then, there's a script to convert it from a local account to a mobile account and then they are prompted to sync their password with AD?
Curious on your workflow. I'm looking into moving to Jamf Cloud. I think once I'm there, then, this will all be a mute point for me. Thanks!
Has anyone ever use the Mac Built-in VPN (VPN Cisco IPSec). Setup Authentication Settings with your ASA Firewall "Share Secret" and Group Name if setup, add Server Address, account Name. I have been using it join computer to domain before installing JAMF while logged on as local admin account. After enrolling to JAMF and installed all our Standard Apps log back in as local admin connect to the Built-in VPN > Logout (using this VPN IPsec stays connected to VPN Network) > Log in to user's domain account.
@strayer liked it as expected this command long time finally found it thanks once again.
i can see one thing if mobile user/AD user logged in after a month user AD account password was changed but still, the machine working with old password is there any chance to check every login and do a reminder to change the password as like?
can help for the script development.
We had to update the script because techs were having issues( I adopted it from the previous admin). I took what we could and made a few updates:
sudo -H -u $ADuser touch /Users/$ADuser/Documents/image.txt
sudo -H -u $ADuser echo "This Mac was Filevaulted on $DATE" > /Users/$ADuser/Documents/image.txt
sudo -H will run as the user in the user's workspace, so just a check to make sure the creds are cached ( and you get a file you could query later)
/usr/bin/dscl . -change /Users/onetimeuselocaluseraccountnamehere UserShell /bin/zsh /sbin/nologin
This will lock the standard account used to login and setup the user AD account on reboot
This now working 100%.
Thank you all for posting this, it's amazing. It did create the account, but does not seem to have generated the secure token as expected so the new account can't log in from the FV screen
% sudo sysadminctl -secureTokenStatus <redacted> Password: 2021-05-21 15:06:02.632 sysadminctl[655:6512] Secure token is DISABLED for user <redacted>
Hello, Hope I might get an answer to this older thread. I've followed the steps above and found success a few months ago, however - I now am running into an issue I can't seem to get around. I'm getting an error when trying to create the mobile account. I'll share the steps I am doing to make this possible.
1. Setup & Connect to VPN
2. Set DNS to company IP and domain
3. Bind to the company domain through Users & Groups
4. Open Terminal and run the below script and get the following error.
For the admin username/password and the 'user to add' username/password, I enter those each in their own quotes due to special characters. Yes, I do not include the '$' in the command either.
sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -a "$adminUser" -U "$adminPass" -n "$userToAdd" -p "$userPass"
I then get prompted with the below and enter a quotation mark
I then get prompted for the admin password, and enter that.. Afterwards, I get the below message.
*** error: "-n username" is a required argument
usage: createmobileaccount -n username [-h homepath] [-P | [-p password]] [[[-a username] [-U password]] | [-D]] [-v] [-V]
-n username : user record name.
-h homepath : user home path; Default is "/Users/<username>".
-p password : user password.
-P : prompt for user password.
-a username : opt SecureToken enabled admin user name.
-U password : opt SecureToken enabled admin user password.
-D : don't prompt for SecureToken enabled admin information.
-v : verbose output.
-V : version.
createmobileaccount -n jsmith
createmobileaccount -v -P -n jsmith
createmobileaccount -vxn jsmith -h /Volumes/HD3/jhome
- createmobileaccount must run as root.
- If you do not specify a password, the account's cached password will be created during the account's first log in.
- On encyrpted APFS volumes, an existing admin SecureToken user name and password is required in order for this account to be used at the EFI login window.
- External accounts are no longer supported as of 10.15.
- The old FileVault encrypted home directory mechanism (using -e) no longer works in 10.13 or later (but was only removed here in 10.15).
I've also tried the command without specifing the userpass (-p) and also tried putting the 'user to add' credentials in front of the admin credentials.
Any advise would be greatly appreciated.