Posted on 07-18-2024 04:03 PM
Hello,
We are transitioning part of our fleet from AD binding to Jamf Connect; however, we have hit an odd snag. In the past, we'd be able to just install Jamf Connect and once the user logged in, it would demobilize their account and sync with their Entra credentials. With this new batch with JC 2.37, the accounts become Local; however, they then get locked. When a user tries to log in with Entra SSO, it loads, looks like it has accepted the credentials but then just returns to the login screen. It does not accept any password with local login as well. One thing to note, the devices are not on premise when the change takes place, if that has any effect. If anyone has seen this and has a fix, it would be much appreciated.
-Jack
Posted on 07-19-2024 05:47 AM
Are the local accounts actually locked? macOS does have the ability to lock an account, and Jamf Pro can see it.
The three things I would check:
Posted on 07-19-2024 08:22 PM
The issue is unrelated to Microsoft/Conditional Access. Other Microsoft accounts are able to log in on the machine, the only accounts facing the issue are ones that have migrated from mobile AD accounts to local.
After resetting the login screen back to default, it claims the account is locked. This is odd, as the account is local at this point. The issue starts when the account becomes local.
Logs weren’t significant/helpful.
The workaround we have found is logging into our IT admin account and setting the user's password to what their Microsoft account is, which then allows them to log in.
Posted on 07-22-2024 01:16 PM
Do you maybe have a more restrictive local password policy than your default AD domain policy? Maybe test running "pwpolicy -clearaccountpolicies" on an affected machine (as a working admin account), then try the local user login again.
Posted on 10-16-2024 05:28 AM
Hi @jsommers, did you find a fix for this problem?
We have the same issue with some of our users. At the moment, we haven't found anything in common between the users/devices with this issue. We have a support case with this problem and the only thing that appears in the logs is this line:
2024-10-11 12:31:24.116539-0300 0xfd15 Error 0x0 4756 0 authorizationhosthelper.x86_64: (JamfConnectLogin) [com.jamf.connect.login:DemobilizeMech] Something went wrong, there is no password in user data context
Before installing JC v2.37 the user had never reported a difficulty with their credentials. Right now we are working to try to get that "user data context" and see what we can find there.
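
For triaging the error quoted above across logs collected from several Macs, here is an added example (not part of the original thread and not Jamf's code) that parses `log show` text output and picks out Error/Fault entries from the `com.jamf.connect.login:DemobilizeMech` category. The line layout is assumed from the single line quoted in the post, and the last two sample lines are constructed.

```python
import re

# Layout assumed from the one line quoted in the thread:
# timestamp thread type activity pid ttl process: (library) [subsystem:category] message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+[+-]\d{4})\s+"
    r"(?P<thread>0x[0-9a-f]+)\s+(?P<type>\w+)\s+(?P<activity>0x[0-9a-f]+)\s+"
    r"(?P<pid>\d+)\s+(?P<ttl>\d+)\s+(?P<process>[^:]+):\s+"
    r"(?:\((?P<library>[^)]+)\)\s+)?"
    r"(?:\[(?P<subsystem>[^:\]]+):(?P<category>[^\]]+)\]\s+)?"
    r"(?P<message>.*)$"
)

def parse_line(line):
    """Return one log line's fields as a dict, or None for headers and continuations."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def demobilize_failures(lines):
    """Collect Error/Fault entries logged under Jamf Connect's DemobilizeMech category."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["subsystem"] == "com.jamf.connect.login"
                and rec["category"] == "DemobilizeMech"
                and rec["type"] in ("Error", "Fault")):
            hits.append(rec)
    return hits

SAMPLE = [
    "Timestamp                       Thread     Type        Activity             PID    TTL",
    # Line quoted in the thread
    "2024-10-11 12:31:24.116539-0300 0xfd15 Error 0x0 4756 0 "
    "authorizationhosthelper.x86_64: (JamfConnectLogin) "
    "[com.jamf.connect.login:DemobilizeMech] Something went wrong, "
    "there is no password in user data context",
    # Constructed: same category, informational level, so not a failure
    "2024-10-11 12:31:20.001000-0300 0xfd15 Default 0x0 4756 0 "
    "authorizationhosthelper.x86_64: (JamfConnectLogin) "
    "[com.jamf.connect.login:DemobilizeMech] constructed informational message",
    # Constructed: error from an unrelated subsystem
    "2024-10-11 12:31:25.000000-0300 0x1a2b Error 0x0 312 0 "
    "exampled: (ExampleLib) [com.example.sub:Cat] constructed unrelated error",
]

if __name__ == "__main__":
    for rec in demobilize_failures(SAMPLE):
        print(rec["ts"], rec["process"], rec["pid"], rec["message"])
```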