macOS On Prem File Server mapped drive issue post password change

Ayushjain007
New Contributor

Hello,

We have recently run into this situation. A little bit about our infra: we have on-prem AD and Azure AD. We have Macs which are managed by Intune.

We recently set up our Azure AD and on-prem AD sync, and we started to see an issue where, if a person resets their password, then on the Mac they start getting prompted for the password for their on-prem file server mapped network drive. Even if they key in the password it does not work and it keeps prompting. The only solution which works is for users to remove any credentials saved in their Keychain related to the on-prem file server. Once the saved password(s) for the on-prem file server are deleted, they reboot their MacBook. Once it's booted and signed in, the system prompts them to enter their updated credentials the next time they open their network folder.

Unfortunately this is not a good user experience, so I'm asking if Jamf has any solution, or if there is any other solution that might work.


howie_isaacks
Valued Contributor II

First, are these Macs bound to AD? If they are, that is adding to your problem. The macOS Keychain stores login credentials for just about everything that requires a password. When a user resets or changes the password for a specific server or service, they will be prompted to use the new password. If they make sure to select the option to save the new password in Keychain, they won't be prompted for the password again. If these Macs are bound to AD, and the user is changing their AD password, it's important that they change their password using the macOS-generated prompts and NOT IGNORE THEM UNTIL THE PASSWORD EXPIRES!!!!! Doing the password change within macOS means that the user's Keychain password will be updated along with the Mac's login password. This will make the whole process run a lot smoother. Intune works really well for some things on Mac, but it's not a full-on MDM and management solution for macOS. I suggest that you move to something that is, like Jamf Pro, and if you are doing AD binding on Macs, STOP. There are a lot of better ways to have user login names and passwords synced with AD. My company uses a single sign-on profile on our Macs. It's one of the built-in profile payloads available in Jamf Pro. It syncs the local Mac password with the AD password but keeps the user account a local macOS account. Users will get prompted by the profile when it's time to change their password. The profile also sets up the Kerberos relationship between the Mac and AD, so we won't be prompted to log in to most of our internal resources. Only a few ask us to do so because they have different security requirements.
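The manual workaround the original poster describes (delete the saved file-server credentials from the user's Keychain, then reconnect so macOS prompts once for the new password) can be automated for a Self Service button or a post-password-change script. The following is an added example, not code from either poster or from Jamf. It uses the macOS `security` CLI, whose `delete-internet-password -s <server>` subcommand removes one matching Keychain item per call and exits non-zero once none remain. The share URL `smb://fileserver.corp.example/Shared` is a placeholder; the script assumes it runs as the logged-in user so the default keychain search list is that user's login keychain, and `SECURITY_CMD` exists only so the loop can be exercised without a real keychain.

```shell
#!/bin/bash
# Clear stale Keychain credentials for an on-prem SMB file server after an AD password change,
# so the user is prompted once for the new password instead of looping on the old saved one.
# Added example, not from the thread. The hostname is a placeholder; run as the logged-in user.
set -u

SECURITY_CMD="${SECURITY_CMD:-security}"   # macOS `security` CLI; overridable for testing only

# Reduce an smb:// or afp:// share URL (or a bare hostname) to the server hostname that
# Keychain stores as the item's "server" attribute.
server_host_from_url() {
    local url="$1"
    url="${url#*://}"            # drop the scheme
    url="${url%%/*}"             # drop the share path
    url="${url##*@}"             # drop any DOMAIN;user@ prefix
    printf '%s\n' "${url%%:*}"   # drop any :port suffix
}

# Delete every internet-password item whose server attribute matches the host.
# `security delete-internet-password -s <server>` removes one item per call and exits
# non-zero once nothing matches, so loop until it fails. Prints the number removed.
purge_server_credentials() {
    local host="$1" removed=0
    while "$SECURITY_CMD" delete-internet-password -s "$host" >/dev/null 2>&1; do
        removed=$((removed + 1))
        if [ "$removed" -ge 50 ]; then break; fi   # safety cap against a runaway loop
    done
    printf '%s\n' "$removed"
}

# Usage: clear_stale_share_credentials.sh smb://fileserver.corp.example/Shared
if [ -n "${1:-}" ]; then
    host="$(server_host_from_url "$1")"
    count="$(purge_server_credentials "$host")"
    echo "Removed ${count} saved Keychain item(s) for ${host}; reconnect the share to be prompted for the new password."
fi
```

Deleting only the items for the file server (rather than resetting the whole login keychain) keeps the user's other saved passwords intact, and the reboot in the original workaround becomes unnecessary because Finder reads the Keychain on the next connection attempt. With the Kerberos SSO profile approach described in the reply, the saved SMB password stops being the credential the Mac presents, so this cleanup is no longer needed at all.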