We have been using Jamf Pro with Jamf Connect since May and are rolling out all new Macs via DEP. We have around 300 existing MacBooks, which are AD bound and have mobile accounts, some of them with admin rights. Is there a best practice on how to put those 300 MacBooks into Jamf? We have already tested migrating the accounts and demobilizing the mobile accounts to standard accounts, but that's not very UX friendly, and entering 3 passwords when logging in is two too many. I'm almost wondering whether the old MacBooks should be integrated without Jamf Connect and Login, so the Macs are in Jamf but still in the domain with mobile accounts and have to change the password via System Settings > Users & Groups.
We are currently AD bound but want to go to Connect specifically because of problems with encryption and mobile accounts. That said, I do not think there is anything inherently wrong with binding, and besides FileVault all other functions seem fine. For full management you will want DEP enrolled regardless, though; you can "fool" the device into this status with the re-enroll terminal command without resetting the device.
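As an added example (not code from the thread), a small POSIX shell helper that checks the enrollment state the reply refers to. It parses the output of `profiles status -type enrollment` (lines of the form `Enrolled via DEP: Yes` and `MDM enrollment: Yes (User Approved)`) and says whether `sudo profiles renew -type enrollment` is the next step; the sample output strings are constructed for the test, and the live wrapper only runs on a Mac with root.

```sh
#!/bin/sh
# Classify `profiles status -type enrollment` output.
# Prints: dep (enrolled via DEP), mdm-only (MDM but not DEP), none.
enrollment_state() {
    case "$1" in
        *"Enrolled via DEP: Yes"*) echo dep ;;
        *"MDM enrollment: Yes"*)   echo mdm-only ;;
        *)                         echo none ;;
    esac
}

# Returns 0 when a DEP re-enrollment is worth attempting, 1 when the
# device already reports DEP enrollment.
needs_dep_renew() {
    [ "$(enrollment_state "$1")" != dep ]
}

# Live check; on macOS, run as root. Prints the state and, if needed,
# the command an admin would run next (it is not executed here).
live_enrollment_check() {
    command -v profiles >/dev/null 2>&1 || { echo "not macOS" >&2; return 2; }
    out=$(profiles status -type enrollment 2>&1)
    state=$(enrollment_state "$out")
    echo "state: $state"
    if needs_dep_renew "$out"; then
        echo "next: sudo profiles renew -type enrollment   # device must be assigned in ABM/ASM"
    fi
}
```

The renew command only succeeds when the serial is assigned to the Jamf Pro MDM server in Apple Business Manager, so the "next" line is a hint, not a guarantee.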
I would opt in to Connect and demobilize. Connect has its quirks, that is for sure, but the demobilization and removal of local admin privileges is worth it. When migrating your users, the first time logging in and connecting the local accounts should be the only three-login event. After that, it will be only two logins at the Connect login screen. I agree two times is too many. I wish Jamf would make the local account password check happen at an interval and not every time.
One of the major issues I've run into with Macs with user accounts that have been demobilized is FileVault, the keychain, and changing the user account's password. Specifically, the local admin account does not have a secure token; instead, the user has the secure token. I'm having to pull these machines back for a fresh OS install just to get FV enabled, because the secure token holder can't give the local admin account a token even if promoted to local admin. The local password reset and keychain problems I don't want to think about anymore. It's kind of a mess.
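As an added example (not code from the thread), a POSIX shell audit that spots the state described above before a machine is sent back: the migrated user holds the secure token, the management admin does not, and FileVault is off. It parses `sysadminctl -secureTokenStatus <user>` (which logs `Secure token is ENABLED for user …` or `… DISABLED …` to stderr) and `fdesetup status` (`FileVault is On.` / `FileVault is Off.`). The admin account name `localadmin` is a hypothetical default, and the sample outputs in the test are constructed.

```sh
#!/bin/sh
# Classify one `sysadminctl -secureTokenStatus <user>` result.
# Real output (stderr) looks like:
#   sysadminctl[512:9876] Secure token is ENABLED for user alice
token_state() {
    case "$1" in
        *"Secure token is ENABLED for user"*)  echo ENABLED ;;
        *"Secure token is DISABLED for user"*) echo DISABLED ;;
        *)                                     echo UNKNOWN ;;
    esac
}

# Classify `fdesetup status` output.
fv_state() {
    case "$1" in
        *"FileVault is On."*)  echo On ;;
        *"FileVault is Off."*) echo Off ;;
        *)                     echo Unknown ;;
    esac
}

# Combine the three results into one verdict:
#   fv-on            FileVault already enabled, nothing to do
#   admin-has-token  FileVault off but the admin holds a token, so it can
#                    be enabled from the management account
#   stuck            FileVault off and only the end user holds a token
#                    (the situation the post describes)
#   no-token         nobody holds a token
# $1 = admin sysadminctl output, $2 = user sysadminctl output, $3 = fdesetup output
audit() {
    admin=$(token_state "$1")
    user=$(token_state "$2")
    fv=$(fv_state "$3")
    if [ "$fv" = On ]; then
        echo fv-on
    elif [ "$admin" = ENABLED ]; then
        echo admin-has-token
    elif [ "$user" = ENABLED ]; then
        echo stuck
    else
        echo no-token
    fi
}

# Live run on macOS (needs root). $1 = admin account (hypothetical default
# "localadmin"), $2 = the demobilized end-user account.
live_audit() {
    admin_user=${1:-localadmin}
    end_user=$2
    command -v sysadminctl >/dev/null 2>&1 || { echo "not macOS" >&2; return 2; }
    a=$(sysadminctl -secureTokenStatus "$admin_user" 2>&1)
    u=$(sysadminctl -secureTokenStatus "$end_user" 2>&1)
    f=$(fdesetup status 2>&1)
    audit "$a" "$u" "$f"
}
```

Running `live_audit localadmin alice` across the fleet (for instance from a Jamf policy that writes the verdict to an extension attribute) lets you find the `stuck` machines before they reach the help desk.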