MacBook Pros w/ Touchbar fail AD Binding

RedWings
Contributor

I'm experiencing something I've never seen before. When we image a MacBook Pro (late 2016) with Touch Bar, it fails binding to AD 30-40% of the time. The OS X image contains all the latest Apple Software Updates.

We image by booting to an external HD and imaging using Casper Imaging on said boot drive, which contains a local JSS mirror.

If we image ANY OTHER previous Mac, there are no issues whatsoever. Odd, right?

Is anyone else seeing this?

6 REPLIES

chriscollins
Valued Contributor

We don't bind anymore, but the only thing I can think of is this: if you are deploying 10.12.4 on these machines, there is a bug that randomly affects TBMs where the date gets set to the year 2040 after reboots, so clock skew could be happening and causing AD to reject the binding attempt.

Sturner01
New Contributor

I second Chris. Some of our Macs from 2012-2015, both iMacs and laptops, were extremely sensitive to the skew. I pointed them to an external local gov time server to help reduce the drops and created a policy to bind, and rebind if necessary. I don't bind Macs anymore; the JSS binds them for me =) I think that rebind policy has been up for a year now, and I have only had 4 rebinds with 400 Macs in our org, 200 of which are laptops. As much as I have come to love Apple, their time server (time.apple.com?) has caused me nothing but pain.

This setup helped immensely, as we love to use Kerberos here and were seeing a lot of expired-ticket-related errors.

FWIW, we use a thin-image style for our Macs over Thunderbolt for imaging. We install generic El Capitan from an unmodified installer if we want or need to, then have the different packages install separately and run a config script for the system settings. No prebuilt or monolithic images (EWW!)

Sturner01
New Contributor

Minor correction/update:
We use El Capitan for the older Macs, but for the Touch Bar we obviously retain Sierra, as I don't think El Capitan would support the new hardware, but I haven't tried either. Currently we only have 2 of the Touch Bar Macs, mine being one, but I can say that I have had no issues other than that the fingerprint reader does NOT renew your Kerberos tickets. When waking from sleep the next day, my first sign-in has to be using the password, or else I will have to manually go into the ticket manager and renew. I asked an Apple engineer if they knew the PLIST or config files that control the new hardware, as I have not looked for them yet, but he was not currently familiar with how the Touch Bar worked in that regard. I assume if there is a plist file then we could modify it with a trigger to renew the kerb tickets or something.

seann
Contributor

What was said above. Make sure your date/time is being set correctly. There's a bug in the latest 10.12.4 update with Touch Bar MacBooks resetting the time to like the year 2040. I'd guess the best remedy for now is to have a temporary startup policy to manually sync the time.

ntpdate -u <server>

will accomplish this.

roiegat
Contributor III

I always run a script to check the time and date and make sure they are updated before binding to AD. I've found that some Macs, even fresh from Apple, are 10 minutes off from our AD server time... so they would fail. So I wrote a script to tell the computer to use the time server and force an update.
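
The pre-bind time check roiegat describes, combined with the `ntpdate -u` step seann suggests and the 2040-year symptom chriscollins mentions, as an added example shell script. This is not code from any poster in this thread. It assumes an NTP source the Macs can reach (the placeholder `dc01.example.com`, overridable through `NTP_SERVER`), that the Kerberos skew limit is 300 seconds (`MAX_SKEW`, the AD default), that `ntpdate -q` prints an `offset` field as on 10.12, and that the policy runs as root the way Jamf policies do. The helper functions are separated from the live check so the parsing and tolerance logic can be exercised on any machine.

```shell
#!/bin/sh
# Added example, not from the thread: clock sanity check to run before an AD bind.
# Assumptions (not facts from the thread):
#   - NTP_SERVER answers NTP; dc01.example.com is a placeholder, replace it.
#   - MAX_SKEW is the Kerberos clock-skew tolerance; AD defaults to 300 seconds.
#   - ntpdate exists, as on 10.12; on newer macOS `sntp -sS` replaces `ntpdate -u`.
NTP_SERVER="${NTP_SERVER:-dc01.example.com}"
MAX_SKEW="${MAX_SKEW:-300}"

# abs_diff A B: print |A - B| for two integers (for example two epoch timestamps).
abs_diff() {
  if [ "$1" -ge "$2" ]; then echo $(( $1 - $2 )); else echo $(( $2 - $1 )); fi
}

# within_tolerance SKEW MAX: succeed when SKEW (whole seconds) is at most MAX.
within_tolerance() {
  [ "$1" -le "$2" ]
}

# year_in_range YEAR LO HI: succeed when YEAR is plausible. A Mac that has jumped
# to 2040 (the 10.12.4 Touch Bar symptom described above) fails this check.
year_in_range() {
  [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# parse_ntpdate_offset LINE: extract the signed offset in seconds from one line of
# `ntpdate -q` output. Constructed sample of that format:
#   server 10.0.0.5, stratum 3, offset -612.412, delay 0.02
# Prints nothing when the line carries no offset field.
parse_ntpdate_offset() {
  printf '%s\n' "$1" | sed -n 's/.*offset \([-+]*[0-9][0-9]*\.*[0-9]*\).*/\1/p'
}

# offset_seconds_abs OFFSET: |OFFSET| truncated to whole seconds. Shell arithmetic
# is integer-only, so awk handles the fractional value.
offset_seconds_abs() {
  awk -v o="$1" 'BEGIN { if (o < 0) o = -o; printf "%d\n", int(o) }'
}

# query_skew: ask NTP_SERVER for the current offset and print it as whole seconds.
# Fails (returns 1) if the server could not be queried, so a dead server is never
# mistaken for a zero offset.
query_skew() {
  line=$(ntpdate -q "$NTP_SERVER" 2>/dev/null | grep offset | tail -n 1)
  offset=$(parse_ntpdate_offset "$line")
  [ -n "$offset" ] || return 1
  offset_seconds_abs "$offset"
}

# check_and_fix_clock: point the Mac at NTP_SERVER, step the clock if the skew is
# outside MAX_SKEW, and re-check so the caller only binds when Kerberos will
# accept the timestamps it sends.
check_and_fix_clock() {
  year=$(date +%Y)
  if ! year_in_range "$year" 2016 2030; then
    echo "Clock reports year $year, which is implausible; forcing a sync."
  fi
  systemsetup -setusingnetworktime on >/dev/null
  systemsetup -setnetworktimeserver "$NTP_SERVER" >/dev/null

  skew=$(query_skew) || { echo "Could not query $NTP_SERVER; not binding with an unverified clock." >&2; return 1; }
  if ! within_tolerance "$skew" "$MAX_SKEW"; then
    echo "Skew is ${skew}s (limit ${MAX_SKEW}s); stepping the clock."
    ntpdate -u "$NTP_SERVER" >/dev/null || return 1
    skew=$(query_skew) || return 1
    within_tolerance "$skew" "$MAX_SKEW" || { echo "Still ${skew}s off after sync." >&2; return 1; }
  fi
  echo "Clock within ${MAX_SKEW}s of $NTP_SERVER (skew ${skew}s); safe to bind."
}

# The live check only makes sense on macOS as root (Jamf policies run as root);
# elsewhere the helper functions above can still be called on their own.
if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" = "0" ]; then
  check_and_fix_clock || exit 1
fi
```

Run it as the first step of the bind policy and make the bind conditional on its exit status; a non-zero exit means the clock could not be verified and the bind attempt would most likely be rejected anyway.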

Sturner01
New Contributor

Wouldn't the time auto-adjust once you point it to a new time server? Guess it's good I haven't updated to 10.12.4 yet ;)