macOS High Sierra: First Impressions

dan-snelson
Valued Contributor II

You had me at "Lock Screen"



dan-snelson
Valued Contributor II

@bearzooka In case you'd already filed a bug report with Apple, I'd reference your case number with mine. (However, we're moving away from AD binding.)

mbezzo
Contributor III

Hi,
Are people still seeing the AD bind issue with the latest release (out yesterday, 17A306f)? Gonna try here in a bit, but just curious if it changed anything for anyone.

Thanks,
Matt

perrycj
Contributor III

Beta 3 release notes:

"Known Issues in macOS High Sierra 10.13 beta

The following are known to exist in this release.
Active Directory

  • Clients bound to an Active Directory domain may currently hang at boot."

bjones
New Contributor III

@here I have a question in reference to the release name of High Sierra when it is released. I am trying to get ahead of the game and apply the restricted software block through JAMF while we test to make sure everything works in our environment. Our employees are day one adopters and I want to avoid problems.

alexa_123
New Contributor

if someone is going to update to High Sierra, don't forget to prepare your Mac before - https://nektony.com/blog/how-to-prepare-your-mac-for-macos-high-sierra-update

medicis
New Contributor II

It might be interesting to use native virtualization for macOS to create Hi Sierra lab environments for testing all sorts of things - imaging etc.

https://veertu.com/beta-high-sierra-environment-in-an-isolated-vm/

dmeehan
New Contributor

Has anyone experienced issues with system extension blocking (http://blog.eriknicolasgomez.com/2017/07/25/Kextpocalypse-High-Sierra-and-kexts-in-the-Enterprise/) breaking VMWare, AV or other enterprise products? We did a test and VMWare and our AV do not work without IT telling the user to specifically allow the software to load kernel extensions in System Settings. That might be okay for VMWare, but we'd rather not give users the option to run AV. We're looking for a solution to deploy our enterprise software at scale without physically touching each individual endpoint to add the team ID with the spctl kext-consent command in recovery mode. Anyone else worried about this?

CAJensen01
Contributor

@dmeehan Lots of folks are worried about this. Apple has been trying to point developers away from using Kernel Extensions for some time, though.

Their note on Enterprise App Distribution is hilarious, as if that process is feasible in any enterprise environment.

There's not a magical workaround for this that I'm aware of.

Best to get with your vendors and query about their plans for a compatible agent for this release that invalidates the need to perform those steps. See this post.

gachowski
Valued Contributor II

I am seeing issues with blocking the password hint at the FV login window and the loginwindow text too.

Anybody else? I have opened tickets in the seed program.

C

rhooper
Contributor III

When I downloaded the 10.13 B1 version it did not update the FS to APFS, so not much different than before, other than a few nice features like the lock screen. How did you all get the APFS to perform the update to use the full extent of this new FS?

Hoping JAMF will be doing some nifty scripts and the such to allow us to lock a computer without losing the ability to see it and its associated IP for tracking purposes.

wakco
Contributor III

Apple limited the developer and public betas to only offer the upgrade to APFS on solid state drives; the 10.13 beta installs would give the choice when installing.

gachowski
Valued Contributor II

So far, as of beta 4 I haven't had to change any of my enrollment process or policies. Testing the beta 5 right now. We only have SSD "drives" so no issues there.

C

milesleacy
Valued Contributor

So, since I'm only commenting on items that have gotten public attention and/or 3rd party products, I'm pretty sure I'm good with NDA.

Re: Lock Screen
The Keychain Access application no longer contains the keychain.menu menu extra. This is irrelevant, given the Apple Menu item.
This is a good and remarkable thing since we no longer need to create a policy or profile to provide this functionality to our users.

Other Items I've found...

Canon printer drivers
If you have to install Canon printer drivers, note that the packages Canon issued last year have an OS version check built into the package that will cause the installation to fail where OS = 10.13. I have also gotten reports of functionality issues that I'm still waiting for confirmation test data on.

Symantec Endpoint Protection
The extant version fails to install. I have an issue open with Symantec.

General advice...
Contrary to some sysadmins' opinions, it is not Apple's job to comply with the 3rd-party developer, rather it's the other way around.

Lean hard on your vendors and internal developers to...
participate in the Apple Developer Program
follow Apple best practices and development guidelines
deliver compatible and Apple best practice and guideline-compliant software before the OS is released

I tell my devs & vendors that zero-day support is considered late. I want to see a guaranteed compatible/supported release within 48 hours of Apple's GM/release candidate going public, and preferably a beta before then.

gachowski
Valued Contributor II

We are on a roll @milesleacy

General advice...
Contrary to some sysadmins' opinions, it is not Apple's job to comply with the 3rd-party developer, rather it's the other way around.

Lean hard on your vendors and internal developers to...
participate in the Apple Developer Program
follow Apple best practices and development guidelines
deliver compatible and Apple best practice and guideline-compliant software before the OS is released

I tell my devs & vendors that zero-day support is considered late. I want to see a guaranteed compatible/supported release within 48 hours of Apple's GM/release candidate going public, and preferably a beta before then.

X 1,000

We enable vendors' bad behavior, and it needs to stop. We have to educate our organization: if they want to support Apple they have to play by Apple rules and Apple timelines, and only support vendors (like Jamf) that do.

My sound bite is: We all have to move at Apple speed, not "insert your crappy vendor here" speed.

C

donmontalvo
Esteemed Contributor III

Oh how times have changed, where it was considered rude to call out non-cooperative third party vendors, and now Apple/Jamf encourage tightening the screws. :)


--
https://donmontalvo.com

milesleacy
Valued Contributor

May I quote you, @gachowski ?

My sound bite is: We all have to move at Apple speed, not "insert your crappy vendor here" speed.

gachowski
Valued Contributor II

: )

AVmcclint
Honored Contributor

For those of you who have installed High Sierra and converted your boot drive to APFS, I have a few questions:

  1. How long did it take to complete the conversion from HFS+ to APFS? a. SSD? b. spinning platter HDD?
  2. Was the computer usable during the conversion or did you have to stare at a "please wait..." screen for the duration?
  3. Same questions as above but with an already encrypted FileVault drive.

wakco
Contributor III

@AVmcclint ...
1. About 30 minutes to install High Sierra, another 30 minutes to convert HFS+ to APFS for a 1 TB SSD in a MacBook Pro (15", Late 2011).
2. The APFS conversion happens after the first restart during the install process, so you are sitting with the grey apple screen, a progress bar, with some small text at the bottom giving an estimated time of completion, and an indication as to whether it is upgrading the OS or converting HFS+ to APFS.
3. Haven't used FileVault, thinking about changing that after High Sierra gets released.

As I understand it, upgrading HDDs to APFS is not currently supported in the beta OS installers (they only provide the option to upgrade to APFS for SSDs), but it should be by the time High Sierra is released. I believe the longer time it would take to upgrade an HDD, versus the need to help developers get up and running testing their apps on the newer OS, is the reason for this.

AVmcclint
Honored Contributor

@wakco Was this a clean install or was it an upgrade from Sierra? Waiting for the drive to convert to APFS might be a major obstacle for us to minimize downtime when doing upgrades. I guess there's still plenty of time before it hits the streets as a gold release, and then I'll most likely wait until 10.13.2 before I start to dig in with my own testing of the upgrade and app compatibility. Thanks for the input.

wakco
Contributor III

@AVmcclint Upgrade. I expect a clean install wouldn't need any time for APFS conversion. Also, the install process does ask if you want the APFS conversion performed, and doesn't assume it.

tcandela
Valued Contributor II

I installed the 10.13 high sierra beta (17A330h) on a test 2015 MBPro that was running macOS Sierra 10.12 (this computer had no connection to being enrolled in the Casper system, it was totally separate).

The computer has 3 accounts, and after the 10.13 beta completed installation I am only able to log in with the account that was used to install the beta. I go into System Preferences > Users & Groups and do not have the option to 'reset' the password on the other 2 accounts.

Has anyone else encountered this issue?

In 10.12 I am able to choose a different user account and I get the 'reset password' option; in 10.13 I don't get this option to 'reset password' on other accounts.

Disk Utility shows the volume is APFS!! I did not have to choose this during the install process, I just walked away and let the installation do its stuff.

PhillyPhoto
Valued Contributor

I had issues with the computer hanging after being bound to AD previously. So I downloaded Beta 6 and it doesn't hang anymore, but I cannot login with mobile accounts. I get the following error:


I also noticed my drive was converted to APFS after getting the prompt to upgrade in the previous beta. It looks like it's no longer an option.

StoneMagnet
Contributor III

Confirming @PhillyPhoto's comment on the APFS conversion - with Beta 6 it's automatic, at least on SSD based machines (I don't have any spindle systems testing High Sierra)

dmeehan
New Contributor

All,

I just saw this update from Apple regarding this issue (SKEL): https://support.apple.com/en-us/HT208019. It sounds like MDM is the answer. Does that mean with Casper we can manage our devices using MDM to avoid the kextpocalypse (blog.eriknicolasgomez.com/2017/07/25/Kextpocalypse-High-Sierra-and-kexts-in-the-Enterprise/) issue?

PhillyPhoto
Valued Contributor

@dmeehan it sounds like maybe just having the MDM profile is enough, I don't think there will be a new SKEL payload. That will be a huge time relief if that's all it takes.

anand
New Contributor II

Please check below discussion for more details around SKEL:
https://www.jamf.com/jamf-nation/discussions/25163/how-to-install-kext-using-jss-on-high-sierra

Thanks

jconte
Contributor II

Is anyone having an issue logging into a 10.13 beta 9 machine with a domain account? My 10.13 Mac is bound to our AD, but we noticed that we cannot log in using an account that has a home drive mapped in AD; remove the mapping and the account logs in fine.

Getting the same screen as @PhillyPhoto.

Thanks

bearzooka
Contributor

I feared I was the only one having issues to log in with AD accounts, but I see that this persists in beta 9.
Has anyone with a GM version tried to bind to AD and log in as network users?

Also, I tried to use

sudo dscl . delete /Users/olduser

to delete a local account and I get a

DS Error: -14120 (eDSPermissionError)

that I wasn't getting on 10.12

Might it be that SIP now blocks this command from deleting user accounts?

Aziz
Valued Contributor

@jconte @PhillyPhoto

Do you have Read/Write permissions on the folder on your Home Drive Server? Windows and AD will map it to anything and bypass those permissions even if you don't have ACTUAL rights on the folder.

To fix this, give your user account permission on your Home Server here (Modify, List, Read):


Sharma
New Contributor

Hi, @jconte @PhillyPhoto @Aziz I am also having the same error message while logging in to AD using the standard ver. I have the correct rights.

SYS logs while logging in:
Sep 29 00:08:44 skullmac kcm[2464]: DEPRECATED USE in libdispatch client: Setting timer interval to 0 requests a 1ns timer, did you mean FOREVER (a one-shot timer)?
Sep 29 00:08:45 skullmac authorizationhost[2438]: ERROR | -[HomeDirMounter mountNetworkHomeWithURL:attributes:dirPath:username:] | PremountHomeDirectoryWithAuthentication( url=smb://USDEF-KT0055/SKULL5%%22, homedir=/home/skull5, name=skull5 ) returned 2

Any update about this?

jconte
Contributor II

Do you have a special character as the last one in the path for your home drives?

Here is what I saw in my situation:

Sep 15 13:40:55 L-AC0256 authorizationhost[3548]: ERROR | -[HomeDirMounter mountNetworkHomeWithURL:attributes:dirPath:username:] | PremountHomeDirectoryWithAuthentication( url=smb://NJHomeDrive/X23556%%24, homedir=/home/x23556, name=x23556 ) returned 2

The $ is incorrectly translated to "%%24" in 10.13. You can also see the "%%24" in the HomeDirectory attribute in Directory Editor for affected accounts in 10.13.


For me, unchecking the UNC box allows us to login and complete our testing, we will still wait for an official fix from Apple as we opened a ticket for this issue. Enterprise Connect maps the drive so we get the mapping that way in a pinch.
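Small triage helper, added here as an example and not code from Apple, Jamf or any poster in this thread. It parses the authorizationhost lines quoted above by @Sharma and @jconte (plus one constructed line for a home-directory mount that fails without the "%%XX" pattern, so the two cases can be told apart) and flags URLs whose last character was double-percent-encoded, which is the symptom both posts describe. It also shows what the URL decodes to, so you can see the "$" that 10.13 turned into "%%24". Python 3 only; the field names and the "likely_cause" wording are my own.

```python
import re

# Two lines are the ones quoted in this thread; the third (host L-AC0256, user "plain")
# is constructed to represent a mount failure that is NOT the %%XX encoding problem.
SAMPLE_LOG = """\
Sep 29 00:08:44 skullmac kcm[2464]: DEPRECATED USE in libdispatch client: Setting timer interval to 0 requests a 1ns timer, did you mean FOREVER (a one-shot timer)?
Sep 29 00:08:45 skullmac authorizationhost[2438]: ERROR | -[HomeDirMounter mountNetworkHomeWithURL:attributes:dirPath:username:] | PremountHomeDirectoryWithAuthentication( url=smb://USDEF-KT0055/SKULL5%%22, homedir=/home/skull5, name=skull5 ) returned 2
Sep 15 13:40:55 L-AC0256 authorizationhost[3548]: ERROR | -[HomeDirMounter mountNetworkHomeWithURL:attributes:dirPath:username:] | PremountHomeDirectoryWithAuthentication( url=smb://NJHomeDrive/X23556%%24, homedir=/home/x23556, name=x23556 ) returned 2
Sep 15 14:02:10 L-AC0256 authorizationhost[3601]: ERROR | -[HomeDirMounter mountNetworkHomeWithURL:attributes:dirPath:username:] | PremountHomeDirectoryWithAuthentication( url=smb://NJHomeDrive/plain, homedir=/home/plain, name=plain ) returned 2
"""

# Matches the PremountHomeDirectoryWithAuthentication(...) failure line and pulls out
# the fields authorizationhost prints: url, homedir, name and the return code.
PREMOUNT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) authorizationhost\[\d+\]: "
    r".*PremountHomeDirectoryWithAuthentication\( url=(?P<url>[^,]+), "
    r"homedir=(?P<homedir>[^,]+), name=(?P<name>[^ ]+) \) returned (?P<rc>\d+)$"
)

# "%%24" style tokens: a percent sign that was itself percent-encoded, then the hex byte.
DOUBLE_PCT_RE = re.compile(r"%%([0-9A-Fa-f]{2})")


def decode_double_percent(url):
    """Return the URL with each %%XX token replaced by the character it encodes."""
    return DOUBLE_PCT_RE.sub(lambda m: bytes.fromhex(m.group(1)).decode("latin-1"), url)


def parse_premount_failures(log_text):
    """Return one dict per home-directory premount failure found in log_text."""
    events = []
    for line in log_text.splitlines():
        m = PREMOUNT_RE.match(line)
        if not m:
            continue  # kcm noise and anything else is ignored
        url = m.group("url")
        encoded = [bytes.fromhex(h).decode("latin-1") for h in DOUBLE_PCT_RE.findall(url)]
        if encoded:
            cause = "UNC path character mis-encoded as %%XX; expected URL: " + decode_double_percent(url)
        else:
            cause = "mount failed; check share permissions and that the path exists"
        events.append({
            "timestamp": m.group("ts"),
            "host": m.group("host"),
            "name": m.group("name"),
            "homedir": m.group("homedir"),
            "url": url,
            "rc": int(m.group("rc")),
            "double_encoded": encoded,
            "likely_cause": cause,
        })
    return events


def summarize(log_text):
    """One human-readable line per failure, handy for pasting into a ticket."""
    return ["{host} user={name} rc={rc} url={url} -> {likely_cause}".format(**e)
            for e in parse_premount_failures(log_text)]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

Run it against the output of `log show` (or the syslog lines you already have) and anything flagged as "%%XX" is a candidate for unchecking "Use UNC path" on the binding, while the other rows point at permissions or a stale homeDirectory attribute, as @Aziz and @JPDyson describe.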

alexjdale
Valued Contributor III

We have been disabling UNC path for home drives for many years now. The OS just can't handle it when the mapping doesn't work. Not being able to log in is an absolutely abysmal response for something so minor.

PhillyPhoto
Valued Contributor

@jconte & @alexjdale, this fixed my issue after unchecking "use UNC path" in our directory binding in the JSS. We have Enterprise Connect, so we can connect home drives through that. Thanks for the info!

osxadmin
Contributor II

@PhillyPhoto we have the same setup as you do, we don't have issues with mapping network drives; but as you may already know the issue is when the user tries to change their AD password, even using the Enterprise Connect App it doesn't work (rumor is the next patch will fix that "10.13.1")

I'm just wondering if you are having the same password issue.

thanks.

cindySingh
New Contributor III

Hi @jconte We are facing similar issues here. Exactly same error message. Did you find something around it?

Hi @osxadmin For us it's not about changing the password; we get it during login. A user who is logging in for the first time on a Mac gets this. Have you tried deleting the home folder and logging in as a new user?
We get it on all Macs, for all users.

Thanks,
CS

PhillyPhoto
Valued Contributor

@osxadmin Thankfully we don't have a big user base on our AD bound side that likes the latest and greatest right away, so I'm the only one testing 10.13 at the moment. So I can't report any issues with passwords as of yet though.

JPDyson
Valued Contributor

macOS doesn't gracefully handle issues with the home directory; it just fails the login. Our Windows estate has a different mechanism in place for mapping user shares, so the homeDirectory attribute SHOULD be blank in our case. Some users tested using that field a long time ago and it wasn't cleared, and one of our configs for binding checked the box to mount that share. Seems to handle a blank attribute fine, but if there's a bad path (or one you don't have permissions to), the login just seems to fail without much of a helpful indication as to why.

Edit: meant to say this has been true since before High Sierra.

osxadmin
Contributor II

@cindySingh Unfortunately I can't do that in our environment with our users (deleting the home folder and logging in as a new user); all of our Mac users "don't have time" for us, so what I've done is block the upgrade in our environment until Apple releases the patch/fix.

Thanks.

bearzooka
Contributor

Well, it seems that today's update to 10.13.1 fixed the UNC path issue and now I am able to bind the machine as expected (with network home locations) without a problem.

One less thing to worry about!