Posted on 06-06-2017 12:36 PM
You had me at "Lock Screen"
Posted on 07-11-2017 08:50 AM
@bearzooka In case you'd already filed a bug report with Apple, I'd reference your case number with mine. (However, we're moving away from AD binding.)
Posted on 07-11-2017 11:00 AM
Hi,
Are people still seeing the AD bind issue with the latest release (out yesterday, 17A306f)? Gonna try here in a bit, but just curious if it changed anything for anyone.
Thanks,
Matt
Posted on 07-11-2017 11:11 AM
Beta 3 release notes:
"Known Issues in macOS High Sierra 10.13 beta
The following are known to exist in this release.
Active Directory
Posted on 07-17-2017 10:36 AM
@here I have a question in reference to the release name of High Sierra when it is released. I am trying to get ahead of the game and apply the restricted software block through JAMF while we test to make sure everything works in our environment. Our employees are day one adopters and I want to avoid problems.
Posted on 07-24-2017 04:49 AM
If someone is going to update to High Sierra, don't forget to prepare your Mac before - https://nektony.com/blog/how-to-prepare-your-mac-for-macos-high-sierra-update
Posted on 07-30-2017 10:01 PM
It might be interesting to use native virtualization for macOS to create High Sierra lab environments for testing all sorts of things - imaging etc.
https://veertu.com/beta-high-sierra-environment-in-an-isolated-vm/
Posted on 08-02-2017 02:54 PM
Has anyone experienced issues with system extension blocking (http://blog.eriknicolasgomez.com/2017/07/25/Kextpocalypse-High-Sierra-and-kexts-in-the-Enterprise/) breaking VMware, AV or other enterprise products? We did a test and VMware and our AV do not work without IT telling the user to specifically allow the software to load kernel extensions in System Settings. That might be okay for VMware, but we'd rather not give users the option to run AV. We're looking for a solution to deploy our enterprise software at scale without physically touching each individual endpoint to add the team ID with the spctl kext-consent command in recovery mode. Anyone else worried about this?
Posted on 08-03-2017 09:26 AM
@dmeehan Lots of folks are worried about this. Apple has been trying to point developers away from using Kernel Extensions for some time, though.
Their note on Enterprise App Distribution is hilarious, as if that process is feasible in any enterprise environment.
There's not a magical workaround for this that I'm aware of.
Best to get with your vendors and query about their plans for a compatible agent for this release that invalidates the need to perform those steps. See this post.
Posted on 08-03-2017 10:48 AM
I am seeing an issue with blocking the password hint at the FV login window and the loginwindow text too.
Anybody else? I have opened tickets in the seed program.
C
Posted on 08-04-2017 05:18 PM
When I downloaded the 10.13. B1 version it did not update the FS to APFS, so not much different than before, other than a few nice features like the lock screen. How did you all get the APFS to perform the update to use the full extent of this new FS?
Hoping JAMF will be doing some nifty scripts and the such to allow us to lock a computer without losing the ability to see it and its associated IP for tracking purposes.
Posted on 08-05-2017 01:43 AM
Apple limited the developer and public betas to only offer to upgrade to APFS on solid state drives, the 10.13 beta installs would give the choice when installing.
Posted on 08-07-2017 02:15 PM
So far, as of beta 4 I haven't had to change any of my enrollment process or policies. Testing the beta 5 right now. We only have SSD "drives" so no issues there.
C
Posted on 08-07-2017 04:28 PM
So, since I'm only commenting on items that have gotten public attention and/or 3rd party products, I'm pretty sure I'm good with NDA.
Re: Lock Screen
The Keychain Access application no longer contains the keychain.menu menu extra. This is irrelevant, given the Apple Menu item.
This is a good and remarkable thing since we no longer need to create a policy or profile to provide this functionality to our users.
Other Items I've found...
Canon printer drivers
If you have to install Canon printer drivers, note that the packages Canon issued last year have an OS version check built into the package that will cause the installation to fail where OS = 10.13. I have also gotten reports of functionality issues that I'm still waiting for confirmation test data on.
Symantec Endpoint Protection
The extant version fails to install. I have an issue open with Symantec.
General advice...
Contrary to some sysadmins' opinions, it is not Apple's job to comply with the 3rd-party developer, rather it's the other way around.
Lean hard on your vendors and internal developers to...
participate in the Apple Developer Program
follow Apple best practices and development guidelines
deliver compatible and Apple best practice and guideline-compliant software before the OS is released
I tell my devs & vendors that zero-day support is considered late. I want to see a guaranteed compatible/supported release within 48 hours of Apple's GM/release candidate going public, and preferably a beta before then.
Posted on 08-07-2017 04:37 PM
We are on a roll @milesleacy
General advice... Contrary to some sysadmins' opinions, it is not Apple's job to comply with the 3rd-party developer, rather it's the other way around. Lean hard on your vendors and internal developers to... participate in the Apple Developer Program follow Apple best practices and development guidelines deliver compatible and Apple best practice and guideline-compliant software before the OS is released I tell my devs & vendors that zero-day support is considered late. I want to see a guaranteed compatible/supported release within 48 hours of Apple's GM/release candidate going public, and preferably a beta before then.
X 1,000
We enable vendors' bad behavior, and it needs to stop. We have to educate our organization if they want to support Apple they have to play by Apple rules and Apple timelines and only support vendors (like Jamf) that do.
My sound bite is, We all have to move at Apple speed, not "insert your crappy vendor here" speed.
C
Posted on 08-07-2017 05:09 PM
Oh how times have changed, where it was considered rude to call out non-cooperative third-party vendors, and now Apple/Jamf encourage tightening the screws. :)
Posted on 08-09-2017 07:47 AM
May I quote you, @gachowski ?
My sound bite is, We all have to move at Apple speed, not "insert your crappy vendor here" speed.
Posted on 08-09-2017 08:54 AM
: )
Posted on 08-10-2017 04:45 AM
For those of you who have installed High Sierra and converted your boot drive to APFS, I have a few questions:
Posted on 08-10-2017 05:58 AM
@AVmcclint ...
1. About 30 minutes to install High Sierra, another 30 minutes to convert HFS+ to APFS for a 1 TB SSD in a MacBook Pro (15", Late 2011).
2. The APFS conversion happens after the first restart during the install process, so you are sitting with the grey apple screen, a progress bar, with some small text at the bottom giving an estimated time of completion, and an indication as to whether it is upgrading the OS or converting HFS+ to APFS.
3. Haven't used FileVault, thinking about changing that after High Sierra gets released.
As I understand it, upgrading HDDs to APFS is not currently supported in the beta OS installers (they only provide the option to upgrade to APFS for SSDs), but should be by the time High Sierra is released. I believe the longer time it would take to upgrade a HDD, versus the need to help developers get up and running testing their apps on the newer OS, to be the reason for this.
Posted on 08-10-2017 06:42 AM
@wakco Was this a clean install or was it an upgrade from Sierra? Waiting for the drive to convert to APFS might be a major obstacle for us to minimize downtime when doing upgrades. I guess there's still plenty of time before it hits the streets as a gold release, and then I'll most likely wait until 10.13.2 before I start to dig in with my own testing of the upgrade and app compatibility. Thanks for the input.
Posted on 08-10-2017 11:43 AM
@AVmcclint upgrade, I expect a clean install wouldn’t need any time for APFS conversion. Also the install process does ask if you want the APFS conversion performed, and doesn’t assume it.
Posted on 08-14-2017 07:35 AM
I installed the 10.13 High Sierra beta (17A330h) on a test 2015 MBPro that was running macOS Sierra 10.12 (this computer had no connection to being enrolled in the Casper system, it was totally separate).
The computer has 3 accounts and after the 10.13 beta completed installation I am only able to log in with the account that was used to install the beta. I go into System Preferences, Users & Groups and do not have the option to 'reset' the password on the other 2 accounts.
Has anyone else encountered this issue?
In 10.12 I am able to choose a different user account and I get the 'reset password' option, in 10.13 I don't get this option to 'reset password' on other accounts.
Disk Utility shows the volume is APFS!! I did not have to choose this during the install process, I just walked away and let the installation do its stuff.
Posted on 08-17-2017 07:30 AM
I had issues with the computer hanging after being bound to AD previously. So I downloaded Beta 6 and it doesn't hang anymore, but I cannot login with mobile accounts. I get the following error:
I also noticed my drive was converted to APFS after getting the prompt to upgrade in the previous beta. It looks like it's no longer an option.
Posted on 08-17-2017 11:37 AM
Confirming @PhillyPhoto's comment on the APFS conversion - with Beta 6 it's automatic, at least on SSD based machines (I don't have any spindle systems testing High Sierra)
Posted on 08-22-2017 10:06 AM
All,
I just saw this update from Apple regarding this issue (SKEL): https://support.apple.com/en-us/HT208019. It sounds like MDM is the answer. Does that mean with Casper we can manage our devices using MDM to avoid the kextpocalypse (blog.eriknicolasgomez.com/2017/07/25/Kextpocalypse-High-Sierra-and-kexts-in-the-Enterprise/) issue?
Posted on 08-22-2017 10:38 AM
@dmeehan it sounds like maybe just having the MDM profile is enough, I don't think there will be a new SKEL payload. That will be a huge time relief if that's all it takes.
Posted on 08-27-2017 11:56 PM
Please check below discussion for more details around SKEL:
https://www.jamf.com/jamf-nation/discussions/25163/how-to-install-kext-using-jss-on-high-sierra
Thanks
Posted on 09-14-2017 07:36 AM
Is anyone having an issue logging into a 10.13 beta 9 machine with a domain account? My 10.13 Mac is bound to our AD but we noticed that we cannot log in using an account that has a home drive mapped in AD; remove the mapping and the account logs in fine.
Getting the same screen as @PhillyPhoto
Thanks
Posted on 09-19-2017 10:27 AM
I feared I was the only one having issues to log in with AD accounts, but I see that this persists in beta 9.
Has anyone with a GM version tried to bind to AD and log in as network users?
Also, I tried to use
sudo dscl . delete /Users/olduser
to delete a local account and I get a
DS Error: -14120 (eDSPermissionError)
that I wasn't getting on 10.12
Might it be that SIP now blocks this command from deleting user accounts?
Posted on 09-19-2017 02:50 PM
Do you have Read/Write permissions on the folder on your Home Drive Server? Windows and AD will map it to anything and bypass those permissions even if you don't have ACTUAL rights on the folder.
To fix this, give your user account permission on your Home Server here (Modify, List, Read):
Posted on 09-29-2017 07:30 AM
Hi, @jconte @PhillyPhoto @Aziz I am also having the same error message while logging in to AD using standard ver. Have correct writes.
Sys logs while logging in:
Sep 29 00:08:44 skullmac kcm[2464]: DEPRECATED USE in libdispatch client: Setting timer interval to 0 requests a 1ns timer, did you mean FOREVER (a one-shot timer)?
Sep 29 00:08:45 skullmac authorizationhost[2438]: ERROR | -[HomeDirMounter mountNetworkHomeWithURL:attributes:dirPath:username:] | PremountHomeDirectoryWithAuthentication( url=smb://USDEF-KT0055/SKULL5%%22, homedir=/home/skull5, name=skull5 ) returned 2
Any update about this?
Posted on 09-29-2017 08:00 AM
Do you have a special character as the last in the path for your home drives?
Here is what I saw in my situation:
Sep 15 13:40:55 L-AC0256 authorizationhost[3548]: ERROR | -[HomeDirMounter mountNetworkHomeWithURL:attributes:dirPath:username:] | PremountHomeDirectoryWithAuthentication( url=smb://NJHomeDrive/X23556%%24, homedir=/home/x23556, name=x23556 ) returned 2
The $ is incorrectly translated to "%%24" in 10.13. You can also see the "%%24" in the HomeDirectory attribute in Directory Editor for affected accounts in 10.13.
For me, unchecking the UNC box allows us to login and complete our testing, we will still wait for an official fix from Apple as we opened a ticket for this issue. Enterprise Connect maps the drive so we get the mapping that way in a pinch.
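The log signature described in the post above can be searched for across collected system logs. The following is an added example, not part of the original thread: it pulls failed `PremountHomeDirectoryWithAuthentication` calls out of log text and flags URLs carrying the `%%XX` double-percent sequence, using the log lines posted in this thread as sample input. The function and field names are illustrative assumptions.

```python
import re
from urllib.parse import unquote

# Log lines as posted in this thread (not constructed).
SAMPLE_LOG = """\
Sep 29 00:08:44 skullmac kcm[2464]: DEPRECATED USE in libdispatch client: Setting timer interval to 0 requests a 1ns timer, did you mean FOREVER (a one-shot timer)?
Sep 29 00:08:45 skullmac authorizationhost[2438]: ERROR | -[HomeDirMounter mountNetworkHomeWithURL:attributes:dirPath:username:] | PremountHomeDirectoryWithAuthentication( url=smb://USDEF-KT0055/SKULL5%%22, homedir=/home/skull5, name=skull5 ) returned 2
Sep 15 13:40:55 L-AC0256 authorizationhost[3548]: ERROR | -[HomeDirMounter mountNetworkHomeWithURL:attributes:dirPath:username:] | PremountHomeDirectoryWithAuthentication( url=smb://NJHomeDrive/X23556%%24, homedir=/home/x23556, name=x23556 ) returned 2
"""

# One authorizationhost line reporting the result of a network home pre-mount.
PREMOUNT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) authorizationhost\[\d+\]: .*"
    r"PremountHomeDirectoryWithAuthentication\( url=(?P<url>\S+), "
    r"homedir=(?P<homedir>\S+), name=(?P<name>\S+) \) returned (?P<rc>-?\d+)"
)
# The malformed escape seen in the thread: two percent signs before the hex pair.
DOUBLE_PCT = re.compile(r"%%([0-9A-Fa-f]{2})")


def find_failed_home_mounts(log_text):
    """Return one dict per failed pre-mount, noting any %%XX sequences in the URL."""
    findings = []
    for line in log_text.splitlines():
        m = PREMOUNT.match(line)
        if not m or m["rc"] == "0":
            continue  # unrelated line, or the mount succeeded
        url = m["url"]
        bad = DOUBLE_PCT.findall(url)
        findings.append({
            "time": m["ts"],
            "host": m["host"],
            "user": m["name"],
            "url": url,
            "rc": int(m["rc"]),
            # Characters that were escaped with a doubled percent sign.
            "double_encoded": [unquote("%" + h) for h in bad],
            # URL with the doubled escapes collapsed and decoded.
            "decoded_url": unquote(DOUBLE_PCT.sub(r"%\1", url)) if bad else None,
        })
    return findings


if __name__ == "__main__":
    for f in find_failed_home_mounts(SAMPLE_LOG):
        print(f["time"], f["host"], f["user"], f["url"], f["double_encoded"])
```

A failed mount with an empty `double_encoded` list points at a different cause, such as the share permissions mentioned earlier in the thread.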
Posted on 09-29-2017 09:04 AM
We have been disabling UNC path for home drives for many years now. The OS just can't handle it when the mapping doesn't work. Not being able to log in is an absolutely abysmal response for something so minor.
Posted on 10-05-2017 11:29 AM
@jconte & @alexjdale, this fixed my issue after unchecking "use UNC path" in our directory binding in the JSS. We have Enterprise Connect, so we can connect home drives through that. Thanks for the info!
Posted on 10-05-2017 11:59 AM
@PhillyPhoto we have the same setup as you do, we don't have issues with mapping network drives; but as you may already know the issue is when the user tries to change their AD password, even using the Enterprise Connect App it doesn't work (rumor is the next patch will fix that "10.13.1")
I'm just wondering if you are having the same password issue.
thanks.
Posted on 10-09-2017 03:51 AM
Hi @jconte We are facing similar issues here. Exactly same error message. Did you find something around it?
Hi @osxadmin
For us it's not about changing the password but we get it during logging in. A user who is logging in for the first time on a Mac gets this. Have you tried deleting home folder and logging in as a new user?
We get it on all Macs, for all users.
Thanks,
CS
Posted on 10-09-2017 05:37 AM
@osxadmin Thankfully we don't have a big user base on our AD bound side that likes the latest and greatest right away, so I'm the only one testing 10.13 at the moment. So I can't report any issues with passwords as of yet though.
Posted on 10-09-2017 06:10 AM
macOS doesn't gracefully handle issues with the home directory; it just fails the login. Our Windows estate has a different mechanism in place for mapping user shares, so the homeDirectory attribute SHOULD be blank in our case. Some users tested using that field a long time ago and it wasn't cleared, and one of our configs for binding checked the box to mount that share. Seems to handle a blank attribute fine, but if there's a bad path (or one you don't have permissions to), the login just seems to fail without much of a helpful indication as to why.
Edit: meant to say this has been true since before High Sierra.
Posted on 10-09-2017 06:24 AM
@cindySingh unfortunately I can't do that in our environment with our users (deleting home folder and logging in as a new user), all of our mac users "don't have time" for us, so what I've done is block the upgrade in our environment until Apple releases the patch/fix.
Thanks.
Posted on 10-31-2017 01:18 PM
Well, it seems that today's update to 10.13.1 fixed the UNC path issue and now I am able to bind the machine as expected (with network home locations) without a problem.
One less thing to worry about!