I've come across a problem having just updated our iMac lab to 10.8. I tried going down the Configuration profile path, but decided against it for the most part, as it didn't seem to work how we needed it.
So, I've stuck with Managed Preferences, but unfortunately it appears now that no MCX settings apply when a user logs in for the first time. I can fairly well confidently narrow it down to User-level MCX settings that are not applying on first login.
The users authenticate to AD, and all settings come across again on the next login, but it is a bit frustrating in a lab environment. If it makes any difference, the User Experience settings for the AD binding are:
Create mobile account at login - NO
Require confirmation before creating a mobile account - NO
Force local home directory on startup disk - YES
Use UNC path from Active Directory to derive network home location - NO
Network Protocol to be used: SMB
Default user shell: /bin/bash
Anybody know what would cause the failing mcx application?
I saw similar issues recently imaging 10.8 though I didn't think it was an MCX issue as I wasn't applying AD settings through MCX. For me, the AD settings came down as the default settings that Apple has, where we wanted to modify the settings. What I ended up doing was incorporating a script that sets the settings properly at the end of the first boot process (when other software is installed).
Here's the script I'm using:
#!/bin/sh
# Filename: ADsettings.sh
# Author: Jared F. Nichols
# Purpose: Set AD plugin options after binding

# Enable mobile accounts
dsconfigad -mobile enable >> /var/log/jamf.log

# Disable mobile account creation confirmation
dsconfigad -mobileconfirm disable >> /var/log/jamf.log

# Force local home folder
dsconfigad -localhome enable >> /var/log/jamf.log

# Disable UNC network home paths
dsconfigad -useuncpath disable >> /var/log/jamf.log

# Add FMRCO\FMRCODesktopAdmins to administrator group
# (quoted so the shell does not strip the backslash)
dsconfigad -groups 'FMRCO\FMRCODesktopAdmins' >> /var/log/jamf.log

# Allow authentication from any Domain in the Forest
dsconfigad -alldomains enable >> /var/log/jamf.log

# Allow packet signing
dsconfigad -packetsign allow >> /var/log/jamf.log

# Allow packet encryption
dsconfigad -packetencrypt allow >> /var/log/jamf.log
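A post-imaging check for the settings that script applies, as an added example that is not part of the original post: it parses `dsconfigad -show` output and reports any value that is missing or differs from what was intended. The label strings and the sample output are constructed from the usual `label = value` layout of that command and are assumptions; adjust them to what your OS version prints.

```shell
#!/bin/sh
# Added example: verify AD plugin options after ADsettings.sh has run.
# Assumption: labels follow the "label = value" lines of `dsconfigad -show`.
EXPECTED='Create mobile account at login=Enabled
Require confirmation=Disabled
Force home to startup disk=Enabled
Use Windows UNC path for home=Disabled
Authentication from any domain=Enabled
Packet signing=allow
Packet encryption=allow'
# Constructed sample of `dsconfigad -show` output, used when run off a Mac.
SAMPLE='Active Directory Domain          = example.com
Advanced Options - User Experience
  Create mobile account at login = Enabled
     Require confirmation        = Disabled
  Force home to startup disk     = Enabled
  Use Windows UNC path for home  = Disabled
Advanced Options - Administrative
  Authentication from any domain = Enabled
  Packet signing                 = allow
  Packet encryption              = allow'

# Reads `dsconfigad -show` text on stdin; prints one line per missing or
# drifted setting and returns non-zero if any were found.
check_ad_settings() {
    EXPECTED="$EXPECTED" awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    BEGIN {
        n = split(ENVIRON["EXPECTED"], rows, "\n")
        for (i = 1; i <= n; i++) {
            eq = index(rows[i], "=")
            keys[i] = substr(rows[i], 1, eq - 1)
            want[keys[i]] = substr(rows[i], eq + 1)
        }
    }
    (eq = index($0, "=")) {
        k = trim(substr($0, 1, eq - 1))
        if (k in want) seen[k] = trim(substr($0, eq + 1))
    }
    END {
        for (i = 1; i <= n; i++) {
            k = keys[i]
            if (!(k in seen)) { print "MISSING " k; bad++ }
            else if (seen[k] != want[k]) { print "DRIFT " k ": got " seen[k] ", want " want[k]; bad++ }
        }
        exit (bad > 0)
    }'
}
# On a bound Mac this checks the live settings; elsewhere it checks SAMPLE.
if command -v dsconfigad >/dev/null 2>&1; then src=$(dsconfigad -show); else src=$SAMPLE; fi
printf '%s\n' "$src" | check_ad_settings || echo "AD plugin settings differ from expected" >&2
```

Run at the end of the first-boot workflow, a non-zero exit shows that the binding fell back to default options before any user logs in.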
Hi, thanks for that.
From what I can see, the AD settings are coming through OK to the machine, using the Directory Binding configuration in the JSS - Casper Admin tab.
I wasn't sure if there may have been a problem applying the MCX settings the first time each individual user logs into the machine, because the AD settings I have force a local home drive. I.e., would there be any issue in applying the MCX while it is still creating the local folder at the user's first login?
Just to be clear on my process here, I've been doing the following steps:
My only thought is that there is some sort of hang up in creating the local account, but I can't see anything in the logs (not that I'm particularly sure what to look for here either).
I do run MCX applied by Casper and my machines are bound to AD during imaging. I've never seen an issue with MCXs applying, however I also have a reboot during the imaging process as I have some packages that install at first boot with the jamfHelper lockout screen. I wonder if you install a package or two with this option if it'll give the machine the opportunity to pull down the MCXs before an actual user logs in.
I agree, config profiles aren't reliable yet.
For example, my deny media access config profile to block all external media devices stopped working.
When denying media access did sort of work, you could get around it by plugging in a USB, booting the machine, and then it mounts!
Apple need to get their act together on this!
All I can say is thank God for mcxToProfile.