MCX in 10.8 iMacs - not applying on first logon

New Contributor III

Hi all.

I've come across a problem having just updated our iMac lab to 10.8. I tried going down the Configuration profile path, but decided against it for the most part, as it didn't seem to work how we needed it.

So, I've stuck with Managed Preferences, but unfortunately it appears now that no MCX settings apply when a user logs in for the first time. I can fairly well confidently narrow it down to User-level MCX settings that are not applying on first login.

The users authenticate to AD, and all settings come across again on the next login, but it is a bit frustrating in a lab environment. If it makes any difference, the User Experience settings for the AD binding are:
Create mobile account at login - NO Require confirmation before creating a mobile account - NO
Force local home directory on startup disk - YES
Use UNC path from Active Directory to derive network home location - NO Network Protocol to be used: SMB
Default user shell: /bin/bash

Anybody know what would cause the failing mcx application?


Honored Contributor

I saw similar issues recently imaging 10.8 though I didn't think it was an MCX issue as I wasn't applying AD settings through MCX. For me, the AD settings came down as the default settings that Apple has, where we wanted to modify the settings. What I ended up doing was incorporating a script that sets the settings properly at the end of the first boot process (when other software is installed).

Here's the script I'm using:


# Filename:
# Author: Jared F. Nichols
# Purpose: Set AD plugin options after binding

# Enable mobile accounts
dsconfigad -mobile enable >> /var/log/jamf.log

# Disable mobile account creation confirmation
dsconfigad -mobileconfirm disable >> /var/log/jamf.log

# Force local home folder
dsconfigad -localhome enable >> /var/log/jamf.log

# Disable UNC network home paths
dsconfigad -useuncpath disable >> /var/log/jamf.log

# Add FMRCOFMRCODesktopAdmins to administrator group
dsconfigad -groups FMRCO\FMRCODesktopAdmins >> /var/log/jamf.log

# Allow authentication from any Domain in the Forest
dsconfigad -alldomains enable >> /var/log/jamf.log

# Allow packet signing
dsconfigad -packetsign allow >> /var/log/jamf.log

# Allow packet encryption
dsconfigad -packetencrypt allow >> /var/log/jamf.log

New Contributor III

Hi, thanks for that.

From what I can see, the AD settings are coming through OK to the machine, using the Directory Binding configuration in the JSS - Casper Admin tab.

I wasn't sure if there may have been a problem applying the MCX settings for the first time each individual user logs into the machine, because the AD settings I have force a local home drive. I.e - would there be any issue in applying the mcx as it is still creating the local folder at the users' first login?

Just to be clear in my process here, I've been doing the following steps"

  1. Image the computer, with the above mentioned Directory Binding Settings
  2. Login with "student1" account - no MCX applied
  3. Logout and log back in with "student1" account - MCX now correctly applied
  4. Logout and Login with "student2" account - no MCX applied
  5. Logout and log back in with "student2" account - MCX now correctly applied

My only thought is that there is some sort of hang up in creating the local account, but I can't see anything in the logs (not that I'm particularly sure what to look for here either).


Honored Contributor

I do run MCX applied by Casper and my machines are bound to AD during imaging. I've never seen an issue with MCXs applying, however I also have a reboot during the imaging process as I have some packages that install at first boot with the jamfHelper lockout screen. I wonder if you install a package or two with this option if it'll give the machine the opportunity to pull down the MCXs before an actual user logs in.


Valued Contributor II

For mcx on 10.8 I have started looking at Configuration profiles instead of mcx. Apple are moving away from mcx.

I tried mcx and found a lot of things failing or not working properly.

Best to take the plunge into Config profiles on a dev box.

Honored Contributor

Have taken the plunge on config profiles and found them to be woefully lacking. Want to use them, but the granularity of MCX just isn't there. I found them able to do about a quarter of what I'd need them to be capable of.

Hopefully in the next major OS it will be where I need it to be.

Valued Contributor II

I agree, config profiles aren't reliable yet.

For example my deny media access config profile to block all external media devices stopped working.

When denying media access when it did sort of work you could get around it by plugging in a usb, boot the machine and then it mounts!

Apple need to get their act together on this!

All I can say is thank god for mcxToprofile