Mobile, Managed Accounts broken in Mojave

gmendez
New Contributor II

We are preparing to deploy our JamfPro, but for now we are in a pure AD environment with Macs bound to AD. This is our environment for the time being, and is what we must work with.

We ran into a problem with some users who have been given brand new MBPs running Mojave. When connected to the corporate network they work fine. But when not connected they are unable to log in to their Mac, even though they are set up with Mobile, Managed accounts. In our environment no users have Admin Rights, and that will not change. None of our users on High Sierra have this problem, so I'm beginning to think that it is something new in Mojave.

Can anyone tell me if you've encountered this problem, and if so, how did you address it? Our last-ditch resort, and we really don't want to have to go there, will be to downgrade all of our Macs to High Sierra, and keep them there until this can be resolved.

Your constructive input is greatly appreciated.

Gene ...

7 REPLIES

jrwilcox
Contributor

We have not had issues with this, although we are no longer using JAMF. We are bound to AD and use mobile accounts. We have not updated our entire fleet but we have about 500 devices set up with Mojave.

kowsar_ahmed
Contributor

Hi,

Are the Macs in question encrypted? And have the users recently changed their passwords (since logging onto Mojave)? We are having issues with AD users: once the users change passwords, the FileVault screen does not update. On the network, they can log in via the logon screen but cannot when off the network; something is not updating.

In Terminal, run:

sudo diskutil apfs updatePreboot /

This resolves most of them; however, some still don't work, but they are all encrypted, and we end up removing and re-adding the user to FileVault, and that syncs everything up.

sudo fdesetup list -users
Copy the username.
sudo fdesetup remove -user usernameofuser
sudo fdesetup add -usertoadd usernameofuser
You'll get prompted to enter the username and password of a secure token administrator (local admin) and then get prompted to enter the user's AD password (enter the latest one).
Restart and that will fix it.
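
An added example, not written by any poster in this thread: shell functions that classify a user from `fdesetup list` and `dscl` AuthenticationAuthority output, to decide whether the FileVault steps above apply to that account. The function names and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example. All sample data below is constructed, not from the thread.

# Constructed sample of `fdesetup list` output: one "user,UUID" pair per line.
SAMPLE_FDE_LIST='localadmin,11111111-2222-3333-4444-555555555555
jdoe,AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE'

# Constructed sample of `dscl . -read /Users/jdoe AuthenticationAuthority`
# for a cached AD (mobile) account.
SAMPLE_AUTH_AUTHORITY='AuthenticationAuthority: ;LocalCachedUser;/Active Directory/EXAMPLE/example.com:jdoe:AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE ;Kerberosv5;;jdoe@LKDC:SHA1.0000;LKDC:SHA1.0000'

# Return 0 if user $1 appears as an exact match in the fdesetup list text $2.
is_filevault_user() {
    printf '%s\n' "$2" | awk -F, -v u="$1" '$1 == u { found = 1 } END { exit !found }'
}

# Return 0 if the AuthenticationAuthority text $1 marks a cached mobile account.
is_mobile_account() {
    case "$1" in
        *";LocalCachedUser;"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a triage result for user $1, given fdesetup list text $2
# and AuthenticationAuthority text $3.
triage() {
    if ! is_mobile_account "$3"; then
        echo "not-mobile"            # no locally cached account record
    elif is_filevault_user "$1" "$2"; then
        echo "refresh-filevault"     # candidate for updatePreboot / remove and re-add
    else
        echo "mobile-no-filevault"   # the FileVault steps do not apply to this user
    fi
}

# On a Mac, pass live output instead of the samples:
#   triage "$u" "$(sudo fdesetup list)" "$(dscl . -read "/Users/$u" AuthenticationAuthority)"
```
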

gmendez
New Contributor II

@kowsar.ahmed, thanks for the suggestions. We will give it a try. Also, the MBPs in question have FileVault turned off. I will post a progress update as soon as we can.

MBrownUoG
Contributor

Hey folks. Just to bump this thread as I'm running into the same problem here with MacBooks on Mojave.

AD logins work fine when on the network, but fail to cache when the user disconnects. I'm on Jamf 10.8 and have the usual Mobility policy set to create mobile accounts on login for MacBooks, but the functionality seems to have broken completely. The devices themselves are not encrypted at the moment, and the user I checked hadn't changed his password in months.

Has anybody else come across this?

lmeinecke
New Contributor III

The issue where AD account password changes are not syncing to the mobile/managed account is fixed in 10.14.4 (beta3). I filed a bug about it and yesterday was updated by Apple that they fixed it.

a_hebert
New Contributor III

We noticed it with an upgrade from 10.13 to 10.14. I did a test where I went from 10.12.6 to 10.14.2 and it didn't do it. I had a computer doing it and I did a recovery on it. It had 10.14 on it; I went to internet recovery and just reloaded 10.14.2, and the issue went away.

MBrownUoG
Contributor

Whoops, posted response to Jamf support in here by mistake. Ignore this :)