Posted on 02-02-2017 07:58 AM
We are in the testing phase of rolling out new Mac hardware, in particular the new MacBook Pro 2017 model, which only has USB Type C ports. I am able to join the MacBook Pros to our AD domain, but I was wondering if I am missing something when it comes to actually creating the network user accounts on the new MacBook Pro, seeing as the computer needs to have a network connection to see the domain and authenticate to it, but wireless does not work until you are logged into the computer.
In the past I would get around this by simply plugging in the ethernet cable. But the new MacBook Pro has no ethernet port. Do I need to purchase the USB-C to ethernet adapter, or is there some other solution to this problem?
Posted on 02-02-2017 08:19 AM
For us, we ran into this same problem when we were domain joining MacBooks (Airs/Pros) that have no wired connection. We needed to have the Wifi connection available for the initial logon for the User. What we do is have a configuration profile that connects to our Enterprise Wifi with the machine Active Directory Account then switches over once the user logs in. This makes the wireless connection available to us before a user login.
Posted on 02-03-2017 08:51 AM
For the couple of 2016 MBPt's we have: we netboot to image, login to AD, and give our users the iClever USB-C ethernet and 3-port USB3 hub. Has worked well so far.
Posted on 02-03-2017 09:12 AM
@mellamo Could you please provide details on how your WIFI configuration profile is configured? I'm planning on implementing that in our company.
Thank you in advance.
Posted on 02-03-2017 10:11 AM
@mellamo Could you provide more detail on how your configuration profile is set up? I had no idea you could do that and log in to Wifi with a machine AD account.
Posted on 02-03-2017 12:49 PM
@cbooker We are using the usb-c adapters as well.
Posted on 02-04-2017 08:49 AM
You can see this article; it is a little outdated for Lion, but this is pretty close: https://www.afp548.com/2012/11/20/802-1x-eaptls-machine-auth-mtlion-adcerts/
Posted on 02-09-2017 06:42 AM
@mellamo Could you please provide details on how your WIFI configuration profile is configured? I'm really interested.
Have a great day!
Posted on 02-09-2017 11:06 AM
I have been able to successfully get this to work now after a lot more research. Turns out the key ingredient that I was missing from my network config profile was the certificates. Make sure you add your AD network certificates to the payload of the config profile and mark them as trusted in the trust tab next to protocols. After I made this change I was able to log in via wifi with a new user account without the network cable plugged in.
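An added example, not part of the post above and not cbooker's actual profile: a Python check that an exported .mobileconfig's 802.1X Wi-Fi payload trusts a certificate that is really embedded in the same profile and is set up for pre-login use. It assumes Apple's configuration profile key names (`com.apple.wifi.managed`, `EAPClientConfiguration`, `PayloadCertificateAnchorUUID`, `SetupModes`); the sample profile, SSID and UUIDs are constructed.

```python
import plistlib

# Certificate payload types a Wi-Fi payload can use as trust anchors.
CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1",
              "com.apple.security.pem"}

def audit_wifi_trust(profile_bytes):
    """Return findings for every 802.1X Wi-Fi payload in a .mobileconfig."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    cert_uuids = {p.get("PayloadUUID") for p in payloads
                  if p.get("PayloadType") in CERT_TYPES}
    findings = []
    for p in payloads:
        eap = p.get("EAPClientConfiguration")
        if p.get("PayloadType") != "com.apple.wifi.managed" or eap is None:
            continue  # not a Wi-Fi payload, or not an 802.1X network
        ssid = p.get("SSID_STR", "?")
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors:
            findings.append(f"{ssid}: no trusted certificate anchors")
        for uuid in anchors:
            if uuid not in cert_uuids:
                findings.append(f"{ssid}: anchor {uuid} has no certificate payload")
        # Without System or Loginwindow mode the network is only joined after login.
        if not set(p.get("SetupModes", [])) & {"System", "Loginwindow"}:
            findings.append(f"{ssid}: not available before user login")
    return findings

def sample_profile(with_trust):
    """Constructed sample profile; the certificate bytes are a placeholder."""
    eap = {"AcceptEAPTypes": [25]}  # 25 = PEAP
    content = []
    if with_trust:
        eap["PayloadCertificateAnchorUUID"] = ["CERT-0001"]
        content.append({"PayloadType": "com.apple.security.root",
                        "PayloadUUID": "CERT-0001",
                        "PayloadContent": b"constructed placeholder"})
    content.append({"PayloadType": "com.apple.wifi.managed",
                    "PayloadUUID": "WIFI-0001", "SSID_STR": "ExampleCorp",
                    "EncryptionType": "WPA2", "SetupModes": ["Loginwindow"],
                    "EAPClientConfiguration": eap})
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": content})

if __name__ == "__main__":
    for label, trusted in (("with certificates", True), ("without", False)):
        print(label, "->", audit_wifi_trust(sample_profile(trusted)) or "OK")
```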
Posted on 02-09-2017 11:51 AM
@cbooker I see you're using LEAP/PEAP; at the time your above profile is installing, is the machine then already bound to the domain? I'm assuming that would be required for the "Use Directory Authentication" bit to work, if this is installed as a Computer-level profile (but how did you bind then if you're not connected)? Or, does the connection use the users' credentials from their login to authenticate to the wireless (RADIUS?)?
Posted on 02-09-2017 12:04 PM
@cbooker Thank you very much!
Posted on 02-10-2017 10:27 AM
@KSchroeder Yes, the MacBook Pro is already bound to the domain. And you would need that first for the "Use Directory Authentication" to work. We don't have problems with binding to AD while connected, and I don't mind doing that since it is a one-time ordeal. But our laptops here get used by multiple users. And requiring each new laptop user to plug into the network to log in for the first time became problematic. This makes my life a lot easier and makes things more seamless for the users.