Network user accounts AD on New MacBook Pros

cbooker
New Contributor III

We are in the testing phase of rolling out new Mac hardware, in particular the 2017 MacBook Pro models, which only have USB Type-C ports. I am able to join the MacBook Pros to our AD domain, but I was wondering if I am missing something when it comes to actually creating the network user accounts on the new MacBook Pro, seeing as the computer needs to have a network connection to see the domain and authenticate to it, but wireless does not work until you are logged into the computer.

In the past I would get around this by simply plugging in the Ethernet cable. But the new MacBook Pro has no Ethernet port. Do I need to purchase the USB-C to Ethernet adapter, or is there some other solution to this problem?

1 ACCEPTED SOLUTION

navek
New Contributor III

You could also create a configuration profile for wireless authentication and domain login. Make sure to put in all the important wireless configuration information. Check the boxes for "Use as a Login Window Configuration" and "Use Directory Authentication".
This requires that your wireless authentication and domain login use the same credentials.

This will allow your users to authenticate to the wireless network and then pass that information to domain authentication. This will allow new users to connect and create their accounts on the machine without using an Ethernet connection.

If the machine is set up with FileVault, you would still need to unlock the drive with a local account first.


4 REPLIES

duffcalifornia
Contributor

An Ethernet adapter is needed, be it USB-C to Ethernet, or a USB-C to USB adapter coupled with Apple's USB Ethernet adapter.

mm2270
Legendary Contributor III

It sounds like you need to make your AD accounts into cached AD mobile accounts. With those in place, the account and password are cached locally and the user can log into the Mac when it's not connected to the network. There are some caveats to be aware of with these, such as: if the Mac is out of contact with the domain for too long (about 30 days by default), it can lose its domain join. There are also sometimes password sync issues to be aware of that can happen with them.
But overall, it's the better option in most cases than strict network AD accounts.

Does that sound like something you'd be able to use in your environment?
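The mobile-account setting mm2270 describes is readable from `dsconfigad -show` on a bound Mac. The script below is an added example, not from this thread: it parses that output (a constructed sample is embedded), reports whether cached mobile accounts are enabled, and shows the `dsconfigad -mobile enable` command that turns them on. It assumes macOS with `dsconfigad` available and sudo rights for the change.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a domain-bound Mac will
# create cached AD mobile accounts at login, and enable them if it will not.

# Pull one "key = value" setting out of `dsconfigad -show` text read from stdin.
# Usage: dsconfigad -show | ad_setting "Create mobile account at login"
ad_setting() {
  awk -F' = ' -v key="$1" '
    { k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k) }
    k == key { print $2; exit }
  '
}

# Returns 0 when the `dsconfigad -show` output on stdin says mobile accounts
# are created at login, 1 otherwise.
mobile_accounts_enabled() {
  [ "$(ad_setting 'Create mobile account at login')" = "Enabled" ]
}

# Constructed sample of what `dsconfigad -show` prints on a bound Mac
# (hostnames and computer account are placeholders).
SAMPLE_SHOW='Active Directory Forest          = corp.example.com
Active Directory Domain          = corp.example.com
Computer Account                 = mbp-001$

Advanced Options - User Experience
  Create mobile account at login = Disabled
  Require confirmation           = Enabled
  Force home to startup disk     = Enabled'

# On a real Mac: read the live settings and fix them if needed.
ensure_mobile_accounts() {
  if ! command -v dsconfigad >/dev/null 2>&1; then
    echo "dsconfigad not found (not macOS?)" >&2
    return 2
  fi
  if dsconfigad -show | mobile_accounts_enabled; then
    echo "mobile accounts already enabled"
    return 0
  fi
  # -mobileconfirm disable skips the "create mobile account?" prompt at first login,
  # so the cached account is created silently when the user first logs in.
  sudo dsconfigad -mobile enable -mobileconfirm disable
}
```

Run `ensure_mobile_accounts` once after binding; the 30-day domain-contact caveat from the reply above still applies to the cached accounts it creates.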

chris_miller
Contributor

We have AD login set up as part of enrollment with devices in DEP. It then auto-magically creates an admin mobile user with the AD credentials we just used. 60% of the time... it works every time. Seriously, though, it has worked really well. The machine is not bound by this process; that happens later.

Currently, the Wi-Fi issue is the same as yours. Looking to set up MDM onboarding in ClearPass or with an SSID that is restricted to the JAMFPro FQDN.