New JAMF roll out, multiple issues

jardoin1
New Contributor III

Hi all,

I'm looking for any tips at all on setting up mobility with AD integration. I'm seeing log-in times upwards of 2 minutes on machines. I've looked around for a "best practices" guide on setting up mobility with AD integration, but I haven't found much. The setup is fairly small. We have 12 machines right now that should have mobility enabled, there is a single domain controller local to the site, the JSS is in a remote datacenter, and a Synology DiskStation is holding the 'profiles'. The Synology never pings over 3MB on its interface (it's capable of 120'ish MB) and the Macs are sitting at about 5MB of total transfer since I booted them, so I don't think it's a congestion issue. All links are gig throughout. So, ruling out throughput and ruling out IO constraints (the Synology is pushing a fraction of what it is capable of with these drives), what else should I be looking at? I'm eyeballing the AD setup itself as a possible culprit, though the Windows machines boot within 30-50 seconds with the same users, who have redirected folders and roaming profiles. I'm mainly concerned that the JSS setup is hacky, though. I haven't found a good 'best practices' guide for anything dealing with it.

Long-winded, but I need some help. I've been dealing with this in 10+ hour days all week. Thanks!

7 REPLIES

psliequ
Contributor III

You could turn on Open Directory logging and paste the results of a login session into the thread.
Depending on the client OS version follow http://support.apple.com/kb/HT4696 or http://support.apple.com/kb/HT3186
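Once Open Directory logging is on, the useful question is which step of the login stalled. The following is an added example, not part of the thread or of any poster's setup: a small Python script that reads opendirectoryd-style log lines, computes the time between consecutive entries, and reports the largest gaps, since the line before the biggest gap is the step that hung. The log lines are constructed for this example, and the timestamp prefix format (`YYYY-MM-DD HH:MM:SS.ffffff`) is an assumption; adjust `TS_RE` to match the log on your OS version.

```python
import re
import sys
from datetime import datetime

# Constructed sample lines for this example; not real opendirectoryd output.
# Line layout and timestamp prefix are assumptions about the log format.
SAMPLE_LOG = r"""
2013-11-05 08:00:01.000000 - 120.1 - ODSession: authenticate user 'jdoe' via /Active Directory/CORP
2013-11-05 08:00:01.250000 - 120.1 - AD: locating domain controller for CORP
2013-11-05 08:00:01.400000 - 120.1 - AD: using dc01.corp.example (site: HQ)
2013-11-05 08:00:01.900000 - 120.1 - AD: authentication succeeded for 'jdoe'
2013-11-05 08:00:02.000000 - 120.1 - AD: resolving SMBHome \\fileserver\profiles\jdoe
2013-11-05 08:01:32.100000 - 120.1 - AD: SMBHome mount attempt timed out
2013-11-05 08:01:32.300000 - 120.1 - Mobile account: home sync check for 'jdoe'
2013-11-05 08:01:45.600000 - 120.1 - Mobile account: home sync check complete
"""

# Assumed timestamp prefix; change this if your log uses another layout.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6})")


def parse_entries(text):
    """Return (timestamp, line) pairs for every line carrying a timestamp prefix."""
    entries = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            entries.append((ts, line.rstrip()))
    return entries


def largest_gaps(entries, top=3):
    """Return the `top` largest pauses as (seconds, line_before, line_after),
    largest first. The line before a gap is the step that was waiting."""
    gaps = []
    for (t0, l0), (t1, l1) in zip(entries, entries[1:]):
        gaps.append(((t1 - t0).total_seconds(), l0, l1))
    gaps.sort(key=lambda g: g[0], reverse=True)
    return gaps[:top]


def total_seconds(entries):
    """Wall-clock span covered by the parsed entries (0.0 if empty)."""
    if not entries:
        return 0.0
    return (entries[-1][0] - entries[0][0]).total_seconds()


def report(text):
    entries = parse_entries(text)
    print("login session spans %.1f s across %d entries" % (total_seconds(entries), len(entries)))
    for secs, before, after in largest_gaps(entries):
        print("\n%.1f s pause after:\n  %s\nnext entry:\n  %s" % (secs, before, after))


if __name__ == "__main__":
    # Usage: python od_gaps.py < /var/log/opendirectoryd.log
    # With no piped input the constructed sample is analysed instead.
    report(SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read())
```

On the constructed sample the script attributes 90 of the 105 seconds to the SMB home resolution step and another 13 seconds to the home sync check, which is the kind of breakdown worth pasting into a thread like this instead of the raw log.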

alexjdale
Valued Contributor III

Not sure what to tell you. I've read about this issue, and we use AD mobile accounts as well with ~7000 Macs and I haven't heard any reports of this.

However, I am not doing my AD binds through the JSS, it's done outside of that by one of our internal setup apps. What's your "dsconfigad -show" output? Feel free to scrub your domain name.

clifhirtle
Contributor II

@jardoin1 lots of moving parts when you're looking at login lags. I will just +1 @psliequ's comment on OD logging and recommend a couple tweaks that have helped us with mobile devices + wifi connectivity + directory-based auth:

  • Drop the user share mount from login via "dsconfigad -sharepoint disable". This only applies to directories (like AD) that specify an SMBHome or HomeDirectory value in their user schema, but in our environment trying to connect to SMB AD shares only worked about 75% of the time, causing excessive lag on login as users waited for the timeout. We found an on-demand share-mount script on the desktop worked better.
  • Switch from user- to machine-based 802.1X auth. It keeps the Macs connected to wifi pre-login, removing the extra step of directory auth during the already busy user login. There are lots of articles on this, but setup will be unique to each environment. Start with Apple's KB: http://support.apple.com/kb/HT5357 then cross-reference with Mike Boylan's excellent write-up for cert-based protocols: http://www.afp548.com/2012/11/20/802-1x-eaptls-machine-auth-mtlion-adcerts/. This might take a while to get right, but it is well worth it in eliminating support calls for wifi connectivity drops whenever users change passwords or connections hiccup during login.
  • Test different Mobility profile settings, assume inconsistency, and limit sync sizes when possible. Apple's Homesync option is notoriously wonky, and your level of wonk is proportionate to the size and frequency of sync. In our environment, we've got users with large file sizes, so all syncs are set to only occur manually, NOT on login/logout, and only for folders that users specifically opt in to (versus the default all-home-folders setting). ~/Library syncs are particularly problematic, since files can be in use when users are trying to sync. That's just asking for wonk. Friends don't let friends wonk home alone!
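Both alexjdale's request for the "dsconfigad -show" output and clifhirtle's "dsconfigad -sharepoint disable" tip come down to reading the bind settings and spotting the ones that add network round-trips to login. The following is an added example, not code from the thread or from Jamf: a Python script that parses "dsconfigad -show" output into a dictionary and flags the settings relevant to login lag. The sample output is constructed for this example and its setting names follow the layout dsconfigad prints on the OS versions of that era; `<local-dc-fqdn>` is a placeholder, and the preferred-DC check is an optional addition prompted by the single local domain controller the original poster describes.

```python
import sys

# Constructed sample of "dsconfigad -show" output for this example.
SAMPLE_SHOW = """\
Active Directory Forest          = corp.example
Active Directory Domain          = corp.example
Computer Account                 = mac-lab-01$

Advanced Options - User Experience
  Create mobile account at login = Enabled
  Require confirmation           = Disabled
  Force home to startup disk     = Enabled
  Mount home as sharepoint       = Enabled
  Use Windows UNC path for home  = Enabled
  Default user Shell             = /bin/bash

Advanced Options - Administrative
  Preferred Domain controller    = not set
  Allowed admin groups           = not set
  Authentication from any domain = Enabled
  Packet signing                 = allow
  Packet encryption              = allow
  Password change interval       = 14
  Namespace mode                 = domain
"""


def parse_dsconfigad(text):
    """Turn 'Setting name = value' lines into a dict; section headers are skipped."""
    settings = {}
    for line in text.splitlines():
        if " = " not in line:
            continue
        key, value = line.split(" = ", 1)
        settings[key.strip()] = value.strip()
    return settings


def check_login_settings(settings):
    """Return (setting, current value, suggested dsconfigad command) for each
    setting that makes login wait on the network or on a network home."""
    findings = []
    get = settings.get

    # Mounting the AD home share at login blocks until SMB succeeds or times out.
    if get("Mount home as sharepoint") == "Enabled":
        findings.append(("Mount home as sharepoint", "Enabled",
                         "dsconfigad -sharepoint disable"))

    # Mobile accounts are the whole point; if this is off, users are network-only.
    if get("Create mobile account at login") != "Enabled":
        findings.append(("Create mobile account at login",
                         get("Create mobile account at login", "missing"),
                         "dsconfigad -mobile enable"))

    # Without a local home, the home directory itself lives on the network.
    if get("Force home to startup disk") != "Enabled":
        findings.append(("Force home to startup disk",
                         get("Force home to startup disk", "missing"),
                         "dsconfigad -localhome enable"))

    # A confirmation dialog at first login is another stop in the login path.
    if get("Require confirmation") == "Enabled":
        findings.append(("Require confirmation", "Enabled",
                         "dsconfigad -mobileconfirm disable"))

    # Optional: with one DC on site, pinning it avoids DC discovery delays.
    if get("Preferred Domain controller", "not set") == "not set":
        findings.append(("Preferred Domain controller", "not set",
                         "dsconfigad -preferred <local-dc-fqdn>"))
    return findings


if __name__ == "__main__":
    # Usage: dsconfigad -show | python check_bind.py
    # With no piped input the constructed sample is checked instead.
    text = SAMPLE_SHOW if sys.stdin.isatty() else sys.stdin.read()
    parsed = parse_dsconfigad(text)
    print("domain: %s" % parsed.get("Active Directory Domain", "unknown"))
    for name, current, command in check_login_settings(parsed):
        print("%-32s %-10s -> %s" % (name, current, command))
```

Running this against the constructed sample reports only the sharepoint mount and the unset preferred DC, which matches the two replies above: the share mount is the setting both posters turned off first. Each suggested command changes one bind option and can be applied with `sudo` without rebinding the Mac.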

alexjdale
Valued Contributor III

I second the comment on dropping share mounting. We disabled that on the dsconfigad side as well as for most Mac users in AD since it never worked right and would lead to login issues.

If users really need a share, I would have them either just mount it as a favorite or via a login script rather than have it happen automagically. It's one of those things that should work, but at the end of the day you just need to compromise in favor of keeping things running smoothly and reliably.

jardoin1
New Contributor III

So as it turns out, this is actually the problem:

http://macmule.com/2013/10/30/updating-managed-settings-popup-at-login-window/

I'm taking steps now to mitigate. Thanks everybody!

bentoms
Release Candidate Programs Tester

@jardoin1, glad it helped.

Check @rtrouton's link script & search here for how to stop the prompt.

UCOJSSADMIN
New Contributor

@clifhirtle wonk. haha