Onboarding Flow, Non-Domain Bound macOS Machines

derek_ritchison
Contributor

Hey there. Interesting predicament, and just wondering if anyone else has experienced this and how you managed a workaround.

We have a RADIUS network that we encourage all users to log into using their OneLogin/AD credentials. However, we do not domain-join our macOS machines, therefore their OneLogin/AD password isn't reset until after they log into their MacBook, navigate to OneLogin, enter their first time "onboarding password," and are then prompted to reset it. Obviously they cannot do this from the RADIUS network, so all first time users are temporarily on a simple password protected WPA2 network. However, this just adds another unnecessary (and confusing) step for new employees on their first day --- "forget" the WPA2 network and sign into the RADIUS network with their new OneLogin/AD password.

Annoying, right? Anyone else experience this less-than-ideal flow before? Anyone have any brilliant solutions or workarounds?


daniel_ross
Contributor III

So it looks like I'm not the only one wanting to get around this issue as well!

Would love to know this as we are similarly set up, however with Okta as our IDP and then on-prem AD for RADIUS.

Hoping to hear some ideas or tricks others use for this.

cainehorr
Contributor III

I'm doing something similar at Okta...

  • My newly deployed devices get [manually] connected to a local guest network.
  • DEP kicks off
  • LDAP auths the user
  • Jamf places the Radius MobileConfig on the device via PreStage Configuration Profiles
  • DEPNotify kicks off on the desktop and does its thing
  • The last thing DEPNotify does prior to Reboot/FV2 is call to a custom trigger that runs this script...
#!/bin/bash

# Remove_Guest_WiFi.sh
# Written by Caine Hörr
# Written on 2019-12-11

# Modify this to meet your needs
Guest_WiFi_SSID="Guest WiFi"

# NO USER SERVICEABLE PARTS BELOW THIS LINE

# Automatically determine the WiFi Interface (ie en0)
NetworkPort=$(/usr/sbin/networksetup -listallhardwareports | /usr/bin/grep -A 1 Wi-Fi | /usr/bin/grep Device | /usr/bin/cut -d' ' -f2)
echo "Network Interface: ${NetworkPort}"

# Bail out rather than pass an empty interface name to networksetup
if [ -z "${NetworkPort}" ]; then
    echo "No Wi-Fi interface found"
    exit 1
fi

# Trim leading whitespace from each listed SSID, then match the guest SSID
# literally and on the whole line (-F -x) so a longer SSID such as
# "Guest WiFi 5GHz" does not also match and break the comparison below
Preferred_Network=$(/usr/sbin/networksetup -listpreferredwirelessnetworks "${NetworkPort}" | /usr/bin/awk '{ $1=$1 };1' | /usr/bin/grep -i -x -F "${Guest_WiFi_SSID}")

if [ "${Preferred_Network}" == "${Guest_WiFi_SSID}" ]; then
    /usr/sbin/networksetup -removepreferredwirelessnetwork "${NetworkPort}" "${Preferred_Network}"
fi

exit 0

The device reboots and now the only WiFi SSID available is the Radius WiFi.

The end user never has to think about which WiFi SSID they are connected to.

Kind regards,

Caine Hörr

A reboot a day keeps the admin away!
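The failure mode in the flow above is forgetting the guest SSID before the RADIUS profile has actually landed, which leaves a freshly enrolled MacBook with no network at all. The script below is an added example, not cainehorr's script or anything from Jamf or Okta: it parses the output of `networksetup -listallhardwareports` and `networksetup -listpreferredwirelessnetworks` in pure shell functions, only forgets the guest SSID when the enterprise SSID is already in the preferred list, and runs a dry run against constructed sample output when `networksetup` is not on the machine (so the decision logic can be checked off a Mac). The SSID names `Guest WiFi` and `Corp-802.1X` are assumptions to be replaced with your own.

```shell
#!/bin/sh
# Added example: forget the guest SSID only once the 802.1X SSID is present.
# Not the original poster's script; networksetup output formats are parsed
# with awk so the decision logic can be exercised offline.

GUEST_SSID="Guest WiFi"     # assumption: the bootstrap/guest SSID
RADIUS_SSID="Corp-802.1X"   # assumption: the SSID delivered by the RADIUS profile

# Print the Wi-Fi device name (e.g. en0) from -listallhardwareports output on stdin.
wifi_device_from_ports() {
    awk '/^Hardware Port: Wi-Fi$/ { want = 1; next }
         want && /^Device: /      { print $2; exit }
         /^Hardware Port:/        { want = 0 }'
}

# Exit 0 if the -listpreferredwirelessnetworks text on stdin lists exactly SSID $1.
# The header line is skipped, leading whitespace stripped, and the comparison is
# a literal string compare (no regex, no substring match).
has_preferred_network() {
    awk -v ssid="$1" 'NR > 1 { sub(/^[[:space:]]+/, ""); if ($0 == ssid) found = 1 }
                      END { exit found ? 0 : 1 }'
}

# Decide what to do with the guest SSID given the preferred-network text in $1:
#   absent - guest SSID is not in the list, nothing to do
#   keep   - guest SSID present but enterprise SSID missing; removing it would strand the device
#   remove - both present, safe to forget the guest SSID
decide_guest_removal() {
    if ! printf '%s\n' "$1" | has_preferred_network "$GUEST_SSID"; then
        echo "absent"
    elif printf '%s\n' "$1" | has_preferred_network "$RADIUS_SSID"; then
        echo "remove"
    else
        echo "keep"
    fi
}

# Constructed sample output, mirroring the real command formats, for the dry run.
SAMPLE_PORTS='Hardware Port: Ethernet
Device: en1
Ethernet Address: 00:00:00:00:00:01

Hardware Port: Wi-Fi
Device: en0
Ethernet Address: 00:00:00:00:00:02
'
SAMPLE_PREFERRED='Preferred networks on en0:
	Guest WiFi
	Corp-802.1X
'

main() {
    if ! command -v networksetup >/dev/null 2>&1; then
        echo "networksetup not available; dry run against constructed sample output"
        dev=$(printf '%s' "$SAMPLE_PORTS" | wifi_device_from_ports)
        echo "Wi-Fi device: $dev; decision: $(decide_guest_removal "$SAMPLE_PREFERRED")"
        return 0
    fi
    dev=$(/usr/sbin/networksetup -listallhardwareports | wifi_device_from_ports)
    [ -n "$dev" ] || { echo "No Wi-Fi interface found"; return 1; }
    list=$(/usr/sbin/networksetup -listpreferredwirelessnetworks "$dev")
    case "$(decide_guest_removal "$list")" in
        remove) /usr/sbin/networksetup -removepreferredwirelessnetwork "$dev" "$GUEST_SSID" ;;
        keep)   echo "$RADIUS_SSID not in preferred list yet; keeping $GUEST_SSID" ;;
        absent) echo "$GUEST_SSID not present; nothing to do" ;;
    esac
}

main "$@"
```

Wired into the same DEPNotify custom trigger, the `keep` branch is the one worth logging to Jamf: it means the PreStage profile did not install, and the device should not be rebooted onto a network it cannot join.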