Open Directory - Force Network Accounts to be Mobile Accounts

rjeffers
New Contributor

I'm trying to find out if it is possible to use Casper to force an Open Directory network account user to log in with a mobile account. We currently use Casper to bind the computers to Open Directory, but I can't find any settings having to do with mobile accounts.

Thank you for any assistance you can provide.

1 ACCEPTED SOLUTION

jonmacguru
New Contributor II

Since this option is typically managed from within OD, here is what we have done to enable "mobile accounts" for users on a new OD deployment.

First, Apple's method is to use a mobileconfig profile along with Profile Manager as part of OS X Server, and this will work, but since we are using the JSS to do our MDM, we decided to leave the JSS out of the equation and just enable Mobile Accounts for one of the OD groups. If you do this, then any user that is in that group will be prompted to create a Mobile User Account when they log in to a Mac that is bound to OD.

You have 2 options to set up the Mobile Account preferences within an OD Group. You can use Workgroup Manager (as long as you copy it to any 10.10 or 10.11 server, since you can't install it there, as Apple's installer will complain; so install it on 10.9 and copy it to your newer server). Or you can use Directory Utility to add the MCX plist entries.

If you use Workgroup Manager, just select the Group, then click Preferences (the prefs icon in the top icon bar), and you will see all of the icons in the Overview pane. Click on "Mobility", and turn on the options you think you will need (you can see ours in the pictures below). Then save those settings and you are done.

If you use Directory Utility, do the following.

  1. Open Directory Utility, select the node /LDAPv3/127.0.0.1
  2. Select Viewing of "Groups"
  3. Select your Group
  4. Click the Plus button to Add the Attribute (MCXFlags), and paste in the first xml info below.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
     <key>has_mcx_settings</key>
     <true/>
</dict>
</plist>
  5. Then add a 2nd attribute (MCXSettings) and paste in the xml below
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
     <key>mcx_application_data</key>
     <dict>
          <key>com.apple.MCX</key>
          <dict>
               <key>Forced</key>
               <array>
                    <dict>
                         <key>mcx_preference_settings</key>
                         <dict>
                              <key>cachedaccounts.WarnOnCreate.allowNever</key>
                              <true/>
                              <key>com.apple.cachedaccounts.CreateAtLogin</key>
                              <true/>
                              <key>com.apple.cachedaccounts.CreatePHDAtLogin</key>
                              <false/>
                              <key>com.apple.cachedaccounts.WarnOnCreate</key>
                              <true/>
                         </dict>
                    </dict>
               </array>
          </dict>
     </dict>
</dict>
</plist>

  6. Save it and restart OD. Now Mobile Users are enabled for that OD Group.
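The two attributes in the steps above (MCXFlags and MCXSettings) are ordinary XML property lists, so they can be generated and audited with Python's standard-library plistlib instead of being hand-edited. The script below is an added example written for this thread; it is not code from the post, from Jamf or from Apple. It builds the same MCXFlags/MCXSettings pair the post pastes in, and it reads a pair back (the sample values are the post's XML embedded inline; on a bound Mac you would obtain the live values from the directory, for example with `dscl . -read /Groups/<group> MCXSettings`, which is assumed here and not shown) to report which cachedaccounts keys are actually forced on the group.

```python
"""Generate and audit Open Directory MCX "Mobility" settings for a group.

Added example for the thread above; not the post's, Jamf's or Apple's code.
Both attributes are XML plists, so plistlib handles them directly.
"""
import plistlib

MCX_DOMAIN = "com.apple.MCX"
CACHED_ACCOUNT_KEYS = (
    "cachedaccounts.WarnOnCreate.allowNever",
    "com.apple.cachedaccounts.CreateAtLogin",
    "com.apple.cachedaccounts.CreatePHDAtLogin",
    "com.apple.cachedaccounts.WarnOnCreate",
)

# Constructed sample: the MCXFlags value from the post, verbatim.
SAMPLE_MCXFLAGS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
     <key>has_mcx_settings</key>
     <true/>
</dict>
</plist>
"""

# Constructed sample: the MCXSettings value from the post, verbatim.
SAMPLE_MCXSETTINGS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
     <key>mcx_application_data</key>
     <dict>
          <key>com.apple.MCX</key>
          <dict>
               <key>Forced</key>
               <array>
                    <dict>
                         <key>mcx_preference_settings</key>
                         <dict>
                              <key>cachedaccounts.WarnOnCreate.allowNever</key>
                              <true/>
                              <key>com.apple.cachedaccounts.CreateAtLogin</key>
                              <true/>
                              <key>com.apple.cachedaccounts.CreatePHDAtLogin</key>
                              <false/>
                              <key>com.apple.cachedaccounts.WarnOnCreate</key>
                              <true/>
                         </dict>
                    </dict>
               </array>
          </dict>
     </dict>
</dict>
</plist>
"""


def build_mcx_flags(enabled: bool = True) -> bytes:
    """Return the MCXFlags plist; has_mcx_settings tells clients to read MCXSettings."""
    return plistlib.dumps({"has_mcx_settings": enabled}, fmt=plistlib.FMT_XML)


def build_mobility_settings(create_at_login: bool = True,
                            create_phd_at_login: bool = False,
                            warn_on_create: bool = True,
                            allow_never: bool = True) -> bytes:
    """Return an MCXSettings plist forcing the four cachedaccounts keys from the post.

    The defaults reproduce the post's choices: create a mobile account at login,
    no Portable Home Directory, and let the user decline ("allow never").
    """
    prefs = {
        "cachedaccounts.WarnOnCreate.allowNever": allow_never,
        "com.apple.cachedaccounts.CreateAtLogin": create_at_login,
        "com.apple.cachedaccounts.CreatePHDAtLogin": create_phd_at_login,
        "com.apple.cachedaccounts.WarnOnCreate": warn_on_create,
    }
    doc = {"mcx_application_data": {MCX_DOMAIN: {
        # "Forced" entries are applied on every login; the post uses only Forced.
        "Forced": [{"mcx_preference_settings": prefs}]}}}
    return plistlib.dumps(doc, fmt=plistlib.FMT_XML)


def flags_enable_mcx(mcx_flags: bytes) -> bool:
    """True when MCXFlags carries has_mcx_settings=true."""
    return bool(plistlib.loads(mcx_flags).get("has_mcx_settings"))


def effective_mobility_policy(mcx_flags: bytes, mcx_settings: bytes) -> dict:
    """Merge every Forced cachedaccounts key in MCXSettings into one dict.

    Raises ValueError when MCXFlags is not set, since the post adds both
    attributes together and a group with only MCXSettings is incomplete.
    """
    if not flags_enable_mcx(mcx_flags):
        raise ValueError("MCXFlags lacks has_mcx_settings; group is not MCX-enabled")
    domain = plistlib.loads(mcx_settings)["mcx_application_data"].get(MCX_DOMAIN, {})
    policy = {}
    for entry in domain.get("Forced", []):
        for key, value in entry.get("mcx_preference_settings", {}).items():
            if key in CACHED_ACCOUNT_KEYS:
                policy[key] = value
    return policy


def forces_mobile_account(policy: dict) -> bool:
    """True when members will be offered/forced a mobile account at login."""
    return bool(policy.get("com.apple.cachedaccounts.CreateAtLogin"))


if __name__ == "__main__":
    print(effective_mobility_policy(SAMPLE_MCXFLAGS, SAMPLE_MCXSETTINGS))
    print(build_mobility_settings().decode())
```

Running the audit over values read back from the directory is a quick way to confirm that a restart of OD actually published the intended keys, and to spot a group that carries MCXSettings without the matching MCXFlags. Keep in mind what the setting does on the client: a mobile account creates a local user record with cached directory credentials on each Mac the user logs in to, so the set of machines holding that user's password hash grows with every login.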

rjeffers
New Contributor

Wow! Thanks for all the info! I think we'll be using Workgroup Manager. It's unfortunate that Apple seems to be doing away with Workgroup Manager, even though it still seems like the best option for some issues.