OS X 10.11 El Cap: Cannot create managed mobile accounts

dstranathan
Valued Contributor II

I am unable to create managed mobile accounts or log in to OS X 10.11.x-based Macs using Managed Mobile accounts.

I have seen other posts regarding similar issues, but this appears to be fairly new and specific to only 10.11 El Capitan. It is 100% reproducible in my test lab. Other fixes and workarounds mentioned in other similar posts do not resolve this issue.

I have seen this issue in both OS X 10.11.1 and OS X 10.11.2.

Fails for both logging in at the OS X Loginwindow GUI for the first time as well as from the createmanagedmobileaccount command.

AD is working fine. I can look up users and groups, traverse AD via the Directory Utility app and via the dscl commandline tool too.

I can log in locally via Terminal and SSH using AD credentials.

OS X refuses to create a local account and homedir in /Users for Managed Mobile accounts.

Error:

md15q119g7v:~ admin$ sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -v -n dds
createmobileaccount built Oct 23 2015 21:47:59
verbose output on.
user name = "dds"
home path = "(null)"
user password = "(null)"
prompt for password = FALSE
encrypt new home = FALSE
create as external account = TRUE
home sync new account = FALSE
effective home path = /Users/dds
2015-12-09 10:30:27.186 createmobileaccount[638:8324] MCXCCreateMobileAccount(): Failed to create account. Error = -6304 (mobile account file path is either not a directory or could not be properly created). Cleaning up mobile account record.
* mobile account could not be created: -6304 (MCXCCreateMobileAccount(): [newUser createHomeDirectory] failed)

Screenshots below:

GUI: [screenshot]

CLI: [screenshot]


AVmcclint
Honored Contributor

If I'm reading that correctly, you have to make sure that your users have home paths defined in Active Directory. Make sure it is in the form of \\server.domain.com\users\name (or however your particular server structure is configured). I've seen many times if you are only using the hostname and not a FQDN it will fail. And make sure that path exists BEFORE logging in on the Mac.

dstranathan
Valued Contributor II

Ruh Roo Raggy!

Desktop team was knee-deep in imaging 10.11 today. I got called out of meetings and into the trenches.

I think I have created (and solved) my own problem. Love it when that happens.

Bottom line: Looks like my imaging workflow is broken in 10.11 El Cap.

I had a routine in DeployStudio (and in a JAMF test lab) that was replacing the Apple OEM User Template with my customized User Template package (a holdover from my old 2013 monolithic days actually - I know, I know... don't scold me. Mamma raised me better)

Anyway... The script was nuking the Apple User Template but not installing my custom User Template. So therefore no User Template existed at all. Oops. That's no good...

All of this is, of course, due to OS X 10.11 El Cap's SIP (System Integrity Protection, AKA "rootless mode").

I'm not sure why my scripts/packages had permissions to delete a directory in /System/Library, but not write to the same directory. Need to look into that. End result was the Apple User Template went bye-bye.

I turned off SIP on a test Mac and everything worked. So I know it's a 10.11 issue for sure. I re-enabled it back. I have no plans to run 10.11 El Cap in production without SIP (unless I find some darn compelling reasons from this community, etc.)

I know Apple is encouraging us all to leave the User Template alone in favor of other, more dynamic management methods (Profiles, etc.), but I kinda wanna keep my hot-rodded User Template around for a couple months as I get a grip on exactly what I need to tweak with JAMF. I'm still not live with JAMF here yet. Still running DS, OD/MCX, etc. Need a bit more time to play with JAMF before I change all my paradigms.

How are you guys handling/leveraging the User Template in 10.11? Is it really 100% hands-off at this point? Or are there ways to wedge the User Template into an OS X 10.11 image before the all-powerful SIP gods are woken?

rtrouton
Release Candidate Programs Tester

@dstranathan,

Just to make sure I'm understanding this, are you doing the following?

  1. Removing /System/Library/User Template
  2. Replacing it with your own /System/Library/User Template directory

Or are you doing the following?

  1. Removing /System/Library/User Template/English.lproj
  2. Replacing it with your own /System/Library/User Template/English.lproj directory

dstranathan
Valued Contributor II

@rtrouton I should have clarified.

Currently, I nuke the entire User Template folder and its contents. I replace it with a "curated" User Template that contains (2) subdirs:

-English.lproj
-Non_localized

Then the script recursively pushes perms (with chmod & chown as needed) to make sure the new User Template matches Apple's perms.

This has worked awesome for me in my DeployStudio runtime since around the OS X 10.6 days. Worked OK in a JAMF test lab on 10.10.5, too.

I find that I have more granular control by setting everything on a clean system and surgically inserting into my own curated User Template. I update it about once every 12-18 months (or until there is a glaring issue or change that I need to resolve.) It takes a little work, but it's not too bad, and I love the results (or at least I used to).

Which begs the question...

Does the option to "Fill User Templates (FUT)" still work in 10.11 El Cap? If so, how exactly is JAMF modifying the User Template? Even if the agent runs as root it should not be able to make changes to the User Template, correct?

rtrouton
Release Candidate Programs Tester

@dstranathan,

OK, since you're removing the whole User Template folder, you're going to have a bad time with SIP. As a number of folks have found, you can remove a SIP-whitelisted directory but you cannot later add it back without first disabling SIP.

If you're going to modify the user template, I suggest modifying only English.lproj and Non_localized and leave the /System/Library/User Template directory otherwise untouched.
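The approach rtrouton describes, written out as an added shell example (this is not code from the thread, from DeployStudio or from JAMF): it replaces only the English.lproj and Non_localized children, pushes ownership and modes onto them the way dstranathan's script does, and refuses to run if the parent User Template directory is already gone, because under SIP a removed protected directory cannot be recreated without disabling SIP. TEMPLATE_ROOT, TEMPLATE_OWNER, the 755/644 modes and all function names are assumptions chosen for illustration; check the modes against a clean 10.11 install before using them.

```shell
#!/bin/sh
# Hypothetical helper: refresh the User Template's child folders without
# touching the SIP-protected parent directory. Assumed names/values throughout.
set -eu

# Parent directory to preserve (override for testing on a scratch tree).
TEMPLATE_ROOT="${TEMPLATE_ROOT:-/System/Library/User Template}"
# Ownership applied to the replaced children (root:wheel on a real Mac).
TEMPLATE_OWNER="${TEMPLATE_OWNER:-root:wheel}"

# Returns 0 if csrutil reports SIP enabled (macOS only; used for a hint).
sip_enabled() {
    csrutil status 2>/dev/null | grep -q 'enabled'
}

# replace_child STAGED_DIR NAME
# Swaps TEMPLATE_ROOT/NAME for STAGED_DIR/NAME, then pushes perms recursively
# (assumed Apple-like defaults: TEMPLATE_OWNER, 755 directories, 644 files).
replace_child() {
    src="$1/$2"
    dst="$TEMPLATE_ROOT/$2"
    [ -d "$src" ] || { echo "missing staged folder: $src" >&2; return 1; }
    rm -rf "$dst"
    cp -R "$src" "$dst"
    chown -R "$TEMPLATE_OWNER" "$dst"
    find "$dst" -type d -exec chmod 755 {} +
    find "$dst" -type f -exec chmod 644 {} +
}

# Layout the thread recommends: parent present, both children present.
template_layout_ok() {
    [ -d "$TEMPLATE_ROOT" ] &&
    [ -d "$TEMPLATE_ROOT/English.lproj" ] &&
    [ -d "$TEMPLATE_ROOT/Non_localized" ]
}

# deploy_user_template STAGED_DIR
# STAGED_DIR holds curated English.lproj and Non_localized folders. The parent
# is never removed or recreated; if it is missing, stop instead of failing later
# at first login with a createmobileaccount -6304 style error.
deploy_user_template() {
    staged="$1"
    if [ ! -d "$TEMPLATE_ROOT" ]; then
        echo "parent $TEMPLATE_ROOT is missing; it cannot be recreated while SIP is on" >&2
        if sip_enabled; then
            echo "hint: SIP is enabled on this Mac" >&2
        fi
        return 2
    fi
    for name in English.lproj Non_localized; do
        replace_child "$staged" "$name"
    done
    template_layout_ok
}

# Usage (as root on the target Mac): sh this_script.sh /path/to/staged/UserTemplate
if [ "$#" -eq 1 ]; then
    deploy_user_template "$1"
fi
```

Because the parent is left alone, the package or DeployStudio workflow no longer depends on being able to write into /System/Library itself, which is the step SIP blocks; only the children are rewritten, and a missing parent is reported before any imaging run is declared successful.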

dstranathan
Valued Contributor II

Thanks @rtrouton

Sweet. If that works I'm a happy man. I'll just rebuild the package and leave out the parent "User Template" folder and just replace the English.lproj and Non_localized child folders.

This is temporary. In 2016 I will start to leverage profiles, policies and scripts, but I find it hard to tweak all the things I want using just JAMF and scripts alone. It will take some time for me to surgically locate and set every preference, etc.

Perfect example: Pre-populating the "Connect to Server..." box with my file server URIs. Stuff like that.

Similar topic: I assume that the DefaultDesktop.jpg file can no longer be modified via a script now with SIP, correct?

SGill
Contributor III

Yes, we want to leverage Profiles here as well (already use them to some extent), and have the same concerns about the control we will lose if we just go with default UT's. Carefully modified UT's have served us well for nearly a decade but we may be coming to an era of users needing to set up many of the resources (that we used to build for them) manually for themselves.

1-to-1 setups where users are admin won't be so bad, but labs and non-admins might be another story.

Hoping for some clearer options soon. I realize it's a good thing that Apple is locking down with SIP.