Posted on 11-01-2018 02:11 AM
We've been having problems with a fair amount of our iMacs where they will randomly stop allowing network accounts to log on, even though they are bound to the network and all the various network settings appear okay (including a green dot next to the domain name in users).
As part of my investigations I built a new iMac out of the box with the original macOS (not imaged via Jamf Pro), which was completely okay after being bound to the network for well over a week; that is, until I enrolled it in Jamf Pro, as after a couple of shutdowns the red dot issue occurred. Could be a good lead, or a red herring.
This is a difficult one to track as there is no real pattern to the issue and so far the only resolution we can find is to unbind, then bind back on the network.
Anyone come across anything similar?
Posted on 11-01-2018 07:00 AM
I believe it is a bug in macOS that has been around for years but not really addressed. We saw this issue as far back as Mavericks and even went so far as to build a script out into Self-Service for technicians who were troubleshooting lab/shared Macs. This happened on MacBook Airs/Pros as well as iMacs.
If you notice in System Prefs, the device will still be bound, and you can still connect to AD in Directory Utility or using dsconfigad, but if you enter the Users and Groups pane under login options, you will notice that the "Allow Network User to log in" checkbox is missing, much like an unbound Mac. This is what throws the red dot flag on the login screen and is what prevents AD users from logging in.
The screenshot is what you get when it is working properly. When it isn't, you see that it is still bound, but the whole checkbox and text for network users is missing.
Posted on 05-15-2019 12:46 PM
Please, please tell me the cause of this issue and how you fixed it? Got it here too... driving us crazy!!!
Posted on 05-16-2019 04:19 AM
We've seen this ever since we launched our Mac service in 2013, but to be fair we are seeing it less and less these days. It can sometimes go away with a rebind to AD. It's just something we've learned to live with and our customers are advised to ignore it via our help resources and documentation; they can still log in as expected despite the red dot.
Like many other sites, our plan is to move away from binding to AD to either NoMAD or Jamf Connect.
Posted on 05-16-2019 07:27 AM
At a previous company, we had a group who would receive the alert that network accounts were unavailable after a reboot for up to a minute. Then the red dot would go away.
We tracked this down to the network switch system they were plugged into. Something was preventing them from receiving an IP address in a timely manner. We determined this by enabling the option to show additional information at the login window in the upper right corner. With Jamf Pro, you can enable this with a configuration profile using the Login Window payload.
As soon as the login window appeared, we'd click the clock in the upper right corner, which cycles through computer name, serial number and IP address. We wouldn't see an IP address for about a minute. Once we saw the IP address, we saw network accounts were available.
We couldn't change network hardware and our network group didn't put much effort into troubleshooting the issue. They just said, "Tell your users to wait a minute before logging in."
Enabling Mobile Accounts for bound Macs may be able to let users log in more quickly, allowing the Mac to connect to the network in the background.
Posted on 05-16-2019 05:48 PM
Just for kicks, does your AD server DNS end in .local? Before we moved to local accounts we always saw this, and could still log in to the Mac with an AD account (not mobile), and I read somewhere that AD servers ending in .local were the primary reason for this network red dot. Just throwing it out there.