Remote Create mobile account at login

llitz123
Contributor III

So we're all remote yet may still be hiring and may need to roll out new hardware.
All of our Macs are bound to AD and all users are mobile accounts.
My question is how do I remotely have a user login to create a mobile account at login when outside our firewall. We don't have external access to our AD although we do have Azure AD if there's some way to leverage that.
72da2550dfd448eaa345dbd61bb808d6

Any help is greatly appreciated.

1 ACCEPTED SOLUTION

llitz123
Contributor III

As I mentioned I was unable to get this to work as I can't create a VPN connection before user login. @talkingmoose was right.
I did find this thread which seems to solve the issue and is recently active for anyone having this issue.

View solution in original post

12 REPLIES 12

noahinla
New Contributor II

I don't have a solution for you other than saying that this is a great use-case example for you to petition your company to switch to Jamf Connect. I switched over a few months before quarantine/WFH and it's made everything so much easier.

talkingmoose
Moderator
Moderator

You can only convert Active Directory accounts to mobile accounts and that requires the end user authenticate against AD first at login. You won't be able to do this remotely unless they have a VPN solution that's external to your Mac, like a hardware router with VPN connected all the time.

What will binding Macs to Active Directory and having end users authenticate using an Active Directory mobile account do for you if they're remote?

donmontalvo
Esteemed Contributor III

Microsoft Teams.

Before shipping the computer, connect to it using Screen Sharing, putting it at the Login Window. Launch Teams on your computer. Give the remote user control through Teams. User logs in to the new computer, then logs out. Ship the computer.

--
https://donmontalvo.com

MatG
Contributor III

Same issue here.

Jamf Connect seems to be the answer but my management sees $2 per device per month a no go so instead prefer to have all the pain of the situation we have now. What we are doing is having the local engineer call the user, inform them they are going to reset their password so they can then do the account login posing as them. They ship the Mac and then ask the user to change their password again. Not ideal at all.

gabester
Contributor III

@donmontalvo you've hit the nail on the head - at least for orgs that use Teams. We do a variant, only because most of our computer build technicians are Windows-savvy, so they hook up a USB crash cart KVM to the Mac and their PC and allow control to their PC from Teams. No need to worry about fiddly screen sharing settings... but I've made it a goal to come up with a solution that doesn't need the KVM... so I'm looking at fiddly screen sharing settings... Ultimately @talkingmoose and @noahinla are right - stop binding to AD and do things the way Apple recommends.

hkabik
Valued Contributor

@MatG NoMAD is still an option for password syncing between local and AD accounts and is free. It's obviously not as full features as Jamf Connect (previously NoMAD Pro) but it allowed us to finally do away with binding a few years ago.

https://nomad.menu/

dlondon
Valued Contributor

Apparently we are going down the path of an always on VPN. Maybe that would help.

I think @donmontalvo has a great way. It doesn't have to be Teams. Just something that you can allow the remote person to interact with your desktop

donmontalvo
Esteemed Contributor III

FWIW I didn't come up with the idea, my colleagues did. I was like...

614bd22ae5e54714bc66e3a9b570e87c

--
https://donmontalvo.com

llitz123
Contributor III

Thanks for all the responses.
@talkingmoose we have a hybrid which makes life even harder. So it looks like most staff will be rotating into the office at some point. To yours and others points we really dont use many AD features on MacOS.
@Sterritt what is the Apple preferred way for enterprise?
I'll checkout NoMAD/JAMF Connect as time permits (LOL).
And @donmontalvo as always thanks for your insight,

bofh
New Contributor III

We have a kinda cool solution here right after corona lockdowns started.

At first you need to define a Extension Attribute "Has Directory User" (you may need to adjust this, we have no local users with uid > 1000)

#!/bin/bash
potUsers=$(dscl /Local/Default -list /Users uid | awk '$2 >= 1000 && $0 !~ /^_/ { print $1 }')
if [ "${potUsers}" == "" ]
then
    echo "<result>no</result>"
else
    echo "<result>yes</result>"
fi

After that we created a SMART Group containing all Computers which had "Has Directory User: No".
After that we created a Configuration Profile with pre-filled VPN Information (an ipsec tunnel in our case, may differ in your Organisation, It's called 'Bootstrap VPN') which scoped to that SMART Group.
After that we created a Policy which triggers on "enrollment", which instantly uploads the Inventory of the machine -> Configuration Profile will be applied directly afterwards
After that we created a Policy which triggers on "network state change" and "startup" which just calls

networksetup -connectpppoeservice "Bootstrap VPN"

-> (re-)Enables tunnel after startup/network changes

This all integrates in our Process which
a) automatically resolves the Computername by querying the a gitlab repository or a CMDB (which may already know the correct Computername based on the Serialnumber) reboot
b) automatically join the active directory c) first logon of the user
caching the credentials

And Bonus:
After the First Directory user logged in, the Extensionattribute switches to "yes" and the Profile + VPN Access gets removed again.

Hopefully this helps some of you guys ;-)

llitz123
Contributor III

@bofh that looks crazy. If I had the resources to test I would totally try that.
@donmontalvo I just started testing further with remote users. The combination of Teams and ARD/Screen Sharing doesn't pass the shift key. My less than secure workaround is to use the on-screen keyboard...
Any ideas how to pass the shift key for login window?

llitz123
Contributor III

As I mentioned I was unable to get this to work as I can't create a VPN connection before user login. @talkingmoose was right.
I did find this thread which seems to solve the issue and is recently active for anyone having this issue.