Jamf Nation Community

You can only convert Active Directory accounts to mobile accounts and that requires the end user authenticate against AD first at login. You won't be able to do this remotely unless they have a VPN solution that's external to your Mac, like a hardware router with VPN connected all the time.

What will binding Macs to Active Directory and having end users authenticate using an Active Directory mobile account do for you if they're remote?

Microsoft Teams.

Before shipping the computer, connect to it using Screen Sharing, putting it at the Login Window. Launch Teams on your computer. Give the remote user control through Teams. User logs in to the new computer, then logs out. Ship the computer.

Same issue here.

Jamf Connect seems to be the answer but my management sees $2 per device per month a no go so instead prefer to have all the pain of the situation we have now. What we are doing is having the local engineer call the user, inform them they are going to reset their password so they can then do the account login posing as them. They ship the Mac and then ask the user to change their password again. Not ideal at all.

@donmontalvo you've hit the nail on the head - at least for orgs that use Teams. We do a variant, only because most of our computer build technicians are Windows-savvy, so they hook up a USB crash cart KVM to the Mac and their PC and allow control to their PC from Teams. No need to worry about fiddly screen sharing settings... but I've made it a goal to come up with a solution that doesn't need the KVM... so I'm looking at fiddly screen sharing settings... Ultimately @talkingmoose and @noahinla are right - stop binding to AD and do things the way Apple recommends.

@MatG NoMAD is still an option for password syncing between local and AD accounts and is free. It's obviously not as full features as Jamf Connect (previously NoMAD Pro) but it allowed us to finally do away with binding a few years ago.

https://nomad.menu/

Apparently we are going down the path of an always on VPN. Maybe that would help.

I think @donmontalvo has a great way. It doesn't have to be Teams. Just something that you can allow the remote person to interact with your desktop

FWIW I didn't come up with the idea, my colleagues did. I was like...

Thanks for all the responses.
@talkingmoose we have a hybrid which makes life even harder. So it looks like most staff will be rotating into the office at some point. To yours and others points we really dont use many AD features on MacOS.
@Sterritt what is the Apple preferred way for enterprise?
I'll checkout NoMAD/JAMF Connect as time permits (LOL).
And @donmontalvo as always thanks for your insight,

We have a kinda cool solution here right after corona lockdowns started.

At first you need to define a Extension Attribute "Has Directory User" (you may need to adjust this, we have no local users with uid > 1000)

#!/bin/bash
potUsers=$(dscl /Local/Default -list /Users uid | awk '$2 >= 1000 && $0 !~ /^_/ { print $1 }')
if [ "${potUsers}" == "" ]
then
    echo "<result>no</result>"
else
    echo "<result>yes</result>"
fi

After that we created a SMART Group containing all Computers which had "Has Directory User: No".
After that we created a Configuration Profile with pre-filled VPN Information (an ipsec tunnel in our case, may differ in your Organisation, It's called 'Bootstrap VPN') which scoped to that SMART Group.
After that we created a Policy which triggers on "enrollment", which instantly uploads the Inventory of the machine -> Configuration Profile will be applied directly afterwards
After that we created a Policy which triggers on "network state change" and "startup" which just calls

networksetup -connectpppoeservice "Bootstrap VPN"

-> (re-)Enables tunnel after startup/network changes

This all integrates in our Process which
a) automatically resolves the Computername by querying the a gitlab repository or a CMDB (which may already know the correct Computername based on the Serialnumber) reboot
b) automatically join the active directory c) first logon of the user caching the credentials

And Bonus:
After the First Directory user logged in, the Extensionattribute switches to "yes" and the Profile + VPN Access gets removed again.

Hopefully this helps some of you guys ;-)

@bofh that looks crazy. If I had the resources to test I would totally try that.
@donmontalvo I just started testing further with remote users. The combination of Teams and ARD/Screen Sharing doesn't pass the shift key. My less than secure workaround is to use the on-screen keyboard...
Any ideas how to pass the shift key for login window?