Posted on 06-05-2016 05:29 PM
It has come to our attention that some of our Mac clients do not have 'Create mobile account at login' set in the User Experience section of Directory Bindings. A large portion of our clients need this for when they are at home and want to log on to their MacBooks under their network account.
Is there any way to propagate this out post-AD bind, or does this have to be set up at the moment of binding (I assume this is the case)?
If I have to re-bind, is this likely to cause any issues?
Posted on 06-05-2016 08:12 PM
dsconfigad -mobile enable
The above will do it. You can throw that into the Run Command field in a policy with a once per computer execution, and scope to the appropriate machines.
For extra points, you can create an EA that would gather if that value is set or not, and then use that for the basis of a Smart Group to scope the policy to. Doing it that way, you can set the Execution to Ongoing so it will keep trying to run on any Macs until they fall out of the Smart Group. EA below:
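#!/bin/bash
# Extension Attribute: report whether "Create mobile account at login" is enabled.
# bash is required for the [[ ... ]] test below.
if [[ $(dsconfigad -show | awk '/Create mobile account/{print $NF}') == "Enabled" ]]; then
    echo "<result>Enabled</result>"
else
    echo "<result>Disabled</result>"
fi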
Posted on 06-06-2016 07:09 PM
Thanks very much @mm2270, that works perfectly. Can you tell me a bit more about how I use the EA to capture a log of the results of running it on clients? I am quite new to this.
Posted on 06-06-2016 10:09 PM
@HelpDeskWarrior The second script I posted is an EA. You need to set that up in your JSS under the section for Extension Attributes.
For Macs that are joined to AD, it should return either an "Enabled" or "Disabled" string for that Extension Attribute value.
From there you can create a Smart Group for Macs that return "Disabled" as the result by using that EA as the criteria and entering "Disabled", meaning something like:
Create Mobile Account Setting | is | "Disabled"
Finally, you can use that Smart Group as the scope for a policy that would run the first script command I posted above on them. Make sure the policy collects new inventory after it runs.
I should mention, however, that my EA script above is a little simplistic. It assumes the Mac it's running on is joined to AD. If it's not even joined, the result will always be "Disabled" using my approach in the script, so it may keep trying to run that dsconfigad command on those Macs, but won't succeed since they aren't joined in the first place.
If that's a concern, the script could be expanded a bit to detect if dsconfigad even returns anything for a joined system, and if not, it can send back an EA result like "Not joined". That way, you can restrict the Smart Group only to Macs who are joined, but don't have the setting you're looking for enabled.
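The expansion described in the last post could look like the following; this is an added example, not code posted in the thread. It assumes, as the post suggests, that `dsconfigad -show` prints nothing on a Mac that is not bound; the function names, the constructed sample output and the extra "Unknown" result are hypothetical additions.

```shell
#!/bin/sh
# Added example (not from the thread): EA that separates unbound Macs from
# bound Macs that have the mobile account setting disabled.

# Classify the text of `dsconfigad -show`, read from stdin.
# Assumption: an unbound Mac produces no output at all.
classify_mobile_setting() {
    ad_output=$(cat)
    # Empty (or whitespace-only) output: treat the Mac as not bound to AD.
    if [ -z "$(printf '%s' "$ad_output" | tr -d '[:space:]')" ]; then
        echo "Not joined"
        return
    fi
    # Same match as the original EA: last field of the setting's line.
    case $(printf '%s\n' "$ad_output" |
           awk '/Create mobile account/{print $NF; exit}') in
        Enabled)  echo "Enabled" ;;
        Disabled) echo "Disabled" ;;
        *)        echo "Unknown" ;;  # bound, but the line was not found
    esac
}

# Constructed sample of `dsconfigad -show` output on a bound Mac (not real data).
sample_bound_output() {
    cat <<'EOF'
Active Directory Forest = example.com
Active Directory Domain = example.com
Computer Account = mac001$

Advanced Options - User Experience
  Create mobile account at login = Enabled
     Require confirmation = Disabled
  Force home to startup disk = Enabled
EOF
}

# When run as the EA on macOS, emit the value in the <result> tags Jamf reads.
if command -v dsconfigad >/dev/null 2>&1; then
    echo "<result>$(dsconfigad -show 2>/dev/null | classify_mobile_setting)</result>"
fi
```

With this EA, the Smart Group criteria from the earlier post (value is "Disabled") no longer matches unbound Macs, because they report "Not joined" instead.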