Posted on 01-08-2019 07:10 AM
Hello all,
The following is an issue affecting macOS Sierra, High Sierra, and Mojave in our environment. I would greatly appreciate any help from the community in resolving it :)
Historically, binding our Macs to AD (with force local home directory on startup and use UNC path from Active Directory to derive network home location) would create a Globe icon on end users' docks that would mount their network folder and open it on their desktop.
Since the Apple security updates starting a month ago, clicking on the Globe now opens a prompt asking users to authenticate to connect to the server where the network shares are located. After entering the credentials, the root level opens in a new window (our network shares are hidden, so they are not visible).
If users go to Go/Connect to Server and enter the full path they can connect without any authentication prompts.
Ideally, I would like to fix the issue with the Globe icon on the dock, but I'd settle for some way to have users' network home shares accessible without them having to navigate through several folders or having to enter the share path.
I have tried using the following script by @Look. It's a great script; the problem is that after adding it as a login policy it mounts the share but not the individual user's home folder. So users need to navigate through all the home folders within the share to find theirs.
A further complication when vetting possible alternatives is that we have different share directories for different users (Students, Teachers, Staff), so entering a static share in the format smb://SERVER/SHARE/username won't work.
#!/bin/bash
#2017 Version Samuel Look
#All care no responsibility
#Mounts the requested share if it doesn't already exist; if left blank it will attempt to mount the AD SMBHome
#Accepts shares in the form smb://server/share
#Intended to be run as a Login policy from Casper on AD bound machines only and has only been tested in this context.
##### Start separate process #####
(
##### SUBROUTINES #####
Share_Path_Valid() {
    if [[ -z "$Share_Path" ]]; then
        # No share passed as $4: derive it from the user's AD SMBHome attribute,
        # turning "SMBHome: \\server\share\user" into "smb://server/share/user"
        Machine_Domain=$(dscl "/Active Directory/" -read . SubNodes | awk '{print $2}')
        Share_Path="$(dscl "/Active Directory/$Machine_Domain/All Domains" -read "/Users/$Current_User" SMBHome \
            | awk '!/is not valid/' | sed -e 's/SMBHome: /smb:/' -e 's|\\|/|g')"
        # Share_Name was computed from $4 above, so recompute it from the derived path
        Share_Name="$(echo "$Share_Path" | awk -F"/" '{print $NF}')"
    fi
    if [[ "$Share_Path" ]]; then
        logger "Sharemount:$Share_Name Path check PASS $Share_Path"
        return 0
    else
        logger "Sharemount:$Share_Name Path check FAIL"
        return 1
    fi
}
#####
User_Ready() {
    # Wait up to 60 seconds for a non-root user to own the console (i.e. be logged in)
    Loop_End=$((SECONDS + 60))
    Current_User=$(stat -f%Su /dev/console | awk '!/root/')
    while [[ -z "$Current_User" ]] && [[ $SECONDS -lt $Loop_End ]]; do
        sleep 10
        Current_User=$(stat -f%Su /dev/console | awk '!/root/')
    done
    if [[ "$Current_User" ]]; then
        logger "Sharemount:$Share_Name User check PASS $Current_User"
        return 0
    else
        logger "Sharemount:$Share_Name User check FAIL"
        return 1
    fi
}
#####
Finder_Ready() {
    # Wait up to 60 seconds for the user's session to be up, then confirm Finder is running
    Loop_End=$((SECONDS + 60))
    while [[ -z "$(ps -c -u "$Current_User" | awk '/CoreServicesUIAgent/')" ]] && [[ $SECONDS -lt $Loop_End ]]; do
        sleep 10
    done
    if [[ "$(ps -c -u "$Current_User" | awk '/Finder/')" ]]; then
        logger "Sharemount:$Share_Name Finder check PASS"
        return 0
    else
        logger "Sharemount:$Share_Name Finder check FAIL"
        return 1
    fi
}
#####
Not_Mounted() {
    # mount lists SMB volumes as "//user@server/share on /Volumes/share (smbfs, ...)"
    if [[ -z "$(mount | awk -v u="$Current_User" -v s="/$Share_Name " 'index($0, u) && index($0, s)')" ]]; then
        logger "Sharemount:$Share_Name Mount check PASS $Share_Name"
        return 0
    else
        logger "Sharemount:$Share_Name Mount check FAIL already mounted"
        return 1
    fi
}
#####
Mount_Drive() {
    # Insert the user name so Finder connects as the console user: smb://server/... -> smb://user@server/...
    True_Path=$(echo "$Share_Path" | sed "s|//|//$Current_User@|")
    logger "Sharemount:$Share_Name Attempting to mount $True_Path"
    sudo -u "$Current_User" osascript -e "mount volume \"$True_Path\""
}
##### START #####
Share_Path=$4
Share_Name="$(echo "$Share_Path" | awk -F"/" '{print $NF}')"
if User_Ready && Finder_Ready && Share_Path_Valid && Not_Mounted; then
    sleep 4
    Mount_Drive
else
    logger "Sharemount:$Share_Name Conditions not met to attempt drive mounting $Share_Path"
fi
##### End separate process #####
) &
##### FIN #####
Posted on 01-08-2019 07:28 AM
Hey there, we had a similar issue and I managed to come up with a solution using MacMule's AppleScript for mounting shares. As we have a lot of shares I kind of found it tedious to include the rest, but when I have more time I intend to adapt it again. Here is my version for the home drive only. It seems that if you mount it via AppleScript rather than bash it works.
-- Console user, AD node and the user's SMBHome (UNC path with backslashes converted to slashes)
set loggedInUser to do shell script "/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }'"
set nodeName to "/Active Directory/DOMAIN/All Domains"
set ADHome to do shell script "dscl " & quoted form of nodeName & " -read /Users/" & loggedInUser & " | grep SMBHome: | cut -c 10- | sed 's/\\\\/\\//g'"
mount volume "SMB:" & ADHome
I had to save a script somewhere on the user's Mac. I created a file in the Library called management that gives me a place to store stuff locally to call. Then, through a bash script in the actual policy (make sure the AppleScript is executable first), I execute the script, which then mounts the home drive.
#!/bin/bash
# Author: Cat McDonald (with some help from MacMule)
# Purpose: to mount the home drive
osascript /library/management/ADHomeas.scpt
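Both scripts above do the same two things before mounting: read the user's SMBHome attribute out of dscl and rewrite the UNC path (\\server\share\user) into an smb:// URL that Finder will accept, then check whether that volume is already mounted. The helpers below are an added example written for this thread, not code from either poster or from MacMule; they take the dscl and mount output as text so the conversion can be tested without an AD-bound Mac. The server name fs01.contoso.local, the hidden share Students$ and the user names are constructed sample values, and the "//user@server/share on /Volumes/..." line format assumed for `mount` output is how macOS lists smbfs volumes.

```sh
#!/bin/sh
# Added example (not code from the thread): derive a per-user smb:// URL from the
# AD SMBHome attribute and check whether it is already mounted. dscl, mount and
# osascript are not invoked by the helpers; their output is passed in as text so
# the logic can be exercised on any system.

# $1 = console user, $2 = output of `dscl <node> -read /Users/<user> SMBHome`.
# Prints smb://<user>@<server>/<share>/<path>; prints nothing and returns 1 when
# the attribute is absent (the posted script filtered an "is not valid" line).
# Spaces in the path are encoded as %20 so the URL survives the mount call.
smbhome_to_url() {
    printf '%s\n' "$2" |
        awk '/^SMBHome: / && !/is not valid/ { sub(/^SMBHome: /, ""); print; exit }' |
        sed -e 's|\\|/|g' -e 's|^//||' -e 's| |%20|g' |
        awk -v u="$1" 'NF { print "smb://" u "@" $0; found = 1 } END { if (!found) exit 1 }'
}

# $1 = smb URL, $2 = output of `mount`. macOS lists SMB mounts as
# "//user@server/share/path on /Volumes/name (smbfs, ...)" (assumed format), so
# strip the scheme and look for that prefix followed by " on ".
is_mounted() {
    printf '%s\n' "$2" | grep -Fq -- "//${1#smb://} on "
}

# The mount itself has to run as the console user through Finder, as both posted
# scripts do. It only works on macOS, so it is kept apart from the pure helpers
# and is not called by the demo below.
mount_as_console_user() {
    sudo -u "$1" /usr/bin/osascript -e "mount volume \"$2\""
}

# Demo on constructed dscl output: no directory lookup, no mount performed.
demo_url=$(smbhome_to_url jdoe 'SMBHome: \\fs01.contoso.local\Students$\jdoe')
printf 'would mount: %s\n' "$demo_url"
```

Because the URL is built from each user's own SMBHome, the Students, Teachers and Staff shares need no static share path in the policy, and the `$` of a hidden share passes straight through. If `smbhome_to_url` prints nothing, the account has no SMBHome set and there is nothing to mount.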
Posted on 01-08-2019 07:36 AM
I opened a ticket with Apple on this and was told they are aware of the issue and expect it to be resolved in an upcoming software release.
Also, you can go ahead and click connect without entering a password and it should work.
Posted on 01-08-2019 09:22 AM
Hi @cmcdonald89
Thanks for your suggestions, I followed your instructions: created an apple script, placed it in a new directory at the root of Library (I named it management) then added the bash script to Jamf and created a login policy for it.
However, when I tried running the Apple script I get the following error: /Library/management/ADHomeas.scpt: execution error: Some parameter wasn’t understood. (-1715)
I've tried running it locally and through ARD. I wasn't sure what you meant about making sure the AppleScript was executable, though. Googling error -1715 comes up with "required parameter is missing".
Any thoughts? Thanks!!!
Posted on 01-08-2019 09:40 AM
I think that this is related to this issue: macOS 2018-006 security patch and AFP auto-mount
Posted on 01-08-2019 10:39 AM
@cbrewer So my small app/script that creates aliases to a mounted home drive stopped working too. See my post here. It has always worked in the past and all of a sudden it cannot create a simple alias.
I even created a really dumbed-down script to create aliases to local folders, like the Documents folder and Music folder, and that script is failing as well. Just wondering if it has something to do with this bug they are reporting?
Posted on 01-08-2019 11:14 AM
Hi @cbrewer ,
Unfortunately, it doesn't connect (mount) the users home folder. It only opens a window to the top level shares (which doesn't include the hidden shares for home folders).
The frustrating thing is that this is something that worked just fine previously and now requires yet another workaround to have what is essentially a basic feature of enterprise managed devices, i.e., mounting the home folder specified in the end user's AD account.
Posted on 01-08-2019 11:20 AM
@psher12 Check out macOS 10.14.3 beta 3.
Posted on 01-09-2019 12:57 AM
Hey @psher12, "Some parameter wasn't understood. (-1715)" - I am going to assume it's the nodeName variable:
set nodeName to "/Active Directory/DOMAIN/All Domains"
where DOMAIN (in all caps) is your own domain, e.g. contoso or whatever the root of your domain is (without the .com or otherwise).
As for making sure it's executable, I mean permissions. Use chmod 777.
Any more questions let me know :)