Sync network password with Mac login password?

Mouthbaten_1911
New Contributor III

Hello guys, we have users where the network AD password gets out of sync with the Mac when the user changes the password every 3 months or so. We have a Self Service action that updates their network password with their Mac login password; however, users do not use that very often. The Macs are FileVaulted. How do you guys sync the network passwords with the Mac login passwords? Is there an easier way to do that?


jamf-42
Valued Contributor II

NoMAD / JAMF Connect / XCreds 

Thank you, is NoMAD free? Is it better than the two?

jamf-42
Valued Contributor II

It's been a long time since I've used NoMAD... possibly been sunset by JAMF... but it's free. XCreds is $3 per client per year. JAMF Connect... time to ask your vendor for a package deal, but it's not cheap.

Being on local AD now, NoMAD might work, but plan for the future.

sdagley
Esteemed Contributor II

@Mouthbaten_1911 Is your AD system on-prem or Azure AD (or whatever MS calls it these days)? If it's on-prem you can use the Kerberos SSO plug-in which is part of macOS to sync the Mac's local password: https://support.apple.com/guide/deployment/kerberos-sso-extension-depe6a1cda64/web

It's on-prem, we haven't moved over to Azure AD yet.

sdagley
Esteemed Contributor II

You should definitely look into enabling the Kerberos SSO extension on your Macs then.

How do you enable the Kerberos SSO extension? Are there any instructions?

mm2270
Legendary Contributor III

Enable it with the Single Sign On Extensions payload in a Configuration Profile.

The main piece of information you need to enable it is your Kerberos realm. It should be entered in ALL CAPS format in the profile. There are a ton of other options you will need to look through when turning it on, but the other two options that you should enable are "Local password sync" and "Password expiration notification".

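As an added example (not code from the thread, from Apple or from Jamf), the following POSIX shell script generates the same Kerberos SSO extension profile that the Single Sign On Extensions payload produces, with the realm in upper case, "Local password sync" (`syncLocalPassword`) and "Password expiration notification" (`pwNotificationDays`) enabled. The realm EXAMPLE.COM, the `com.example` identifier prefix, the `.example.com` host entry and the 15-day notice period are stand-in values, not from the thread; replace them with your own.

```shell
#!/bin/sh
# Added example, not from the thread: build a configuration profile for the
# built-in Kerberos SSO extension with local password sync and password
# expiration notification enabled, enforcing the upper-case realm rule.
# Stand-in values (not from the thread): realm EXAMPLE.COM, identifier
# prefix com.example, notice 15 days before the AD password expires.

# The extension wants the Kerberos realm in upper case (EXAMPLE.COM, not
# example.com). Succeeds only for a non-empty, space-free, upper-case realm.
valid_realm() {
  [ -n "$1" ] || return 1
  case "$1" in *[[:space:]]*) return 1 ;; esac
  upper=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
  [ "$1" = "$upper" ]
}

# UUID for the PayloadUUID fields: uuidgen (macOS, util-linux) when present,
# the kernel's generator on Linux, otherwise a fixed placeholder.
new_uuid() {
  uuidgen 2>/dev/null && return 0
  cat /proc/sys/kernel/random/uuid 2>/dev/null && return 0
  echo "00000000-0000-4000-8000-000000000000"
}

# Usage: kerberos_sso_profile REALM [DAYS_BEFORE_EXPIRY] > kerberos-sso.mobileconfig
kerberos_sso_profile() {
  realm=$1
  days=${2:-15}
  if ! valid_realm "$realm"; then
    echo "error: realm must be upper case, e.g. EXAMPLE.COM (got '$realm')" >&2
    return 1
  fi
  # Hosts lists the DNS domain the extension handles; a leading dot covers
  # every host under it. Derived from the realm here as a stand-in value.
  domain=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
  payload_uuid=$(new_uuid)
  profile_uuid=$(new_uuid)
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.extensiblesso</string>
      <key>PayloadIdentifier</key>
      <string>com.example.sso.kerberos.$payload_uuid</string>
      <key>PayloadUUID</key>
      <string>$payload_uuid</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadDisplayName</key>
      <string>Kerberos SSO extension</string>
      <key>ExtensionIdentifier</key>
      <string>com.apple.AppSSOKerberos.KerberosExtension</string>
      <key>TeamIdentifier</key>
      <string>apple</string>
      <key>Type</key>
      <string>Credential</string>
      <key>Realm</key>
      <string>$realm</string>
      <key>Hosts</key>
      <array>
        <string>.$domain</string>
      </array>
      <key>ExtensionData</key>
      <dict>
        <key>syncLocalPassword</key>
        <true/>
        <key>pwNotificationDays</key>
        <integer>$days</integer>
      </dict>
    </dict>
  </array>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadIdentifier</key>
  <string>com.example.sso.kerberos</string>
  <key>PayloadUUID</key>
  <string>$profile_uuid</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadDisplayName</key>
  <string>Kerberos SSO - password sync</string>
  <key>PayloadScope</key>
  <string>System</string>
</dict>
</plist>
EOF
}

# Run directly: sh kerberos-sso.sh EXAMPLE.COM 15 > kerberos-sso.mobileconfig
if [ $# -gt 0 ]; then
  kerberos_sso_profile "$@"
fi
```

Check the output on a Mac with `plutil -lint kerberos-sso.mobileconfig`, then upload it to Jamf Pro as a custom profile, or simply enter the same Realm, Hosts and ExtensionData values in the Single Sign On Extensions payload. Recent macOS versions no longer accept configuration profiles installed from the command line, so deploy it through MDM rather than with `profiles`.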

We also have mobile accounts on the Macs.

mm2270
Legendary Contributor III

Ok, so, are you saying these mobile accounts are not getting passwords synced, and causing login issues? Not local accounts? Because actual mobile accounts should stay in sync with AD, because they are tied to AD, not the local domain.

I can see them getting out of sync with FileVault though.

If this is your case, honestly, the only advice I have is to drop the use of mobile accounts. Apple really doesn't support those anymore, so you're kind of in unsupported territory now. You really should use local accounts and the Apple SSO/Kerberos extension as a next transition step to move away from your current setup. I know that's easier said than done, but I don't foresee any easy ways of ensuring that Macs using cached AD mobile accounts and FileVault will work well together.

Yes, they are FileVaulted. Thanks for your info; I will take this up with management.