Jamf Nation Community

Most of our clients are using Active Directory so we just set the time to the domain name (as per this blog: http://www.amsys.co.uk/2015/blog/setting-network-time-server-command-line/).

Time drifting around isn't something I have seen for a while (I could just not have noticed though!). Is there anything nt. error related in the system logs?

I've also some posts on NTP: https://macmule.com/?s=NTP&submit=Search

@davidacland, I'm not trolling fella.. Honest!!

@bentoms lol, no worries! If yours is better I'll blame @daz_dar

Wait, what?

Must respectfully disagree @davidacland as not all domain controllers are configured to implement NTP as a service. If that's not in place, your time will drift.

@bthomason Is your place allowing NTP broadcast information (UDP) on port 123 through your firewall? If you're reliant on things like AD login and thus the time not being more than five minutes out, then you should think about directing your clients to an internal NTP server.

Very true, if possible its best to be specific and use a known and reachable ntp server.

I haven't come across a domain controller in the last few years that isn't providing an ntp service.

Well @franton & @davidacland, one of the posts I linked would show you where your DC's are getting time from.. Internal or external.

To be fair, the original blog was a very simple 'this is how you set your Mac NTP in a script' with a bonus that in some cases you can just use the domain rather than a specific serve.

The issue I see frequently is NTP is blocked at the firewall.
You can set the time server to your local Active Directory Domain Controller. But what happens when the computer leaves that network, and it cannot reach back in to sync time.
Considering most MacBooks are truly mobile devices this can be a big problem.

This script uses four Casper parameters.
$4=TimeZone - currently set to New York
$5i=nternalTime - currently set to time.apple.com - Set it to your internal time server.
$6=externalTime - currently set to time.apple.com
$7=EnableAutoTimeZone - currently enabled

This script can be used in a Configuration with hard coded variables, or in a Policy with Casper Parameters.

Be sure to set the script priority to run at reboot.

#!/bin/bash
####################################################################################################
#
# DESCRIPTION
#   The purpose of this script is to configure the Time Zone and Time Servers.
#
#   When used in a build configuration the script priority must be set to: At Reboot
#
# SYNOPSIS
#   sudo Configure_Time.sh
#   sudo Configure_Time.sh <mountPoint> <computerName> <currentUsername> <TimeZone> <internalTime> <externalTime> <EnableAutoTimeZone>
#
#   If the <EnableAutoTimeZone> parameter to "yes" Location Services will be enabled
#   and the time zone will be set automatically using current location.
#       
# DESCRIPTION
#
#   Use "-listtimezones" to list time zones
#
#
####################################################################################################
#
# HISTORY
#
#   Version: 2.0
#
#   Date: 12-22-2014
# 
####################################################################################################
#
# DEFINE VARIABLES & READ IN PARAMETERS
#
####################################################################################################
#
/bin/echo "Running Configure_Time.sh" >>/var/log/jamf.log

# OS X Version
sw_vers_Full=`/usr/bin/sw_vers -productVersion`
sw_vers_Major=`/usr/bin/sw_vers -productVersion | /usr/bin/cut -d. -f 1,2`
sw_vers_MajorNumber=`/usr/bin/sw_vers -productVersion | /usr/bin/cut -d. -f 2`

# Casper Environmental Positional Variables.
# $1 Mount Point
# $2 Computer Name
# $3 Current User Name - This can only be used with policies triggered by login or logout.
# Declare the Enviromental Positional Variables so the can be used in function calls.
mountPoint=$1
computerName=$2
username=$3
currentuser=`/bin/ls -la /dev/console | /usr/bin/cut -d " " -f 4`
#
# HARDCODED VALUE FOR "TimeZone" IS SET HERE
# Use "/usr/sbin/systemsetup -listtimezones" to see a list of available list time zones.

TimeZone="America/New_York"

# CHECK TO SEE IF A VALUE WAS PASSED IN PARAMETER 4 AND, IF SO, ASSIGN TO "TimeZone"
# If a value is specificed via a casper policy, it will override the hardcoded value in the script.
if [ "$4" != "" ];then
    TimeZone=$4
fi
#
# HARDCODED VALUE FOR "TimeServers" IS SET HERE

internalTime="time.apple.com"

# CHECK TO SEE IF A VALUE WAS PASSED IN PARAMETER 5 AND, IF SO, ASSIGN TO "internalTime"
# If a value is specificed via a casper policy, it will override the hardcoded value in the script.
if [ "$5" != "" ];then
    internalTime=$5
fi

externalTime="time.apple.com"

# CHECK TO SEE IF A VALUE WAS PASSED IN PARAMETER 6 AND, IF SO, ASSIGN TO "externalTime"
# If a value is specificed via a casper policy, it will override the hardcoded value in the script.
if [ "$6" != "" ];then
    externalTime=$6
fi

#
# HARDCODED VALUE FOR "EnableAutoTimeZone" IS SET HERE
# set to yes or no

EnableAutoTimeZone="yes"

# CHECK TO SEE IF A VALUE WAS PASSED IN PARAMETER 6 AND, IF SO, ASSIGN TO "EnableAutoTimeZone"
# If a value is specificed via a casper policy, it will override the hardcoded value in the script.
if [ "$7" != "" ];then
    EnableAutoTimeZone=$7
fi
#
/bin/echo ""
/bin/echo "$computerName" is running is OS X version "$sw_vers_Full"
/bin/echo "TimeZone:                   $TimeZone"
/bin/echo "internalTime:                 $internalTime"
/bin/echo "externalTime:                 $externalTime"
/bin/echo "EnableAutoTimeZone:         $EnableAutoTimeZone"
/bin/echo ""
#
#####################################################################################################
#
# Functions to call on
#
####################################################################################################

#
### Ensure we are running this script as root ###
rootcheck () {
if [ "`/usr/bin/whoami`" != "root" ] ; then
  /bin/echo "This script must be run as root or sudo."
  exit 0
fi
}
###
#

####################################################################################################
# 
# SCRIPT CONTENTS
#
####################################################################################################

rootcheck

/usr/sbin/systemsetup -setusingnetworktime off 

#Set an initial time zone
if [ "$TimeZone" != "" ]; then
    /usr/sbin/systemsetup -settimezone $TimeZone
fi

#Set specific time server
if [ "$internalTime" != "" ]; then
    /usr/sbin/systemsetup -setnetworktimeserver $internalTime
fi

# set time zone automatically using current location 
if [ "$EnableAutoTimeZone" = "yes" ]; then  
    /bin/echo "set time zone automatically using current location"
    # enable location services
    /bin/launchctl unload /System/Library/LaunchDaemons/com.apple.locationd.plist
    uuid=`/usr/sbin/system_profiler SPHardwareDataType | grep "Hardware UUID" | cut -c22-57`
    /usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd.$uuid LocationServicesEnabled -int 1
    /usr/sbin/chown -R _locationd:_locationd /var/db/locationd
    /bin/launchctl load /System/Library/LaunchDaemons/com.apple.locationd.plist
    # set time zone automatically using current location 
    /usr/bin/defaults write /Library/Preferences/com.apple.timezone.auto Active -bool true
fi

/usr/sbin/systemsetup -setusingnetworktime on 
/usr/sbin/systemsetup -gettimezone
/usr/sbin/systemsetup -getnetworktimeserver
/bin/echo server "${externalTime}" >> /private/etc/ntp.conf
exit 0

Pretty neat script. It's also worth checking to see if the pacemaker daemon is running on OS 10.9 or 10.10 computers as well. Apple's really doing weird things with this proprietary bit of software, probably in an attempt at power saving which NTP was never designed for.

You can check with the following:

My-MacBook-Pro:~ franton$ sudo /usr/libexec/pacemaker -v
Password:
Jan  9 22:59:25 My-MacBook-Pro.local pacemaker[2264] <Warning>: pacemaker is not enabled on this system - unloading pacemaker and exiting
/System/Library/LaunchDaemons/com.apple.pacemaker.plist: Could not find specified service

You do NOT want to see this! How you'd fix it apart from reinstalling, i'm still working on.

@franton Im not blocking NTP. My users have local accounts, Im no longer utilizing a Directory Service.

@bthomason, maybe run the below on each Mac once a day? It should keeps the clients from drifting, but recorrecting it daily.

ntpdate -u time.apple.com

We are still seeing this with 10.9 and 10.10

We are pointed to an internal ntp server and are seeing this even on desktops. 3-4 min drift.

If we uncheck and recheck the time server check mark it updates along with running ntpdate -u timeserver it fixes it.

Its almost like it can't update on its own.

@ClassicII, on a restart or power on Macs will try & update their time.

Are these Macs on all the time?

Maybe a policy as advised above: https://jamfnation.jamfsoftware.com/discussion.html?id=12979#responseChild76675

What ended up happening in my environment was our network guys blocked off access to all internet-based time servers but didn't say anything to Corp IT, so all of our Macs were drifting, to the point where they weren't binding to AD on imaging because the machine's time would be, like, December 2001 or whatever. So I ended up putting time server configuration in my First Boot script for imaging, and also pushed out a policy to all of our Macs to use our NTP first, then time.apple.com as secondary (when off-prem). Seems to have remedied our issues.

@emilykausalik, another alternative would be to find the external source your domain uses.. & use that as the secondary.. just in case, just in case... https://macmule.com/2013/12/14/how-to-check-your-active-directory-domains-time/