Posted on 04-07-2020 08:49 AM
My organization is looking for ways to make our deployment workflow completely zero-touch as a response to the COVID-19 crisis.
A little background: All of our Macs are bound to a domain. It is a large educational organization with multiple child domains, including a public-facing domain for our public-facing computing resources.
Currently, the final step for setting up a Mac for staff is to have the end-user authenticate to the domain with their staff Active Directory credentials.
Since our devices are deployed onsite during typical business operation, we always have the ability to authenticate. COVID-19 introduces a flaw in this process as we attempt to onboard new staff and provision computers to current staff as temporary loaners during the crisis.
Does anyone have insight on how we can enable VPN authentication prior to login, or some other workflow for preconfiguring mobile accounts? Anything you have (forum discussions, links to existing documentation, etc.) is welcome.
Thanks, Jamf Nation!
Posted on 04-07-2020 10:22 AM
We use Enterprise Connect; it works like a charm.
Posted on 04-07-2020 11:10 AM
I've never had any luck trying to find a VPN solution that connects at the login window. If Jamf is externally facing, I'd recommend going the DEP route to have the user create a local account and then leverage Enterprise Connect or NoMAD to make sure credentials stay in sync once they are on VPN. Another route you could go (that's definitely more complicated, as everything with Mobile Account is) would be to create a temp account for the user to sign in with, have them connect to VPN and run a policy that creates a mobile account for them (https://derflounder.wordpress.com/2011/08/12/creating-ad-or-od-mobile-users-from-the-command-line/) and then they logout and login with that.
Posted on 04-07-2020 01:51 PM
@andymcp Thanks for the feedback! I have only seen the VPN-before-login solution work well at one organization and it was an extremely well-funded healthcare organization, and it was only for Windows computers. The last method you mentioned was my fall back if I couldn't make progress with the VPN stuff. I figured there was a way to do something like that but it seemed like a messy solution for end-users and I did not have a direct example, so thanks again. I will look into the Enterprise Connect and NoMAD solutions before going that route.
Posted on 04-08-2020 07:32 AM
I'm working through a similar issue. My current plan of action is to DEP a setup user to the computer:
1.) Have the user log in with the temporary setup user and run a default provisioning policy through Self Service, which will set up VPN and install some other things.
2.) Then have them run a Self Service policy that will create their user account. Work in progress on my GitHub. It's worked on my testing computer but not in a real-world environment.
3.) Have them switch to their user and run another policy that sets up their account.
4.) Have them do some of our default new-computer stuff like setting up email, two-factor for our main VPN, etc.
5.) Have them run another Self Service policy which deletes the setup user off the computer and makes sure everything is good to go.
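Step 2 above, and the command-line mobile-account creation andymcp linked to, both come down to a policy script that runs once the VPN is up on an already domain-bound Mac. The following is an added example of such a script, not code from either poster or from Jamf; it assumes Jamf passes the target username as policy parameter $4 and that the Mac was bound with dsconfigad. The defensive points it shows are the ones a practitioner wants here: the username is validated before it reaches any command line, the directory node is checked for reachability before anything is created, and the result is verified afterwards.

```shell
#!/bin/bash
# Hypothetical Jamf policy script (added example): create an AD mobile account for a
# named user on a domain-bound Mac once the VPN is connected.
# Jamf custom policy parameters start at $4; this script expects $4 = target username.

CMA="/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount"

# The username comes from a Self Service prompt or policy parameter, so restrict it
# to the characters a sAMAccountName can carry before it reaches any command line.
valid_username() {
  case "$1" in
    "" ) return 1 ;;
    *[!A-Za-z0-9._-]* ) return 1 ;;
    * ) return 0 ;;
  esac
}

# Domain the Mac is bound to according to dsconfigad (empty when not bound).
bound_domain() {
  dsconfigad -show 2>/dev/null | awk -F'= ' '/Active Directory Domain/ {print $2}'
}

# True when the AD node can resolve the user, i.e. a domain controller is reachable.
ad_user_resolvable() {
  dscl "/Active Directory/$1/All Domains" -read "/Users/$2" RecordName >/dev/null 2>&1
}

# True when a local (mobile) record now exists for the user.
local_account_exists() {
  dscl . -read "/Users/$1" RecordName >/dev/null 2>&1
}

main() {
  target="$4"
  valid_username "$target" || { echo "refusing invalid username '$target'"; exit 1; }
  domain="$(bound_domain)"
  [ -n "$domain" ] || { echo "Mac is not bound to Active Directory"; exit 1; }
  ad_user_resolvable "$domain" "$target" \
    || { echo "cannot resolve $target in $domain; is the VPN connected?"; exit 1; }
  # Creates the mobile account record; the home folder is populated at first login.
  "$CMA" -n "$target" || { echo "createmobileaccount failed"; exit 1; }
  local_account_exists "$target" || { echo "no local record for $target"; exit 1; }
  echo "mobile account for $target created; log out and log in as $target"
}

# Only run the workflow on macOS; elsewhere this file merely defines the functions.
case "$(uname)" in Darwin) main "$@" ;; esac
```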
Posted on 04-08-2020 11:11 AM
@strayer, after reading the suggestions from @andymcp, I tested both NoMAD and scripting the mobile account creation. I settled on almost the exact workflow that you listed. I think I will look into NoMAD at a later date as a permanent solution but for now, this process will serve the needs of my organization and it's pretty straightforward to implement!
Posted on 04-08-2020 01:58 PM
@bhardawa Hope it works well for you, I'm building out this process as we speak. My team had the goal of working towards using Jamf Connect with non-AD-bound computers this summer for a truer zero-touch setup, but we need something up and running sooner than that, so I'm getting this working in the meantime.
Posted on 08-03-2020 08:54 AM
Hello @bhardawa, I'm currently going through the same situation right now with AD and VPN. Can you tell me what solution you are currently using in your organization? Thanks for your help.