Want to create a policy to enable "Create Mobile Account at Login"

dajames
New Contributor

In brief, I support a school's infrastructure with JAMF Casper. All the Macs are bound to a Windows AD.

Currently, we have the student accounts stored on a network volume share, and they load on login, as the computer lab Macs are not set to create mobile accounts at login. This is not the recommended way to do it, and for good reason, as it causes problems, but I inherited this policy.

Now, finally, we want to change the preferences on all the Macs in a smart group to now choose "Create mobile account at login" so that the students will have managed mobile accounts when they log on, cached on the HD as is normally done. (They'll be saving their work to a network volume, anyway, so it's not necessary to always load their profiles from a volume share going forward.)

Is there a way to make this change through terminal commands which can be scripted, wrapped up in a policy?

For that matter, I wonder if there isn't a repository of all the methods for changing any and all macOS preferences via the terminal? Such a manual resource seems like it would be very nice to have.

4 REPLIES

CapU
Contributor III

B.C. (before Casper) we used this script:
sudo dsconfigad -f -a COMPUTERNAME -domain cds.capilanou.ca -u YOURADMID -p YOURADMPASSWORD -ou OU=Macs,OU=XXXXX,OU=Workstations,OU=XXXXX,DC=cds,DC=XXXX,DC=ca -mobile enable -mobileconfirm disable -localhome enable -alldomains disable -packetsign require -packetencrypt require -groups "CDSSvcMgrIncidentResponders"
Note where it says "mobile enable".
Now A.C. (After Casper) you can set up Binding to enable mobile accounts.

chad_fox
Contributor II

You'll want to explore 'dsconfigad'.

-mobile flag 'enable' or 'disable' mobile user accounts for offline use

I'd test a script that is set for login with the mobile flag added.

#!/bin/sh

# enables mobile user accounts for offline use

dsconfigad -mobile enable

mm2270
Legendary Contributor III

Yes, since you mentioned them being joined to AD, take a look at the dsconfigad command. You can just type in dsconfigad in Terminal to get a list of available commands. What you want to look at is the User Experience section:

Advanced Options - User Experience:
  -mobile flag          'enable' or 'disable' mobile user accounts for offline use
  -mobileconfirm flag   'enable' or 'disable' warning for mobile account creation
  -localhome flag       'enable' or 'disable' force home directory to local drive
  -useuncpath flag      'enable' or 'disable' use Windows UNC for network home
  -protocol type        'afp' or 'smb' change protocol used when mounting home
  -sharepoint           'enable' or 'disable' mount network home as a sharepoint.
  -shell value          'none' for no shell or specify a default shell '/bin/bash'

The ones you want are -mobile and -mobileconfirm. The former can be set to enable and the latter to disable. Essentially, this tells the Mac to auto create a cached AD mobile account from any user that logs in with AD credentials (while connected to the network of course). The -mobileconfirm disable ensures the user doesn't see a dialog pop up asking if they want to create such a cached account.

sudo dsconfigad -mobile enable -mobileconfirm disable

It would be something like the above. You can drop that into a script or even just plug that into the Execute Command field in a policy that is scoped to run on your targeted Macs. (Remove the sudo if pushing it thru Jamf Pro/Casper)

I would of course test this all out on a few machines first, and see what the experience is like before going hog wild, but this should get you what you're looking for.

Also, for the sake of completeness, you should also explore and take a look at the createmobileaccount binary.

/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -h

The binary allows you to "pre-create" cached AD mobile accounts by passing in a username to pull from AD and create the home directory. You can also pass in a password for the account if you know it ahead of time. Might come in handy.

dajames
New Contributor

You guys rock! Thanks for all the responses.

I think I fooled myself by making this more complicated than necessary. As it is, most information of this subject is how to configure mobile homes as the preference when creating a binding script. I'm going back and fixing things that were done incorrectly, which is so much less elegant.

The simplest way seemed to be the best.

I created a script that ran as below, and that did the trick:

#!/bin/sh


dsconfigad -mobile enable
dsconfigad -mobileconfirm disable

That did what I needed it to do for my computer lab.
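
Added example, not part of any post in this thread: a policy script that reads `dsconfigad -show`, applies `-mobile enable` and `-mobileconfirm disable` only where they are missing, and verifies the result instead of assuming it. The `Label = Value` layout of `dsconfigad -show`, the sample values, and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: `dsconfigad -show` prints
# "Label = Value" lines laid out like the constructed SAMPLE_SHOW below.
SAMPLE_SHOW='Active Directory Domain          = ad.example.edu
Computer Account                 = lab-mac-01$

Advanced Options - User Experience
  Create mobile account at login = Disabled
     Require confirmation        = Enabled
  Force home to startup disk     = Enabled'

# ad_setting LABEL: read `dsconfigad -show` text on stdin, print LABEL's value.
ad_setting() {
    awk -F ' = ' -v label="$1" '
        { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
        key == label { print $2; exit }'
}

# pending_changes: read `dsconfigad -show` text on stdin, print the dsconfigad
# arguments still needed (nothing if compliant); return 2 if the Mac is unbound.
pending_changes() {
    show=$(cat)
    [ -n "$(printf '%s\n' "$show" | ad_setting 'Active Directory Domain')" ] || return 2
    args=''
    [ "$(printf '%s\n' "$show" | ad_setting 'Create mobile account at login')" = Enabled ] \
        || args='-mobile enable'
    [ "$(printf '%s\n' "$show" | ad_setting 'Require confirmation')" = Disabled ] \
        || args="${args:+$args }-mobileconfirm disable"
    printf '%s' "$args"
}

# enforce_mobile_accounts: apply only what is missing, then verify by re-reading.
enforce_mobile_accounts() {
    if ! todo=$(dsconfigad -show | pending_changes); then
        echo "Not bound to AD; nothing changed" >&2
        return 1
    fi
    [ -n "$todo" ] || { echo "Mobile account settings already compliant"; return 0; }
    # Unquoted on purpose: $todo is a fixed word list built by pending_changes.
    dsconfigad $todo || return 1
    [ -z "$(dsconfigad -show | pending_changes)" ]
}

# Runs only where dsconfigad exists (macOS); must run as root, as Jamf policies do.
if command -v dsconfigad >/dev/null 2>&1; then
    enforce_mobile_accounts
fi
```

Because the script only toggles options on an existing binding, it carries no AD credentials, and the non-zero exit on an unbound Mac or a failed verification shows up as a failed policy run in the logs.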
