Which name is best when a Mac joins the AD domain?

Chicken_Dinner
New Contributor II

We have used name-imac or name-macbook but, as we are growing, it's not really working...

Would S/N be the best or any other suggestions?


mconners
Valued Contributor

Hello @OF-Jamf, here at our college the name is everything for us. Our entire workflow is now based on the name we provide to our computers.

In our case, an example of our name would be MB2277-12345MS-Design.

The MB2277 means Main building in the B section. The room is 2277.

The asset tag we assign to the device is 12345.

Next, we use MS to identify this device as a student Mac. The AD admins run scripts against the devices in AD, and anything after the M they don't look at in their scripts, so we use: MS - Student Mac, ME - Employee Mac, MI - Instructor Mac. The instructor Mac is a presentation station in a classroom or lab.

Finally, the word Design. This designates the Graphic Design deployments of apps, policies and configuration profiles. We have many more like Library, Photo, Chemistry, Physics and more.

With all of this in the name, I can now create smart groups to determine the computers needing to get what policies and profiles.

Hopefully @OF-Jamf this will spark some new ideas for you.

Chicken_Dinner
New Contributor II

@mconners Thank you so much for your detailed answer : )

But here is my question. If I decommission our existing old Macs and buy new ones in the future, with DEP enabled, how can you bind them through a script or Jamf Pro? I am wondering how we can do this DEP process nicely in this situation.

mconners
Valued Contributor

Hello @OF-Jamf, we use DEP here as well. Once the Mac is brought into Jamf, it usually has a very generic name like MacBook or iMac. We have a smart group look for any computer with a name like those. We exclude this smart group from any of our policies and profiles, meaning they won't get bound to AD or receive any settings until named.

We then have a policy for binding to AD. This policy runs on check in, which in our case is every 30 minutes.

The other missing piece I should have mentioned earlier: we take the asset tag field and enter the correct name. Yes, we do this for all of our new Macs; we have to touch them. I haven't found an easy way to get these names populated and even have a feature request asking for a change or addition to naming for DEP.

Anyhow, we have a script that runs immediately when the name is changed. It will pull the asset tag field's name and move it to the computer name field. This is done as step 1 of our workflow (literally, the policy is named 01 Rename Computer); the third step is to bind to AD with the computer name field. This binding policy has an exclusion for any misnamed Macs, via the smart group mentioned earlier, so we don't accidentally bind using the incorrect name.

So in summary, we find the serial number of the new Macs, locate the computer in the JSS, enter in the correct name and save it. The policies will begin to run as soon as the Mac checks in.
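
The "01 Rename Computer" step described in this post, together with the naming convention from mconners' earlier reply, as an added shell example. This is not mconners' script and not anything shipped by Jamf: it assumes (hypothetically) that the asset tag field's contents are handed to the script as Jamf Pro script parameter $4, that names follow a `<building+room>-<asset tag><MS|ME|MI>-<role>` pattern like MB2277-12345MS-Design (the exact regex is an assumption), and it refuses to touch a Mac that still carries a generic DEP name or a name outside the convention. It only calls `scutil` and `jamf recon` when actually running on macOS; elsewhere, or with `DRY_RUN` set, it reports what it would do.

```shell
#!/bin/sh
# Added example, not mconners' own script: the "01 Rename Computer" step.
# Assumptions (hypothetical): Jamf Pro passes the asset tag field as script
# parameter $4, and names follow <building+room>-<asset tag><MS|ME|MI>-<role>,
# e.g. MB2277-12345MS-Design.

# Names DEP leaves on an untouched Mac. A Mac still carrying one must not be renamed or bound.
is_generic_name() {
    case "$1" in
        ""|MacBook|"MacBook Pro"|"MacBook Air"|iMac|"iMac Pro"|"Mac mini"|"Mac Pro") return 0 ;;
        *) return 1 ;;
    esac
}

# Check a candidate name against the convention and print its four fields
# (location, asset tag, type code, role) separated by spaces. Returns 1 on mismatch.
parse_name() {
    name=$1
    printf '%s\n' "$name" | grep -Eq '^[A-Z]+[0-9]+-[0-9]+M[SEI]-[A-Za-z0-9]+$' || return 1
    location=${name%%-*}          # MB2277
    rest=${name#*-}               # 12345MS-Design
    assettype=${rest%%-*}         # 12345MS
    role=${rest#*-}               # Design
    asset=${assettype%M[SEI]}     # 12345
    kind=${assettype#"$asset"}    # MS
    printf '%s %s %s %s\n' "$location" "$asset" "$kind" "$role"
}

# The meaning of the type code, as the thread defines it.
type_description() {
    case "$1" in
        MS) echo "Student Mac" ;;
        ME) echo "Employee Mac" ;;
        MI) echo "Instructor Mac" ;;
        *)  return 1 ;;
    esac
}

# LocalHostName (the Bonjour name) only allows letters, digits and hyphens, max 63
# chars; scutil rejects anything else, so derive a safe variant instead of failing.
local_host_name() {
    printf '%s\n' "$1" | sed 's/[^A-Za-z0-9-]/-/g' | cut -c1-63
}

# Apply the name. Off macOS, or with DRY_RUN set, only report what would be done.
apply_name() {
    name=$1
    if is_generic_name "$name"; then
        echo "refusing to rename: '$name' is still a generic DEP name" >&2
        return 1
    fi
    if ! parse_name "$name" >/dev/null; then
        echo "refusing to rename: '$name' does not match the naming convention" >&2
        return 1
    fi
    lhn=$(local_host_name "$name")
    if [ "$(uname)" != "Darwin" ] || [ -n "$DRY_RUN" ]; then
        echo "would set ComputerName=$name LocalHostName=$lhn"
        return 0
    fi
    scutil --set ComputerName "$name"
    scutil --set LocalHostName "$lhn"
    scutil --set HostName "$name"
    # Submit inventory so the JSS sees the new name before the bind policy is scoped.
    /usr/local/bin/jamf recon
}

# Jamf Pro reserves $1-$3 (mount point, computer name, username); $4 is the asset tag field.
if [ $# -ge 4 ]; then
    apply_name "$4"
fi
```

The refusal checks are a second guard, not a replacement for the smart-group exclusion the post describes: the bind policy should still be scoped so that a Mac with a generic or malformed name never reaches it, and the rename policy should run before the bind policy on the same check-in.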

Chicken_Dinner
New Contributor II

@mconners Thank you, Sir! It was an amazing answer, which solved all the questions that I have had so far : )

gachowski
Valued Contributor II

Friends don't let Friends bind to AD.

C

Chicken_Dinner
New Contributor II

@gachowski Hi Friend, then what do you recommend for macOS? I have read about NoMad before... Are you using this one?

gachowski
Valued Contributor II

If you can make them work in your environment anything is better than binding...

NoMad

or

EC from Apple
https://www.jamf.com/jamf-nation/discussions/17757/about-enterprise-connect

And or

Local passwords enforced by MDM/config profiles or scripts...
https://www.jamf.com/jamf-nation/discussions/18574/user-password-policies-on-non-ad-machines

Local passwords are worth effort...

C

Chicken_Dinner
New Contributor II

@gachowski Can I ask you why you don't like to bind Macs to the domain? Because of the slow login and keychain?

gachowski
Valued Contributor II

@OF-Jamf

  1. Will not stay bound over time.
  2. FileVault partition and AD password sync.
  3. Never works correctly on the 1st build of the OS... you usually have to wait to X.X.3
  4. It's the past, with Apple supporting macOS less and less it's very easy to guess that it's not getting any resources inside Apple.

IMO it's not a question of why not, but why would you not follow one of the largest modern Apple install bases, IBM? Apple won't say it publicly, but local password config profiles are their recommendation. I think they even moved AD binding to the last option in their public support docs.

AD password issues were about 20% of our Helpdesk tickets.

C

PS My favorite argument I used when my org was pushing back was... it's how we manage iPhones, so why manage macOS differently?