Jamf Nation Community

@mconners Thank you so much for your detail answers : )

But here is my question. If I decommission our existing old macs and buy new ones in the future, which DEP is enabled, but how can you bind them through the script or Jamf Pro? I am wondering how we can do this DEP process nicely under this situation.

Hello @OF-Jamf we use DEP here as well. Once the Mac is brought into Jamf, it usually has a very generic name like MacBook or iMac. We have a smart group look for any computer with a name like those. We exclude this smart group from any of our policies and profiles meaning, they won't get bound to AD or receive any settings until named.

We then have a policy for binding to AD. This policy runs on check in, which in our case is every 30 minutes.

The other missing piece I should have mentioned earlier, we take the asset tag field and enter in the correct name, yes, we do this for all of our new Macs we have to touch. I haven't found an easy way to get these names populated and even have a feature request asking for a change or addition to naming for DEP.

Anyhow, we have a script that runs immediately when the name is changed. It will pull the asset tag field's name and move it to the computer name's field. This is done as step 1 of our workflow (literally the policy is named 01 Rename Computer), the third step is to bind to AD with the computer name field. This binding policy has an exclusion for any misnamed Macs, mentioned in the smart group earlier so we don't accidentally bind using the incorrect name.

So in summary, we find the serial number of the new Macs, locate the computer in the JSS, enter in the correct name and save it. The policies will begin to run as soon as the Mac checks in.

@mconners Thank you, Sir! It was an amazing answer, which solved all the question that I have had so far : )

Friends don't let Friends bind to AD.

C

@gachowski Hi Friend, then what do you recommend for Mac OS? I have read about NoMad before... Are you using this one?

If you can make them work in your environment anything is better than binding...

NoMad

or

EC from Apple
https://www.jamf.com/jamf-nation/discussions/17757/about-enterprise-connect

And or

Local passwords enforced by MDM/config profiles or scripts...
https://www.jamf.com/jamf-nation/discussions/18574/user-password-policies-on-non-ad-machines

Local passwords are worth effort...

C

@gachowski Can I ask you why you don't like to bind Mac to the domain? Becuase of the slow login and keychain?

@OF-Jamf

1. Will not stay bound over time.
2. FileVault partition and AD password sync.
3. Never works correctly on the 1st build of the OS... you usually have to wait to X.X.3
4. It's the past, with Apple supporting macOS less and less it's very easy to guess that it's not getting any resources inside Apple.

IMO it's not a question of why not but why would you not follow one the largest modern Apple install base IBM? Apple won't say it publicly but local password Config profiles are their recommendation. I think they even moved the AD binding to the last option on their public support docs.

AD password issues were about 20% of our Helpdesk tickets.

C

PS My Fav argument I used when my org was pushing back was .. it's how we manage iPhones so why manage macOS differently?