Shared iMac's Best Practices - Education

djennings
New Contributor

Hi,

Reaching out to find out the best practices used in education in a shared lab with Active Directory binding. All user accounts are in Active Directory and use these credentials to log in to the iMac. No mobile account is created at login; it is simply treated as a network account.

When a student logs into the computer for the first time, it takes roughly 2 minutes to get to a point where everything has loaded. We use Sophos, Office 365 apps, Teams, and mounting of network drives at login. All apps seem to be sluggish when first opening an app, etc.

I'm interested to know how others are set up? Is creating Mobile Accounts a better way to go? I remember testing this but had issues with Keychain, which kept giving me errors.

The majority of the time the student uses the same computer every lesson, which makes a dramatic difference, and login is seamless.

Any advice is much appreciated.


dlondon
Valued Contributor

Prior to Catalina I was using Mobile accounts for consistency. However, my login times blew out to sometimes as much as 15 minutes. I found that the Network accounts gave much better times (around what you see or less), so I went that route for the labs.

Sounds like you have it right

I don't even mount drives. There's the icon on the Dock to get to their network home drive, but that's a manual step they do. We will be changing to OneDrive eventually.

djennings
New Contributor

Thank you for your response @dlondon. That's good to hear network accounts are the way forward. I agree. Much faster. OneDrive is something we would look to implement also. All staff folders are redirecting to OneDrive.

Qwheel
Contributor II

Previously we bound devices to the domain.
When we got JAMF'ed, we moved to NoLoAD with local accounts.
First-time logins do take some time, and you can't just delete 'home directories' to wipe users. 5400rpm HDDs and FDs need to be thrown in the bin.

However, I haven't seen a keychain error in forever, nor have I seen the issue where a device is out of sync with the AD service and valid credentials fail to let the user log in.

I always thought it was funny entering (off the top of my head)
groups <username>
into Terminal, as it listed all the security groups for that user (I don't know the security implications of them being associated with users). That doesn't happen on local accounts. You get the bog-standard local experience that any user would get: a small number of associated groups that the OS and installed applications expect to exist and be associated with the user.

dlondon
Valued Contributor

I did do a bit of work to investigate the long logon times. We have about 9 AD domain controllers and not all are reachable when on site. The others are in Azure. Microsoft clients recognize Sites, so they ignore the ones that are not in our "On Premises" site when here on our network. Macs unfortunately get the full list from DNS and just work through them until something answers at logon. That to me explains some of the randomness in the times for first logon, but not why it takes such a long time when creating a Mobile Account versus a Network Account.
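As an added example (not dlondon's script or anything from the thread), the check below makes the DNS behaviour described above visible from a Mac: it pulls the same domain-controller SRV records a site-unaware client walks through and reports which of them actually answer on LDAP. The domain name is an assumed placeholder, and the embedded `dig` output is a constructed sample so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the thread. Lists the domain controllers a Mac
# discovers via the AD DC-locator SRV record and checks which ones answer
# on the LDAP port, so you can count how many unreachable (e.g. Azure-hosted)
# DCs a logon may try before one responds.
# AD_DOMAIN is an assumed placeholder; set it to your own AD domain.
AD_DOMAIN="${AD_DOMAIN:-ad.example.edu}"

# Constructed sample of what
#   dig +noall +answer SRV _ldap._tcp.dc._msdcs.$AD_DOMAIN
# returns; the hostnames are invented for the offline demo.
SAMPLE_SRV='_ldap._tcp.dc._msdcs.ad.example.edu. 600 IN SRV 0 100 389 dc-azure1.ad.example.edu.
_ldap._tcp.dc._msdcs.ad.example.edu. 600 IN SRV 0 100 389 dc1.ad.example.edu.
_ldap._tcp.dc._msdcs.ad.example.edu. 600 IN SRV 10 50 389 dc-azure2.ad.example.edu.'

# parse_srv: read dig SRV answer lines on stdin and print
# "priority weight port host", ordered by ascending priority then
# descending weight (the order a site-unaware client tries them),
# with the trailing dot stripped from the hostname.
parse_srv() {
  awk '$4 == "SRV" { sub(/\.$/, "", $8); print $5, $6, $7, $8 }' |
    sort -k1,1n -k2,2nr
}

# dc_count: number of DCs advertised in an SRV answer read from stdin.
dc_count() {
  parse_srv | wc -l | tr -d ' '
}

# check_dc HOST PORT: succeed if a TCP connection opens within 3 seconds.
# Uses the nc shipped with macOS (-z: no data sent, -G: connect timeout).
check_dc() {
  nc -z -G 3 "$1" "$2" >/dev/null 2>&1
}

# survey_dcs: resolve the live SRV list for AD_DOMAIN and report each DC.
survey_dcs() {
  dig +noall +answer SRV "_ldap._tcp.dc._msdcs.$AD_DOMAIN" | parse_srv |
    while read -r prio weight port host; do
      if check_dc "$host" "$port"; then
        printf 'reachable   prio=%s weight=%s %s:%s\n' "$prio" "$weight" "$host" "$port"
      else
        printf 'UNREACHABLE prio=%s weight=%s %s:%s\n' "$prio" "$weight" "$host" "$port"
      fi
    done
}

# Offline demo on the constructed sample; the live survey only runs when
# the script is invoked with the argument "live".
printf 'sample advertises %s DCs:\n' "$(printf '%s\n' "$SAMPLE_SRV" | dc_count)"
printf '%s\n' "$SAMPLE_SRV" | parse_srv
if [ "${1:-}" = "live" ]; then
  survey_dcs
fi
```

Run it as `sh dc-survey.sh live` on a lab Mac while on the campus network; every line marked UNREACHABLE is a DC the Mac may wait on before logon proceeds. Comparing this list with the site-scoped record (`_ldap._tcp.<SiteName>._sites.dc._msdcs.<domain>`) shows what a site-aware Windows client would have used instead.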

dlondon
Valued Contributor

Regarding the Keychain: one of my friends used to blow keychains away at login in the labs to get around issues with old domain passwords. Brutal, but it's a way.