Best Practice - AD Integration & Check

MBrownUoG
Contributor

Hey folks,

I'm relatively new to Jamf and taking over a system three years in development by our previous Mac admin, and I was wondering if anybody had any tips on best practice for AD enrollment and then checking for any Macs that drop off, with a mechanism for automatic re-join?

We have a setup at the moment that deploys an initial policy with a directory binding payload, and then a system whereby a script is run to re-bind the Mac should it drop into one of several computer groups based on a "joined to AD" extension attribute.

That extension attribute is proving troublesome however as it has stopped populating via our api script (case open with Jamf at the moment).

However while I'm poking around with that, I was wondering how other folks handle this? We're an educational institution with a large amount of labs, so I was hoping to streamline and make this as efficient as possible.

8 REPLIES 8

davidacland
Honored Contributor II

We have used the policy and EA route previously, but it is difficult to get it to run without issues. DS caching and other aspects can give inaccurate results.

We've had more positive results by using Configuration Profiles to bind recently so I'd recommend trying that out.

kerouak
Valued Contributor

Set up a smart group that captures the unbound macs, then run the rebind from that.. Ongoing.
That's how we resolved it.

MBrownUoG
Contributor

Thanks both. Kerouak, just to check, is your smart group using the "Active Directory Status" advanced criteria to filter the unbound Macs? And do you use a script to rebind?

kerouak
Valued Contributor

@MBrownUoG There is a Criteria "AD Connection Check" Then enter value "Unbound'

Use that one.

G'Luck!

MBrownUoG
Contributor

Hmmm, I seem to be missing that one?

The only criteria I can see on our system regarding AD is the built-in "Active Directory Status", and then our extension attribute "AD Member Test".

kerouak
Valued Contributor

oops, sorry mate, That was an EA that was produced a while ago.. I forgot :-)

We use our EA and the "Active Directory Status"

MBrownUoG
Contributor

Out of curiosity, David, you mentioned using configuration profiles instead of policies and EA... is there a setup guide i could have a look at kicking around anywhere? Do you configure one profile to join the Mac and then leave it at that, or do you have any checks in place to re-apply, etc?

mark_mahabir
Valued Contributor

Does anything here help?