Mobile account/ FV2 login times

Matt_Ellis
Contributor II

So I am trying to improve the start-up times of our AD-bound Macs. These systems have FileVault 2 enabled and the main user's account is a mobile account. Right now I'm seeing login times of 1 min 42 s when the system is off the network and 43 s when it's on the network.

I was under the impression that if it's a mobile account, the system should look locally for the credentials first and not actively seek out a DC. I have disabled the option "Allow authentication from any domain in the forest", which seemed to have helped a bit with start-up times.

Anyone else have any suggestions?

Laptop:
OS X El Capitan 10.11.4
MacBook Pro (Retina, 15-inch, Mid 2015)
Processor: 2.8 GHz Intel Core i7
Memory: 16 GB 1600 MHz DDR3
GFX: AMD Radeon R9 M370X 2048 MB

AD Environment
Server 2008 R2 systems
Dual DCs in local offices


tthurman
Contributor III

You could turn off Automatic Login. This would create a "Duo-Login" process.

When you boot the machine, you would need to unlock the drive with a valid account. It would then take you to a login screen, where you could log in via cached credentials.

If I remember correctly, it's because the system is trying to access the network before having network availability.

sudo defaults write /Library/Preferences/com.apple.loginwindow.plist DisableFDEAutoLogin -bool YES

(You may have already looked at these options.)

Regards,
TJ

AVmcclint
Honored Contributor

What's probably happening is that when the user authenticates against the locally cached password, it then tries to mount the user's network home directory (as it was told from the user's AD record). When it's off the network, obviously it won't be there, but the computer will keep trying and trying until it gives up. I see the exact same thing with our Macs.

Matt_Ellis
Contributor II

@tthurman I can't turn off the SSO for FileVault or my users will go nuts. @AVmcclint The thing about the network home directory is there isn't one, unless AD is passing their personal file share. I wonder if there is a way to disable that from happening. I did try this and it sped up the login when on the network, but not much when off the network: "dsconfigad -sharepoint disable"

I'm wondering if there is a timeout or something I can alter to lower the amount of time it tries to connect to that folder.

AVmcclint
Honored Contributor

I'm curious, how did you create the users as Mobile Users if they don't have a home directory specified in AD? Whenever I try to do that, the user is not permitted to log in to the Mac for the first time. Once the home directory is defined and the user can log in and get created as a Mobile User, it caches the info, and being a Mobile User assumes that sometimes the home directory might not be available and allows the user to log in just fine... but it will do everything it can to look for it at login.

As for the issue at hand... Have you looked at the system.log on the computer to see if there are any errors or repeated attempts to do something after boot up?

tthurman
Contributor III

@Matt.Ellis

See, that's what I thought. Until we showed the difference to the Powers That Be. They were like, uh, the faster one. Always.

--
TJ

Matt_Ellis
Contributor II

@AVmcclint We specify a home folder in AD for all users; I'm guessing that's what it's using as the "Home directory", but we also have Google Drive and Dropbox, so no one uses them. If I can suppress that from trying to connect or cut down on the minute-and-10-seconds timeout, I'm thinking that might speed it up, since the actual home folder is local.

bainter
Contributor

@Matt.Ellis What are the sync options set in System Preferences --> Users & Groups --> (current user) --> Password --> Mobile Account: Settings? Ours is set by Group Policy via Centrify, as is whether network home folders would automount, and that should be disabled.

As a test, check to see what effect turning off WiFi has on the login times when offsite.

Matt_Ellis
Contributor II

So I tested with the mobile account settings set to "Manual" and to not sync any folder at login/logoff.

Before I did that I was seeing the following:
On Ethernet login: 43 seconds
Off Ethernet login: 1 min 42 seconds

After the change:
On Ethernet: 35 seconds
Off Ethernet: 1 min 39 seconds

Funny thing is, after I went back into the settings, the applications and Parallels applications re-checked themselves.


bainter
Contributor

Well, that's not much of an improvement. Our settings are set in Centrify group policy, so I can't adjust it.

Matt_Ellis
Contributor II

@bainter I'm going to try and see if there is a plist or some command-line way I can tell it to just not try for the home folder at all, since we don't use them.

AVmcclint
Honored Contributor

If the users never use their network home folder, have you looked at unchecking this option?
(screenshot of the Directory Utility option attached)
I've never disabled that option myself because every Mobile User environment I've worked in uses their network home folder.

zedd
New Contributor II

@AVmcclint In our environment we always uncheck that box. Never used it and it doesn't really matter, we instruct our users to "Connect to Server" if they need the home directory. From what I have seen most Mac users know how to do this and don't complain about not having their home directory mapped.

We have a similar setup as well, FileVault 2 enabled with Mobile Account, and boot time is around 20 - 30 seconds without that option checked.

jhalvorson
Valued Contributor

Have you tested setting the DSBind timeout to a shorter value?

defaults write /Library/Preferences/com.apple.loginwindow DSBindTimeout -int 18

The above will set the timeout wait period to 18 seconds. (Last I recall reading in the forum was that the default value by Apple is 120 seconds. Not sure if that is still true with 10.11.)

In our environment, setting it to as low as 5 will work. But going too low can affect how a wired, on-campus device authenticates.

There's more info about this setting here:
802.1X Wireless Login Window Authentication-Slow Login
Login window delay after logging in
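An added audit script, not from this thread or from Apple, that checks the settings the replies above tie to slow logins (sharepoint mounting, authentication from any domain, mobile account creation, DSBindTimeout); it assumes `dsconfigad -show` prints the option labels used in the constructed sample, and falls back to that sample when the macOS tools are not present.

```shell
#!/bin/sh
# Added example (not from the thread). ad_login_delay_warnings takes the text
# of `dsconfigad -show` as $1 and prints one WARN line per setting that makes
# loginwindow wait on the network before a mobile user gets to the desktop.
ad_login_delay_warnings() {
  while IFS= read -r line; do
    case "$line" in
      *"Mount home as sharepoint"*"= Enabled")
        echo "WARN: network home is mounted at login; fix: sudo dsconfigad -sharepoint disable" ;;
      *"Authentication from any domain"*"= Enabled")
        echo "WARN: auth from any forest domain is on; fix: sudo dsconfigad -alldomains disable" ;;
      *"Create mobile account at login"*"= Disabled")
        echo "WARN: no mobile account, so nothing is cached offline; fix: sudo dsconfigad -mobile enable" ;;
    esac
  done <<EOF
$1
EOF
}

# bind_timeout_warning takes the current DSBindTimeout value ("" when the key is
# unset) and a ceiling in seconds; it warns when the wait exceeds the ceiling or was never set.
bind_timeout_warning() {
  timeout=${1:-unset}
  ceiling=${2:-18}
  if [ "$timeout" = unset ] || [ "$timeout" -gt "$ceiling" ]; then
    echo "WARN: DSBindTimeout is $timeout; fix: sudo defaults write /Library/Preferences/com.apple.loginwindow DSBindTimeout -int $ceiling"
  fi
}

# Constructed sample in the `dsconfigad -show` layout (assumed labels), used
# when the macOS tools are absent so the checks can be exercised anywhere.
SAMPLE_SHOW='Advanced Options - User Experience
  Create mobile account at login = Enabled
  Mount home as sharepoint       = Enabled
Advanced Options - Administrative
  Authentication from any domain = Enabled'

if command -v dsconfigad >/dev/null 2>&1; then
  SHOW=$(dsconfigad -show)
  TIMEOUT=$(defaults read /Library/Preferences/com.apple.loginwindow DSBindTimeout 2>/dev/null)
else
  SHOW=$SAMPLE_SHOW
  TIMEOUT=""
fi
ad_login_delay_warnings "$SHOW"
bind_timeout_warning "$TIMEOUT" 18
```

Run it as root on a bound Mac to get the live settings; each WARN line names the dsconfigad or defaults command that clears it.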

Matt_Ellis
Contributor II

@AVmcclint and @jhalvorson I'll give both those options a shot. Anything to get it down from 1 minute and 40 seconds, lol. I'll post updates today as I get a chance to test those out. Thanks.

Matt_Ellis
Contributor II

@AVmcclint and @jhalvorson you two are the best. On-network performance is 35 seconds, but the biggest is off-network from a cold boot, which is now 58 seconds compared to 1 min 40 seconds. It's still trying to mount the home folder for some reason.

I'm going to test on a system that is bound initially with those options and see how fast it is.