Active Directory on macs

Marquardt
New Contributor

We are having an issue here in the district where the Macs are no longer pulling from Active Directory. Some are working just fine, but others that say they have completed the AD bind are not letting any user in unless it's the local admin account. I have taken the AD profile off and then reinstalled it back to the Macs and the issue continues.
There are also two Macs that are listed under scope for the configuration, but when it goes to install, it never completes, and when I delete the machine and re-add it the same issue happens. Has anyone ever seen this before? Any suggestions?

edickson
Contributor

Two recommendations.

  1. Remove the AD profile from the Mac, then remove the Mac from ADUC (Active Directory Users and Computers). Rebind again.

  2. It is not really necessary anymore to bind Macs to AD, this will also solve a lot of headache for you (or your IT department as well).

joelsenders
New Contributor III

Yes look into Jamf Connect or NoMAD. I left the bind years ago and have been happy ever since.

jkaigler
Contributor II

I am in the early testing phase of NoMAD; it seems to work fine so far, other than not getting the logo and background change working. And it's free, great for my budget.

NYBGIT
New Contributor III

@edickson Can you elaborate on your second recommendation? A workplace like mine requires machines to be on AD because we want to allow everyone secure access to any machine. How is this not necessary for Macs? How do you validate different users?

abartkiewicz
New Contributor II

First, I'm not really a Mac guy, but I would guess your issue is due to non-standard computer names. If you have something strange in the computer name like $ or %, or the name is too long for AD to process, that can stop them from joining AD. I strongly disagree with Macs not needing to be added to AD.

ammonsc
Contributor II

@edickson

It is not really necessary anymore to bind Macs to AD, this will also solve a lot of headache for you (or your IT department as well).

Unfortunately for a lot of Enterprises it is very necessary to bind to AD. Or "just don't use a Mac" is the answer.

diradmin
Contributor II

@ammonsc Amen to that. Tired of the "just don't bind" end-all-be-all fix preached by far too many who just don't get it.

iJake
Valued Contributor
Tired of the "just don't bind" end-all-be-all fix preached by far too many who just don't get it.

With all due respect, it's whoever is mandating you be bound to AD that doesn't get it. There is a reason Apple made Enterprise Connect and has now integrated that concept into Catalina. Binding on Macs is a bad practice in all but certain situations and you should be pushing back on it.

larry_barrett
Valued Contributor

School here. AD ties into literally everything. Zero problems on any Mac. Ever. YMMV.

cbrewer
Valued Contributor II

Also representing education. Binding works well with very few issues. Tired of every AD question turning into a stop binding argument. I get where binding is no longer needed in some environments - especially companies where 99% of their fleet is a Mac assigned to a single employee. Education environments are typically far from that.

I will admit there are quite a few variables to binding that can make a big difference in how things work. Mobile accounts enabled? Use Windows UNC path for home? Posting the output of "dsconfigad -show" might be a good start when looking for help.

hdsreid
Contributor III

Don't want to derail this thread too much, but those of you binding: are you using FileVault as well? Mobile accounts/AD gave us so many issues with FileVault that we determined it was worth it to just cut the losses and stop binding. I am in the position where our Macs are one-user devices and we are going more and more cloud these days, so it's easier to get away without any bind.

larry_barrett
Valued Contributor

@hdsreid We do not use FV at all for staff or students. I personally don't use it either.

abartkiewicz
New Contributor II

Work in Education and we bind to AD and use FV. It works great! Does make it harder for people to share laptops, but that's just how Macs work.

tnielsen
Valued Contributor

If you want some free help, give me a call at 212.251.1211 I have nailed down the whole mac binding process without NoMad.

iJake
Valued Contributor

The certain situations I mentioned were in reference to shared machines. For anyone where that is not the case, what is your argument FOR binding? Either way, I would encourage anyone still binding to start looking at alternatives now. The writing is on the wall for Apple to completely deprecate it, IMO.

AdamCraig
Contributor III

We're looking into getting out of the AD binding world. It is the transition that concerns me the most, TBH. That being said, to manage binding I have EAs that try to detect bad AD binds and scripts that rebind automatically. I have scripts in Self Service that fix FV2 issues when users change their passwords not via NoMAD or Sys Prefs, and we regularly have to deal with Keychain issues that result from the same thing.
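One way to build the kind of bind-health extension attribute described above, written as an added example for this thread (not AdamCraig's script or anything from Jamf). It assumes the Jamf convention of wrapping the reported value in <result> tags, the "You are bound to Active Directory" / "You are not bound" wording of dsconfigad -show, that dscl localhost -list "/Active Directory" returns the NetBIOS domain used in the node path, and a placeholder probe account (PROBE_USER) that you replace with a real low-privilege domain account. The sample dsconfigad output is constructed so the classifier can be exercised off a Mac:

```shell
#!/bin/bash
# Added example: Jamf Extension Attribute that reports whether the Mac is bound
# to Active Directory and, if so, whether the directory node actually answers.
# A Mac that is "bound" yet lets nobody but the local admin log in (the symptom
# in the original post) can then surface as "directory node NOT responding".

PROBE_USER="svc-adprobe"   # assumption: a low-privilege domain account that exists in AD

# ad_bind_health TEXT STATUS
#   TEXT   : the output of `dsconfigad -show`
#   STATUS : exit status of a dscl read against the AD node (0 = it answered)
# Prints a one-line health string for the EA.
ad_bind_health() {
    show="$1"
    probe_status="$2"
    if ! printf '%s\n' "$show" | grep -q '^You are bound to Active Directory'; then
        printf 'Not bound'
        return 0
    fi
    # Pull the domain from the "Active Directory Domain = ..." line.
    domain=$(printf '%s\n' "$show" | awk -F'= *' '/Active Directory Domain *=/ {print $2; exit}')
    if [ "$probe_status" -eq 0 ]; then
        printf 'Bound to %s: directory node responding' "$domain"
    else
        printf 'Bound to %s: directory node NOT responding' "$domain"
    fi
    return 0
}

# Constructed samples of `dsconfigad -show` output, used for offline testing.
SAMPLE_BOUND='You are bound to Active Directory:
  Active Directory Forest          = example.local
  Active Directory Domain          = example.local
  Computer Account                 = mac-lab-01$'
SAMPLE_UNBOUND='You are not bound to Active Directory.'

# Live collection: only runs where the macOS directory tools exist.
if command -v dsconfigad >/dev/null 2>&1 && command -v dscl >/dev/null 2>&1; then
    show_output=$(dsconfigad -show 2>/dev/null)
    # The dscl node is named after the NetBIOS domain (assumption: a single domain).
    node=$(dscl localhost -list "/Active Directory" 2>/dev/null | head -n 1)
    probe=1
    if [ -n "$node" ]; then
        # Reading one attribute of a known domain account proves the node answers.
        dscl "/Active Directory/$node/All Domains" -read "/Users/$PROBE_USER" RecordName >/dev/null 2>&1
        probe=$?
    fi
    printf '<result>%s</result>\n' "$(ad_bind_health "$show_output" "$probe")"
fi
```

Because the classification is split out into ad_bind_health, the same logic can be reused in the rebind script that acts on a bad result, and the EA value stays a stable string that a smart group can key on.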

ammonsc
Contributor II

@strayer Can you share your FV2 script?

AdamCraig
Contributor III

@ammonsc This script requires that you have a local admin account, whose admin name and admin password you then pass as variables in Jamf.

#!/bin/bash

# Re-adds the logged-in user to FileVault 2 after a password change that
# bypassed NoMAD / System Preferences, using a local admin account.
# Referenced this article for some of the commands:
# https://www.jamf.com/jamf-nation/discussions/26608/adding-user-to-filevault-using-fdesetup-and-recovery-key

# Jamf passes the target user as $3 and the admin credentials as $4 / $5.
userName=$3
adminName=$4
adminPass=$5

# Refuse to run against the admin accounts themselves. (Compares to "$adminName",
# not the literal string "adminName", and shows the dialog before exiting.)
if [[ "$userName" == "$adminName" ]] || [[ "$userName" == "admin0417" ]]; then
    echo "Admin user is logged in."
    dialog="Do Not run this tool when logged in as Admin! Exiting!"
    /usr/bin/osascript -e "tell app \"System Events\" to display dialog \"$dialog\""
    exit 1
fi

# Drop the stale FileVault entry so the user can be re-added with the new password.
fdesetup remove -user "$userName"

echo "prompting user for Account Password"
userPass=$(/usr/bin/osascript <<'END'
tell application "System Events"
    activate
    set the answer to text returned of (display dialog "Enter your Current Account Password:" default answer "" with hidden answer buttons {"Continue"} default button 1)
end tell
END
)

# Drive the interactive fdesetup prompts with expect. Credentials are handed over
# through the environment and read with $env(...) so quotes or Tcl metacharacters
# in a password cannot break the script; each send ends in \r to submit the answer.
export userName adminName adminPass userPass
/usr/bin/expect -c '
set timeout 30
spawn /usr/bin/fdesetup add -usertoadd $env(userName)
expect "Enter the primary user name:"
send -- "$env(adminName)\r"
expect "Enter the password for the user "
send -- "$env(adminPass)\r"
expect "Enter the password for the added user "
send -- "$env(userPass)\r"
expect eof
'
unset adminPass userPass

# fdesetup list prints "username,UUID" per enabled user.
fdeList=$(fdesetup list | grep "$userName")

if [[ "$fdeList" == *"$userName"* ]]; then
    echo "$userName Added successfully"
    dialog="$userName Added successfully"
    /usr/bin/osascript -e "tell app \"System Events\" to display dialog \"$dialog\""
    exit 0
else
    echo "Adding $userName to FV2 Failed"
    dialog="Adding $userName to FV2 Failed"
    /usr/bin/osascript -e "tell app \"System Events\" to display dialog \"$dialog\""
    exit 1
fi

AdamCraig
Contributor III

Here is a link to my keychain password script which is in progress and I detail that more in this post