Unbind from AD – The Silent Way

In my last post I detailed how NoMAD Login 1.4 can be used to silently convert a Mobile account to a Local account using the demobilize function. If the Mac is bound to AD, the bind will still be in place after the demobilize completes, so you may want to remove the bind as well.

Again, this can be done silently and is very simple using an MDM like jamf.

Create a new policy and name it something like AD Unbind
Set the Trigger to be Check-in
Set the Execution Frequency to be Once per Computer
Add a Files & Processes payload
File and Processes

In the Execute command section add the following:
Execute Command

dsconfigad -force -remove -u test -p test

This will remove the bind. Because -force is used, the -u (username) and -p (password) values can be anything you want.
Scope the policy to your devices and save.

On next check-in the bind will be gone. To test, grab a Mac that is bound to AD, open Terminal and force a check-in with:
sudo jamf policy

You will see the policy run. Then open System Preferences > Users and Groups, click Login Options, and where the bound domain used to show with a green dot it will now just show as below.

Bind Gone

That’s it.

Mobile to Local – The Silent Way

Apple is encouraging Enterprise Mac Admins to shift away from binding to Active Directory and Mobile accounts. If you have Macs with Mobile accounts they can be converted to Local, and there are some great scripts to do this. The one from Rich Trouton is very good and there is also a Swift app by Leslie Helou. However, these require user interaction. If you want a silent way to switch, there is a very simple alternative option.

NoMAD Login 1.4+ allows silent Mobile to Local conversion using the demobilize function and it’s very simple to deploy via jamf MDM.

Head over to the NoMAD Login page on gitlab and have a quick read about NoMAD Login:
https://gitlab.com/orchardandgrove-oss/NoMADLogin-AD/-/wikis/home

Download NoMAD Login here:
https://files.nomad.menu/NoMAD-Login-AD.pkg

Once you have downloaded the pkg, add it to jamf in the usual way, create a new Policy and add NoMAD-Login-AD.pkg to the Packages payload:
Jamf Policy

Add to the Policy a Files & Processes payload:
File and Processes

In the Execute Command section add the following:
Execute Command

authchanger -reset -demobilize;defaults write /Library/Preferences/menu.nomad.login.ad.plist DemobilizeUsers -bool true;sudo jamf recon

This command will instruct NoMAD Login to demobilize, which is NoMAD Login speak for converting from Mobile to Local, and for good measure runs a jamf recon.

The policy can be scoped to your devices as you require and run with the options you require, for example at Check-in. The policy only needs to run once. You could also make it a Self Service item and instruct your users to run it from Self Service when they require.

Once run, the user will need to log out or reboot, and at next login the account will switch from Mobile to Local. You could request this in your policy or force a reboot, but as we want this to be silent simply wait for the user to perform the action. The first login after the policy has run may be a little slower.

You may also want to collect account information about which type of account is on the Mac. This can be done via a simple Extension Attribute script.

Create an EA script using the below:

#!/bin/sh
# List users that carry an OriginalNodeName attribute. Only Mobile (AD-cached)
# accounts have one, so an empty list means every account on the Mac is Local.
NETACCLIST=$(dscl . list /Users OriginalNodeName 2>/dev/null | awk '{print $1}')
if [ -z "$NETACCLIST" ]; then
    echo "<result>Local</result>"
else
    echo "<result>Mobile</result>"
fi
exit 0

When a Mac next does a full jamf inventory update, the account type will be collected and show:
Mobile or Local

If you have a mixed environment of Mobile and Local accounts set up the EA and let it run for a few days or weeks collecting device account type. Then create a Smart Group to show devices that have Mobile accounts and scope your Mobile to Local Policy to the smart group.

If the Mac is bound to AD, the demobilize will leave the bind in place. This can be removed when required by another simple policy, which I've detailed in this post.
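As an added example (not from the original post), here is a small audit script that ties the two policies together: it parses the output of dsconfigad -show and dscl . list /Users OriginalNodeName to report whether the Mac is still bound, which accounts are still Mobile, and whether NoMAD Login's DemobilizeUsers key is set, so you can tell "policy ran" apart from "conversion actually happened". The function names and the sample outputs in the comments are my own; the tools and the plist path are the ones used above.

```shell
#!/bin/sh
# Added example: post-deployment audit for the unbind and demobilize policies.
# Assumes macOS dsconfigad(8), dscl(1) and defaults(1); the parsers take the
# tool output on stdin so they can be exercised with constructed input.

# Parse `dsconfigad -show` output, e.g. (constructed sample):
#   You are bound to Active Directory:
#       Active Directory Domain          = corp.example.com
# Prints the domain, or "Not bound" when no domain line is present.
bind_domain_from_show() {
    awk -F'= ' '/Active Directory Domain/ { print $2; found = 1 }
                END { if (!found) print "Not bound" }'
}

# Parse `dscl . list /Users OriginalNodeName` output, e.g. (constructed sample):
#   jsmith   /Active Directory/CORP/corp.example.com
# Only Mobile accounts carry OriginalNodeName; print their short names.
mobile_users_from_list() {
    awk 'NF >= 2 { print $1 }'
}

# Same classification the Extension Attribute above uses.
account_type() {
    if [ -z "$1" ]; then echo "Local"; else echo "Mobile"; fi
}

audit_live() {
    bind=$(dsconfigad -show 2>/dev/null | bind_domain_from_show)
    mobiles=$(dscl . list /Users OriginalNodeName 2>/dev/null | mobile_users_from_list)
    demob=$(defaults read /Library/Preferences/menu.nomad.login.ad.plist \
                DemobilizeUsers 2>/dev/null || echo "not set")
    printf 'AD bind: %s\nDemobilizeUsers: %s\nAccount type: %s\n' \
        "$bind" "$demob" "$(account_type "$mobiles")"
    if [ -n "$mobiles" ]; then
        printf 'Mobile accounts still present:\n%s\n' "$mobiles"
    fi
}

# Run the live audit only where the macOS directory tools exist.
if command -v dsconfigad >/dev/null 2>&1; then
    audit_live
fi
```

A Mac that reports "Not bound", DemobilizeUsers 1 and "Local" has completed both policies; one that still lists Mobile accounts has run the policy but the user has not yet logged out and back in.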

Happy demobilizing.