Forum Discussion
Configuring AD with macOS mobile account
I'm needing to use Active Directory and file sharing to create functional macOS mobile accounts. I've created the user accounts in AD and assigned them to a Profile Path on a valid share.
I successfully bind the macOS machine to the AD server. Everything looks good and I'm seemingly able to log into the machine with the credentials for any given user. Yet when I log in, the user's home folder doesn't get created on the server where the Profile Path is set to.
On a Windows 11 machine, this does get created as expected (and used) after logging in with an AD user. But, on the Mac, it doesn't. It looks like the mobile account just creates a local home folder and never pushes back, so to speak, to the AD server.
Does anyone have experience with this and know what I may be doing wrong?
Mike
6 Replies
- Automated Mounting Solutions:
- Apple Directory Utility
- Third-party MDM solutions
- Custom script triggered at login
Recommended Approaches:
- Implement Jamf Pro for comprehensive management
- Use connection scripts for consistent share access
- Consider cloud directory services for more flexible integration
- mikecd (Copper Contributor)
I believe that what I'm trying to do isn't supported by Apple anymore as Apple had stopped supporting "Portable Home Directories" several years ago. This would explain the behavior I'm seeing.
I am able to sign into a Mac with AD and the home directory just gets created locally on the user's machine. It isn't optimal, but it'll have to suffice.
Maybe there is a way to automatically mount shares on a Mac so that a user will at least see any network shares they have access to after logging in. I will investigate this approach.
Mike
Let me help clarify the Mac home directory and network share situation for you.
Home Directory Configuration for Macs with Active Directory:
- Apple deprecated Portable Home Directories (PHD) in macOS 10.13 (High Sierra)
- Modern approach is local home directory creation
- Home folder is now created locally on each Mac during first login
Network Share Access Options:
- Login Script Alternatives:
- Use managed preferences (MCX)
- Leverage Jamf Pro for automated share mounting
- Create a login script via shell script or AppleScript
- Manual Network Share Configuration:
    # Example mount command. Quote the URL: unquoted, the shell reads the ';'
    # between domain and username as a command separator and the mount never
    # runs. Leaving out ':password' makes mount_smbfs prompt (or use the user's
    # Kerberos ticket) instead of exposing the password in ps output and history.
    mkdir -p /Users/username/Shares
    mount -t smbfs '//domain;username:password@server/sharename' /Users/username/Shares
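The login-script approach above can be done without ever putting a password in a script. The following is an added example, not code from the thread: it converts the UNC path stored in AD into the URL form mount_smbfs accepts and mounts it with the Kerberos ticket the AD login already produced. The server, share and user names are placeholders, and it assumes the user has a valid TGT (check with klist) and that the share is reachable.

```shell
#!/bin/sh
# Added example (not from the thread): mount an AD user's SMB share at login
# using the Kerberos ticket from the AD login, so no password is typed into a
# script or left in shell history. Assumes: the share is reachable, the user
# has a TGT (check with `klist`), and the paths below are placeholders.

# unc_to_smb_url '\\server\share\folder' user  ->  //user@server/share/folder
# mount_smbfs accepts this form; with no ':password' and -N it uses Kerberos.
unc_to_smb_url() {
    # backslashes become slashes, then the leading // is dropped
    path=$(printf '%s' "$1" | tr '\\' '/' | sed 's|^//||')
    printf '//%s@%s' "$2" "$path"
}

# mount_point_for URL BASEDIR -> BASEDIR/<last path component of URL>
mount_point_for() {
    printf '%s/%s' "$2" "$(basename "$1")"
}

# mount_share URL MOUNTPOINT: idempotent, never prompts, never hangs a login.
mount_share() {
    url=$1
    mp=$2
    if mount | grep -q " on $mp "; then
        echo "already mounted: $mp"
        return 0
    fi
    mkdir -p "$mp" || return 1
    # -N: do not ask for a password; without a usable Kerberos ticket this fails
    # fast with a non-zero status instead of blocking the login script
    mount_smbfs -N "$url" "$mp"
}

# Usage: ./mount-shares.sh '\\fileserver\profiles\jdoe' jdoe
# Only runs when both arguments are given, so sourcing the file has no side effects.
if [ $# -eq 2 ]; then
    url=$(unc_to_smb_url "$1" "$2")
    mp=$(mount_point_for "$url" "$HOME/Shares")
    mount_share "$url" "$mp"
fi
```

Run it from a per-user LaunchAgent or an MDM login script. Because -N refuses to prompt, a missing or expired ticket produces a clear failure in the log rather than a stuck login window, and the mount point check makes repeated runs harmless.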
Summary of Key Steps to Resolve:
- Confirm the Profile Path in AD and ensure the SMB share permissions are correct.
- Enable mobile account creation on macOS during login (System Preferences > Users & Groups).
- Ensure the file server supports SMB and that macOS is using it.
- Check macOS Console logs and permissions for errors when creating the mobile account and profile folder.
- Ensure mobile account settings in Directory Utility are configured to map to the profile path.
By carefully checking these areas, you should be able to get macOS mobile accounts working with Active Directory roaming profiles.
When you bind a macOS device to AD, the system uses the mobile account feature to allow users to log in locally (even when disconnected from the network) and synchronize data with the AD server when reconnected. However, for the roaming profiles to work correctly, some specific configurations need to be followed.
Possible Causes and Solutions
1. Profile Path Configuration
- Check the Profile Path in Active Directory: Ensure that the Profile Path for the user account in AD is set correctly to a shared location on your file server. The path should be something like \\server\share\username.
- Example: \\fileserver\profiles\%username%
- On macOS, you may also need to set up the profile path slightly differently, depending on the version of macOS and the file-sharing protocol (like SMB vs. AFP).
2. Ensure the SMB Protocol Is Configured
macOS, starting with macOS 10.7 and later, typically uses SMB (Server Message Block) for file sharing with Windows/Active Directory servers instead of AFP (Apple Filing Protocol), which was used earlier. Ensure that your file server is configured to use SMB, and that the file share is accessible via SMB.
- Verify SMB is enabled on your file server (Windows or NAS device).
- Ensure that the shared folder allows read/write access to the user or group the AD user belongs to.
3. Check macOS Login and Mobile Account Settings
- When you bind a macOS device to AD, ensure that the Create mobile account at login option is enabled. This ensures that macOS will create a local mobile account and map it to the AD user’s profile folder.
- Go to System Preferences > Users & Groups > Login Options.
- Ensure Network Account Server is showing your AD server and Create mobile account at login is selected.
4. Permissions Issues on the File Server
The issue could also be related to file share permissions. macOS needs the appropriate permissions to create and write to the shared folder.
- Check that the AD user has Full Control or at least Modify access to the folder where you expect the profile to be created.
- On the file server (if it's a Windows server), ensure that the share permissions are set correctly and that the NTFS permissions allow the AD user to create folders and files in the profile directory.
5. Verify the Creation of the Home Folder
- Check the File Server: After logging in with an AD user account on macOS, check the shared folder to see if the home folder was created but may be missing certain permissions. Sometimes the home folder gets created but with incorrect permissions that prevent syncing or proper usage.
- If the folder is not created at all, check the Console logs on macOS for any errors or messages related to profile creation.
6. Mobile Account Settings on macOS
You’ll want to make sure that mobile accounts are configured correctly. When the user logs in for the first time, macOS should create the mobile account and store the local home folder on the Mac. The roaming profile on the server should be used for subsequent logins and sync actions.
- Check the /var/db/dslocal/nodes/Default/users/ directory on the macOS machine to see if the user’s account is created as a mobile account.
- If macOS is creating only a local home folder and not syncing with the AD profile, ensure the following:
- The home folder location is specified in the Directory Utility for the AD binding.
- You can set the home directory path in the AD binding settings in System Preferences > Users & Groups > Login Options > Network Account Server > Edit > Directory Utility.
7. Use of dsconfigad for AD Binding Configuration
If you are using macOS’s built-in AD binding, ensure that the dsconfigad tool is correctly configured. This tool helps set key settings for AD binding, including the creation of mobile accounts and syncing the home directory.
- Run the following commands on macOS to check the AD binding configuration: dsconfigad -show
- Check if the home directory is set correctly in this output.
8. Check the macOS Logs
- Review the Console logs on the macOS machine during login to check for any errors related to the profile creation process. Look for any messages related to Directory Services, SMB, or AD.
- To view logs:
- Go to Applications > Utilities > Console.
- Filter logs for "DirectoryServices" or "AD" to see if there are any errors when the mobile account is being created.
9. Other macOS Configuration Settings
- Ensure that the user is not configured with a "local" home directory. You can check the Directory Utility settings, as macOS sometimes defaults to creating local accounts rather than using roaming profiles from the network.
- Consider using Apple’s mcx settings for further control over mobile accounts if necessary.
- mikecd (Copper Contributor)
kyazaferr, I really appreciate your information and help. Below is the output from dsconfigad -show.
If the mobile account's home directory was not created on the Windows server at the first attempt on the MacBook, when the user first logs into the MacBook, shouldn't creation of the account be attempted whenever the machine successfully connects to the AD server?
I ask because once the user is logged into the Mac, it definitely shows that the "Network account server" is accessible (it shows the green dot) on the Users & Groups preference panel.
dsconfigad -show
Active Directory Forest = icad.local
Active Directory Domain = icad.local
Computer Account = it-backup-mb$
Advanced Options - User Experience
Create mobile account at login = Enabled
Require confirmation = Disabled
Force home to startup disk = Enabled
Mount home as sharepoint = Enabled
Use Windows UNC path for home = Enabled
Network protocol to be used = smb
Default user Shell = not set
Advanced Options - Mappings
Mapping UID to attribute = not set
Mapping user GID to attribute = not set
Mapping group GID to attribute = not set
Generate Kerberos authority = Enabled
Advanced Options - Administrative
Preferred Domain controller = 192.168.8.81
Allowed admin groups = domain admins,enterprise admins
Authentication from any domain = Enabled
Packet signing = allow
Packet encryption = allow
Password change interval = 14
Restrict Dynamic DNS updates = not set
Namespace mode = domain
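Two settings in the dsconfigad output above decide where the home folder lands. "Force home to startup disk = Enabled" is dsconfigad's -localhome option: with it enabled macOS always creates the home on the Mac's own disk and, because "Mount home as sharepoint" is also enabled, only mounts the network home as a share. The path it would use comes from the AD user's Home folder (homeDirectory) attribute when "Use Windows UNC path for home" is enabled; Profile Path is a Windows roaming-profile setting that macOS does not read or write. The script below is an added example, not code from the thread: it audits saved dsconfigad -show output for exactly these settings, using a constructed sample that mirrors the shape of the real output, so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: read `dsconfigad -show` output and flag
# the settings that decide whether an AD user's home lands on the local disk or
# on the network home taken from AD. Works on saved output, so it runs offline.

# Constructed sample mirroring the shape of real dsconfigad -show output.
SAMPLE_SHOW='Active Directory Forest = example.local
Active Directory Domain = example.local
Computer Account = mac01$
Advanced Options - User Experience
Create mobile account at login = Enabled
Require confirmation = Disabled
Force home to startup disk = Enabled
Mount home as sharepoint = Enabled
Use Windows UNC path for home = Enabled
Network protocol to be used = smb'

# ad_setting "<show output>" "<key>"  ->  prints the value after " = "
ad_setting() {
    printf '%s\n' "$1" | awk -F' = ' -v key="$2" '$1 == key { print $2; exit }'
}

# home_location "<show output>"  ->  prints "local" or "network"; the reason
# goes to stderr and the exit status is 1 when the home will stay on the Mac.
home_location() {
    show=$1
    force_local=$(ad_setting "$show" "Force home to startup disk")
    use_unc=$(ad_setting "$show" "Use Windows UNC path for home")
    if [ "$force_local" = "Enabled" ]; then
        echo "home stays on the startup disk: 'Force home to startup disk = Enabled'" \
             "(dsconfigad -localhome enable); the UNC home is only mounted as a share point" >&2
        echo local
        return 1
    fi
    if [ "$use_unc" != "Enabled" ]; then
        echo "home stays on the startup disk: the UNC path from AD is not used" \
             "(dsconfigad -useuncpath disable)" >&2
        echo local
        return 1
    fi
    # Both conditions met: the home path is derived from the user's AD
    # homeDirectory attribute (the "Home folder" field, not Profile Path).
    echo network
}

# Usage: ./ad-home-audit.sh --live   (runs against the bound Mac's real output)
if [ "${1:-}" = "--live" ]; then
    home_location "$(dsconfigad -show)"
else
    home_location "$SAMPLE_SHOW"
fi
```

On the sample the script reports "local" and explains why. Flipping the setting (dsconfigad -localhome disable, after setting each user's Home folder in AD to a UNC path the Mac can reach over SMB) is what would move the home to the server; either way the Profile Path field stays unused by macOS.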