Demobilizing and Unbinding Mobile Accounts with Jamf Connect and Jamf Pro

Jamf Connect connects local accounts to their network account in a cloud identity provider (IdP). For organizations transitioning from on-premise Active Directory to a cloud identity solution, Jamf Connect can also convert mobile accounts to local accounts; this process is called demobilization.

If you plan to unbind accounts from Active Directory in addition to demobilizing them with Jamf Connect, you must make sure to demobilize accounts before unbinding them. This ensures that the Active Directory domain can be reached during the demobilization process.

You can use Jamf Connect's demobilization feature to convert mobile accounts into local accounts on macOS computers before unbinding from Active Directory with Jamf Pro. To ensure demobilization, unbinding, and network account connection with Jamf Connect succeed, you can use the following process:

  1. Demobilizing accounts by deploying Jamf Connect with only the demobilization setting enabled

    This involves having users log in to complete the demobilization process.

  2. (Optional) Unbinding computers from Active Directory

  3. (Optional) Enabling the Jamf Connect login window and configuring the menu bar app

Keep the following in mind when using this workflow to demobilize accounts:
  • This workflow should not be used to enroll new computers or as a part of a PreStage enrollment.

  • If FileVault is enabled on computers, the demobilization process is skipped when automatic FileVault login is enabled. For instructions on disabling automatic FileVault login, see FileVault Enablement with Jamf Connect in the Jamf Connect Administrator's Guide.

General Requirements

  • Mobile accounts bound to Active Directory

  • Jamf Connect and familiarity with Jamf Connect login window settings

    For more information about login window settings, see the Login Window Preferences section in the Jamf Connect Administrator's Guide.

  • Jamf Pro and familiarity with deploying configuration profiles, policies, and basic scripting

    For more information, see the Policies and Computer Configuration Profiles sections in the Jamf Pro Administrator's Guide.

Step 1: Demobilizing Accounts

  1. Use Jamf Pro or Jamf Connect Configuration to create a login window configuration profile for Jamf Connect that includes the Demobilize Accounts (DemobilizeUsers) setting.

    Note: The configuration profile created in this step can also include other Jamf Connect settings that you want to use after you complete the demobilization and unbinding process. These settings are ignored until the Jamf Connect login window is enabled.

  2. Use Jamf Pro to create a policy that does the following:
    • Installs the Jamf Connect PKG

    • Executes the following authchanger command via the Files and Processes payload after Jamf Connect is installed:
      /usr/local/bin/authchanger -reset -preAuth JamfConnectLogin:DeMobilize,privileged

  3. Deploy the configuration profile and policy created in steps 1 and 2 to target computers.
  4. Request or prompt users to log in to their computers. Logging in will run the demobilization process in the background of the default macOS login process.

Depending on the number of computers you are demobilizing in your organization, this process may take one or more days.

Tracking Demobilized Accounts

You can use Jamf Pro to track and confirm successful account demobilization on computers. This will help you determine which computers can be safely unbound from Active Directory.

  1. Create a Jamf Pro extension attribute that uses the following script as the input type:
    #!/bin/bash

    # List every user record that still carries an OriginalNodeName attribute.
    # Only cached mobile (network) accounts have this attribute, so an empty
    # list means every account on the computer has been demobilized.
    # stderr is silenced on dscl itself, which is the command that can fail.
    NETACCLIST=$(dscl . list /Users OriginalNodeName 2>/dev/null | awk '{print $1}')
    if [ -z "$NETACCLIST" ]; then
        echo "<result>No Mobile Accounts</result>"
    else
        echo "<result>$NETACCLIST</result>"
    fi
    exit 0
  2. Create a smart group that uses the extension attribute as membership criteria.

As local accounts on computers are demobilized, computers will be added to the smart group.
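The following is an added example, not code from the Jamf documentation, showing how the extension attribute's result is derived from the dscl listing and how a demobilized account can be double-checked before the computer is unbound. It assumes that each line of `dscl . list /Users OriginalNodeName` has the form `<username> <OriginalNodeName value>`, and that a cached mobile account's AuthenticationAuthority still contains the `;LocalCachedUser;` marker until demobilization removes it; the function names and the sample listing are constructed for offline testing.

```shell
#!/bin/sh
# Added example (not Jamf's code). Parses the dscl listing the extension
# attribute above relies on, so the logic can be exercised without a bound Mac.

# Each line of `dscl . list /Users OriginalNodeName` is "<username> <value>".
# Only accounts that still carry OriginalNodeName are listed, so an empty
# listing means every account on the computer has been demobilized.
mobile_accounts_from_listing() {
    # $1: listing text; prints one username per line, sorted, duplicates removed
    printf '%s\n' "$1" | awk 'NF >= 2 { print $1 }' | sort -u
}

ea_result() {
    # $1: listing text; prints the extension-attribute result on a single line
    # (names joined with ", ") rather than one name per line as the EA script does
    names=$(mobile_accounts_from_listing "$1" | paste -sd, - | sed 's/,/, /g')
    if [ -z "$names" ]; then
        printf '<result>No Mobile Accounts</result>\n'
    else
        printf '<result>%s</result>\n' "$names"
    fi
}

# Second check for a single account: a cached mobile account's
# AuthenticationAuthority contains ";LocalCachedUser;" until it is demobilized.
# Returns 0 (true) while the value still marks a cached network account.
# On a Mac the value comes from: dscl . -read /Users/<name> AuthenticationAuthority
is_cached_mobile_auth() {
    case "$1" in
        *';LocalCachedUser;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample listing of a computer with two mobile accounts.
SAMPLE_LISTING='jdoe /Active Directory/CORP/All Domains
asmith /Active Directory/CORP/All Domains'

# Constructed AuthenticationAuthority values: one still cached, one fully local.
SAMPLE_CACHED_AUTH=';LocalCachedUser;/Active Directory/CORP/All Domains:CN=John Doe,OU=Users,DC=corp,DC=example'
SAMPLE_LOCAL_AUTH=';ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'

# Real use on a bound Mac (macOS only):
#   ea_result "$(dscl . list /Users OriginalNodeName 2>/dev/null)"
```

Run `ea_result "$SAMPLE_LISTING"` to see the value the extension attribute would report for that computer; once every account is demobilized the same call on the live listing returns `<result>No Mobile Accounts</result>`, which is the state to require before an unbinding policy is scoped to the computer.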

Step 2: (Optional) Unbinding Local Accounts

If Active Directory was only used to manage user accounts on computers, unbinding the computer from Active Directory is recommended. You can use the smart group created in Step 1 to track computers with demobilized accounts as the target for an Active Directory unbinding method. Any of the following can be used to unbind computers from Active Directory in Jamf Pro:

  • Configuration profile

  • Policy

  • jamf binary

Step 3: (Optional) Enabling Network Authentication with Jamf Connect

After accounts are demobilized, you can fully configure Jamf Connect to suit your organization. This may include the following:
  • Configuring the Jamf Connect login window to enforce network authentication

  • Configuring the menu bar app to sync local and network passwords

Enabling the Jamf Connect Login Window

  1. Confirm that your login window configuration profile includes your IdP's required authentication settings and any additional settings you want to use.

    For information about available authentication settings, see the Authentication Settings and Account Creation sections of the Jamf Connect Administrator's Guide.

  2. Use the authchanger command-line tool to enable the login window by executing the following command via policy:
    /usr/local/bin/authchanger -reset -JamfConnect

The Jamf Connect login window will now be displayed to users the next time they log in.

Configuring the Menu Bar App

You can continuously sync local and network account passwords by deploying a configuration profile for the menu bar app. For more information about password syncing, see Password Syncing with Jamf Connect.