Demobilizing and Unbinding Mobile Accounts with Jamf Connect and Jamf Pro
Jamf Connect connects local accounts to their network account in a cloud identity provider (IdP). For organizations transitioning from on-premise Active Directory to a cloud identity solution, Jamf Connect can also convert mobile accounts to local accounts; this process is called demobilization.
When you convert an existing MDM-capable mobile account to a local account through demobilization, the account loses MDM-capable status and its previous Active Directory-based network authentication authority. It is no longer eligible for user-level configuration profiles from an MDM, including Education Profiles used for managed classes in the Apple Classroom app.
Jamf recommends transitioning away from user-level configuration profiles before demobilizing mobile accounts. For more information about MDM enrollment methods, see MDM-Enabled Local User Accounts in the Jamf Pro Documentation.
If you plan to unbind accounts from Active Directory in addition to demobilizing them with Jamf Connect, you must make sure to demobilize accounts before unbinding them. This ensures that the Active Directory domain can be reached during the demobilization process.
You can use Jamf Connect's demobilization feature to convert mobile accounts into local accounts on macOS computers before unbinding from Active Directory with Jamf Pro. To ensure demobilization, unbinding, and network account connection with Jamf Connect succeed, you can use the following process:
1. Demobilizing accounts by deploying Jamf Connect with only the demobilization setting enabled. This involves having users log in to complete the demobilization process.
2. (Optional) Unbinding computers from Active Directory
3. (Optional) Enabling the Jamf Connect login window and configuring the menu bar app
This workflow should not be used to enroll new computers or as a part of a PreStage enrollment.
If FileVault is enabled on computers, the demobilization process will be skipped if automatic FileVault login is enabled. For instructions on disabling automatic FileVault login, see FileVault Enablement with Jamf Connect in the Jamf Connect Documentation.
General Requirements
- Mobile accounts bound to Active Directory
- Jamf Connect and familiarity with Jamf Connect login window settings
  For more information about login window settings, see the Login Window Preferences section in the Jamf Connect Documentation.
- Jamf Pro and familiarity with deploying configuration profiles, policies, and basic scripting
  For more information, see the Policies and Computer Configuration Profiles sections in the Jamf Pro Documentation.
Step 1: Demobilizing Accounts
Depending on the number of computers you are demobilizing in your organization, this process may take one or more days.
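As an added example (not taken from the Jamf documentation itself), this is the custom settings payload for the Jamf Connect login preference domain that turns on demobilization and nothing else. It assumes the preference domain `com.jamf.connect.login` and the boolean key `DemobilizeUsers`, as the editor understands them from the Jamf Connect login window preferences; confirm both against the Jamf Connect Documentation for your version before deploying. Every other login window key is deliberately left out so that nothing beyond demobilization changes until Step 3.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!-- Added example: upload as an Application & Custom Settings payload for the
     assumed preference domain com.jamf.connect.login, scoped to the computers
     being migrated. Only the demobilization key is set here. -->
<plist version="1.0">
<dict>
    <!-- Convert mobile (cached Active Directory) accounts to local accounts
         at the user's next login. -->
    <key>DemobilizeUsers</key>
    <true/>
</dict>
</plist>
```

Deploy this profile at the computer level, not the user level, since the accounts being converted lose eligibility for user-level profiles as described above; keep the FileVault note in mind, because automatic FileVault login bypasses the login that triggers the conversion.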
Tracking Demobilized Accounts
You can use Jamf Pro to track and confirm successful account demobilization on computers. This will help you determine which computers can be safely unbound from Active Directory.
Step 2: (Optional) Unbinding Local Accounts
If Active Directory was only used to manage user accounts on computers, unbinding the computer from Active Directory is recommended. You can use the smart group created in Step 1 to track computers with demobilized accounts as the target for an Active Directory unbinding method. Any of the following can be used to unbind computers from Active Directory in Jamf Pro:
- Configuration profile
- Policy
- jamf binary
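The following script is an added example written for this page, not Jamf's own tooling; it serves both the tracking in Step 1 and the guarded unbind in Step 2. When Jamf Pro runs it as an extension attribute (no script parameters) it reports which accounts are still mobile, so a smart group on that value identifies computers that are safe to unbind. When a policy runs it with `unbind` in parameter 4 and an Active Directory account name and password in parameters 5 and 6, it unbinds with `dsconfigad` only if no mobile account remains, which enforces the "demobilize before unbinding" ordering stated above. Assumptions: `dscl` and `dsconfigad` behave as on a standard macOS install, Jamf's convention that parameters 1 to 3 carry the mount point, computer name and user name, and that a mobile account is identified by `;LocalCachedUser;` in its AuthenticationAuthority attribute.

```shell
#!/bin/sh
# Added example for this page, not Jamf's own code. Two modes:
#   extension attribute (no parameters): report mobile accounts still present
#   policy (parameter 4 = "unbind", 5 = AD account, 6 = its password):
#     unbind from Active Directory only when no mobile account remains
# Assumes standard macOS dscl/dsconfigad behaviour and Jamf's script
# parameter layout ($1 mount point, $2 computer name, $3 user, $4+ custom).

# A mobile (cached Active Directory) account carries ";LocalCachedUser;" in
# its AuthenticationAuthority attribute; a demobilized local account does not.
is_mobile_authority() {
    case "$1" in
        *";LocalCachedUser;"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Input: lines of "name|authority". Output: the names that are still mobile,
# one per line. Pure text processing, so it can be exercised without dscl.
mobile_names() {
    printf '%s\n' "$1" | while IFS='|' read -r name authority; do
        [ -n "$name" ] || continue
        if is_mobile_authority "$authority"; then printf '%s\n' "$name"; fi
    done
    return 0
}

# Number of mobile accounts among the given records (always prints a number).
count_mobile() {
    mobile_names "$1" | awk 'END { print NR }'
}

# macOS only: build "name|authority" records for every user with UID >= 500.
gather_records() {
    dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }' | while read -r name; do
        authority=$(dscl . -read "/Users/$name" AuthenticationAuthority 2>/dev/null | tr '\n' ' ')
        printf '%s|%s\n' "$name" "$authority"
    done
}

# Extension attribute output: Jamf Pro stores the text inside <result>, so a
# smart group with this attribute "is" none selects computers whose accounts
# have all been demobilized and are therefore safe to unbind.
report() {
    remaining=$(mobile_names "$(gather_records)" | tr '\n' ' ')
    if [ -z "$remaining" ]; then
        echo "<result>none</result>"
    else
        echo "<result>${remaining% }</result>"
    fi
}

# Policy action: refuse to unbind while any mobile account remains, because a
# mobile account that loses its domain before demobilization can no longer be
# converted by Jamf Connect.
unbind_if_clean() {
    if [ "$(count_mobile "$(gather_records)")" -ne 0 ]; then
        echo "Mobile accounts still present; not unbinding." >&2
        return 1
    fi
    if dsconfigad -show | grep -q 'Active Directory Domain'; then
        dsconfigad -remove -force -username "$1" -password "$2"
    else
        echo "Not bound to Active Directory; nothing to do."
    fi
}

# Only act on macOS; elsewhere the functions above are merely defined.
if [ "$(uname)" = "Darwin" ]; then
    case "${4:-report}" in
        report) report ;;
        unbind) unbind_if_clean "${5:-}" "${6:-}" ;;
        *) echo "Unknown mode: $4" >&2; exit 2 ;;
    esac
fi
```

Create the extension attribute from this script with a string data type, build the smart group on the attribute value `none`, and scope the unbind policy to that group. The account passed in parameters 5 and 6 only needs the right to remove the computer object, so use a dedicated least-privileged account for the migration rather than a general domain administrator, and retire it once the last computer is unbound.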
Step 3: (Optional) Enabling Network Authentication with Jamf Connect
- Configuring the Jamf Connect login window to enforce network authentication
- Configuring the menu bar app to sync local and network passwords
Enabling the Jamf Connect Login Window
Configuring the Menu Bar App
You can continuously sync local and network account passwords by deploying a configuration profile for the menu bar app. For more information about password syncing, see Password Syncing with Jamf Connect.