Applies to: All versions of Centrify DirectControl on Mac OS X.
How can Mobile Accounts be automatically created for AD users logging into a Mac system joined to the domain in Zone Mode?
- Starting with macOS Sierra, you won't be able to create portable home directories. Mobile home directories, which have network accounts that are cached locally, can still be created. However, their home folder will no longer sync with their network home directory.
- On older versions of Centrify, a requirement of the Mobility Settings GPs is that the AD accounts MUST have a network home folder configured in order for the creation policy to kick into action.
- It has been discovered that in environments where Parallels has been installed, this can corrupt the behaviour of OS X's Mobile Home Syncing. For more information, see:
To create a Mobile Account via Group Policy:
- Decide on the context of the Mobile Accounts:
- If the Mobile Accounts need to sync their home folders between the Mac system and a network home folder location, use the following KB to set up and verify that the AD user is configured with a network home folder
- If the Mobile Accounts do not need any syncing and only a local home folder is sufficient (for example if the user only needs to be a Mobile Account for FileVault purposes), see the following KB for details on the new setting available in the GP:
- In a GPO that will apply to the user accounts, enable the GP at:
User Configuration / Centrify Settings / Mac OS X Settings / Mobility Settings / "Use version specific settings"
- Navigate to the "Mac OS X 10.x Settings" folder(s) that correspond to the version(s) of OS X the GPs should apply to and enable the policy at:
User Configuration / Centrify Settings / Mac OS X Settings / Mobility Settings / Mac OS X 10.x Settings / "Configure mobile account creation"
- Check the [ Create mobile account when user logs in to network account ] box.
- Check the [ Create mobile account even if user does not have a network home folder ] box (if needed).
- Check the [ Require confirmation before creating mobile account ] box (if needed).
- If the user will be using OS X's Mobile Home Sync feature, select "Create home using: network home and default sync settings"
- If the user does not need Mobile Home Syncing enabled, select "Create home using: local home template"
- Save and apply the GPOs.
- Go to the Mac and log in as Local Admin.
- Open the Terminal and run:
- Log out of Local Admin and log in as the AD user. If the confirmation option was selected, the user should now receive a prompt to create the Mobile Account. Alternatively, look in System Preferences > Users & Groups, where the user should be listed as "Mobile".
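A command-line counterpart to the Users & Groups check, added here as an example and not part of the original article: macOS records a mobile (locally cached network) account with a ;LocalCachedUser; entry in the account's AuthenticationAuthority attribute, so the script below filters dscl output for that marker. The function names, the sample listing and the directory node shown in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the accounts macOS treats as Mobile (cached network)
# accounts, e.g. to confirm the GPO took effect before enabling FileVault.

# Read "dscl . -list /Users AuthenticationAuthority" output on stdin and
# print the short name of every account carrying the LocalCachedUser marker.
filter_mobile() {
    awk 'index($0, ";LocalCachedUser;") { print $1 }'
}

# Return 0 if the user named in $1 is mobile according to the listing on stdin.
is_mobile() {
    filter_mobile | grep -qx -- "$1"
}

# Constructed sample listing (not captured from a real system). The node name
# and GUID are placeholders; local-only accounts have no LocalCachedUser entry.
sample_listing() {
    cat <<'EOF'
localadmin      ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>
jdoe            ;LocalCachedUser;/Example Node/All Domains:jdoe:00000000-0000-0000-0000-000000000000 ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>
_www
EOF
}

# On a Mac, query the live local directory; elsewhere, run on the sample.
if command -v dscl >/dev/null 2>&1; then
    dscl . -list /Users AuthenticationAuthority | filter_mobile
else
    sample_listing | filter_mobile
fi
```

An AD user who has logged in but is missing from this output is still a plain network account, which usually means the policy has not reached the Mac yet.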
For tips on configuring additional syncing options for the Mobile Accounts, please see the following KBs: