Applies to: Centrify Identity Service, Mac Edition
A previous requirement of the "Configure mobile account creation" group policy is that the AD user must be configured with a network home directory. This means AD users who only have local home folders cannot be automatically converted to Mobile Accounts via the Mobility Settings GPs.
Is there any method to automatically convert a Network Account without a network home directory to a Mobile Account during logon? This is applicable for situations where the user does not need Home Sync features, but only needs a Mobile Account so that they can unlock FileVault.
As of Centrify Suite 2015 with Centrify Mac agent version 5.2.2 and above, AD users no longer need to have a network home folder configured to enable Mobile Account creation. See Option 1 below for details on the new option.
For more information on the difference between Network Accounts and Mobile Accounts, see:
Option 1: (Recommended)
Update to Centrify Suite 2015 or above on the AD side and update the Mac agent to 5.2.2 or above on the OS X side. Upon updating the group policy templates, a new option will appear in the "Configure mobile account creation" GP:
If the "Create mobile account even if user does not have a network home folder" checkbox is enabled, the GP will skip the check for a network home folder and convert the user to a Mobile Account with only a local home folder. Note that under this configuration, no sync rules will be applied as there will be no destination folder saved with the user profile.
For more information on setting up Mobile Accounts via Centrify GPs, see:
Attached is an Apple Configuration Profile which can be used to convert any AD user to a Mobile Account upon login (regardless of where their home folder is located).
The mobileconfig will need to be installed as a "Device Profile".
To install the profile via group policy (Centrify User Suite 2014.1 / Mac agent 5.2.0 and higher), see the following KB:
To install the profile manually:
- Log in to the Mac as Local Admin and download the mobileconfig to the Desktop
- Open the Terminal and run the command:
sudo profiles -I -F "/Users/[username]/Desktop/Mobility Settings.mobileconfig"
(Note: Alter the file path in the command accordingly if the mobileconfig file was saved to a different location)
- Log out and log in as an AD user
- The AD user should now be prompted to be converted into a Mobile Account.
If configuration profiles cannot be used, then the Mobile Account can also be created via command line.
sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n $username
(Replace $username with the actual username of the AD user)
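A guard around the command-line option above, as an added example that is not part of the original article or Centrify's tooling: it rejects unexpected usernames before anything runs under sudo and skips users whose local record is already a Mobile Account. The function names are hypothetical, and the check assumes the usual macOS convention that a Mobile Account's AuthenticationAuthority contains a ;LocalCachedUser; entry.

```shell
#!/bin/sh
# Added example: pre-checks before calling createmobileaccount (path from the article).
TOOL=/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount

# Accept only short names made of letters, digits, dot, underscore and hyphen,
# with no leading hyphen, so nothing else reaches a command run under sudo.
valid_username() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# $1 is the text printed by `dscl . -read /Users/<name> AuthenticationAuthority`.
# Succeeds if it marks the record as a cached (mobile) account (assumed convention).
is_mobile_record() {
    case "$1" in
        *';LocalCachedUser;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = username, $2 = dscl output for the local record (empty if there is none).
# Prints the decision: "invalid", "skip" or "create".
plan_for_user() {
    valid_username "$1" || { echo invalid; return 0; }
    if is_mobile_record "$2"; then echo skip; else echo create; fi
}

# Runs only when a username is passed on the command line, on the Mac itself.
if [ "$#" -ge 1 ]; then
    user=$1
    record=$(dscl . -read "/Users/$user" AuthenticationAuthority 2>/dev/null || true)
    case "$(plan_for_user "$user" "$record")" in
        invalid) echo "refusing unexpected username: $user" >&2; exit 2 ;;
        skip)    echo "$user is already a Mobile Account" ;;
        create)  sudo "$TOOL" -n "$user" ;;
    esac
fi
```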
For usage directions for the createmobileaccount command, open the Terminal and run: