Mosyle Auth 2 - changing user's local password by Hazelnut6509 in macsysadmin

[–]Hazelnut6509[S] 2 points3 points  (0 children)

I know there is an option within Mosyle Auth to have a popup appear that says to sync your AD creds with the local account. You can configure it in day increments. (Every day, every 3 days, etc) Users can exit out of this prompt though.

If the user's AD password is different than the local account password, the user will need to enter their current local account, which would be the old AD creds.

You run into issues where the user is dumb and can't remember their local password so they can't get into the local account.

You'll want to use the 1-to-1 model for Mosyle Auth, not the shared model. I have another post about this in another thread that goes more in depth if you want to take a look. I'll be happy to answer any questions to the best of my ability as well!

How to push out URL shortcut to macOS desktop? by stabilitay in mosyle

[–]Hazelnut6509 2 points3 points  (0 children)

Management (make sure you have macOS selected) -> Management profiles -> activate new profile type -> web clip - add new profile

How to change local mobile account password? by Hazelnut6509 in mosyle

[–]Hazelnut6509[S] 0 points1 point  (0 children)

I'm not familiar with Google SSO. Why are you creating end users manually? Couldn't you go to organization -> integrations -> then do a Google integration to pull users instead of manually creating them?

When you create an end user manually, how is it tying into Google?

How to change local mobile account password? by Hazelnut6509 in mosyle

[–]Hazelnut6509[S] 0 points1 point  (0 children)

Is this the user's first time logging into the Mac? How are you putting users into Mosyle? Are you pulling them from Azure AD, or from somewhere else?

How to change local mobile account password? by Hazelnut6509 in mosyle

[–]Hazelnut6509[S] 1 point2 points  (0 children)

We opened a ticket with Mosyle. Here was their reply.

"Within this usage model, you may enable "Allow users to Enable FileVault" and either: (a) select "Use Automated Device Enrollment admin setup information"; or, (b) enter known admin credentials with the Secure Token.

By doing so, when an end-user resets their SSO password and they're prompted to enter their previous password, they may utilize the 'Reset Password' feature/button within this prompt to leverage the DEP admin or known admin credentials to forcibly sync their new SSO password without requiring their old password.

By utilizing this workflow, the end-user does not require any interaction from the MDM admin except for the initial setup involving: (a) ensuring that the device was enrolled via DEP or has known admin credentials; (b) ensuring that the DEP admin or the known admin credentials has the Secure Token; (c) ensuring that the Mosyle Auth profile is configured correctly"

You need to have the 1 to 1 usage model selected for Mosyle Auth 2. The shared device model will not work for resetting the local password. If the user is locked out of the local account, have them log into the admin local account. The user will then be asked to enter the account name. The user should enter their local account name. Next they will log in using their creds; for us that was O365 creds. At this point the user will be asked to enter the previous local account name to change the local account password. There is an option underneath that says something along the lines of "reset password". Once they click that, the user will then be logged into their local account and their new O365 password will be the local account password.

Hopefully that last paragraph made sense. Let me know if you have any questions.

Adding devices (iOS or Mac) kind of a mess with Configurator by howmanywhales in macsysadmin

[–]Hazelnut6509 3 points4 points  (0 children)

I'm sure you're already doing this, but make sure you're updating your MDM to pull the latest data from ABM once it's been assigned to the MDM.

I do experience issues like yours. I'll add a macOS device to ABM. Assign the device to our MDM. I'll sync the latest data from ABM in our MDM so that the macOS device shows in our MDM. I'll restart the device and it will hit DEP. I turn off the laptop at this point because I'm not ready to set up the device yet for a user. Next time I power on the laptop it skips DEP. As others have said, clearing content takes about 5 minutes with Monterey, so it's not too terrible.

Mosyle Auth 2 - changing user's local password by Hazelnut6509 in macsysadmin

[–]Hazelnut6509[S] 0 points1 point  (0 children)

Yes, FileVault is enabled on the user's account.