Caching a macOS mobile AD account remotely

June 10, 2018
macOS

Today I had to help a remote user wipe their macOS workstation for a fresh start. Fortunately my team has DEP and MDM set up so we were able to get up and running pretty quickly. Unfortunately, our DEP configuration is still rough around the edges; we don’t have NoMAD Login+ yet, so initiating AD auth remotely is complicated as the VPN wouldn’t be connected until after a user is logged in.

But today I learned a new trick. Thanks to Rich Trouton’s article, Creating AD or OD mobile users from the command line, I found out that it is possible to cache a mobile account and the associated password from the Terminal. The steps to do so are as follows:

  1. Log in as a local admin user (the command in step 3 needs sudo).
  2. Make sure Active Directory is reachable, i.e. connect to the VPN. A quick check is `id username`: if the domain controller is reachable it returns the user's AD UID and groups, otherwise "no such user".
  3. Run: sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n username where username is the exact username of the mobile account you want to cache. This creates the local mobile account record and home directory; it does not cache the user's password yet. The tool also accepts the password on the command line, but don't use that: it ends up in shell history and process listings, and step 5 caches it without exposing it.
  4. Enter the username and password of a SecureToken-holding admin when prompted (10.13.x and later on APFS). This is what grants the new account its own SecureToken; without it the account is created but cannot unlock a FileVault-encrypted disk at boot.
  5. While still on the VPN, sign in as that user in the Terminal with login username (or su - username) and have the user enter their password. A successful authentication against AD is what caches the password locally; if this step fails, nothing is cached and the login screen will refuse the account once the VPN is gone.
  6. Sign out and sign in as that user at the login screen.
  7. Profit!
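Before handing the machine back, it is worth confirming that all three things actually happened: the account is a cached mobile account, it holds a SecureToken, and (on an encrypted disk) it is a FileVault user. The following script is an added example, not part of the original post or of Rich Trouton's article; it wraps the three Apple commands a practitioner would run by hand and parses their output, with the username and domain being placeholders.

```shell
#!/bin/sh
# Post-check for a mobile AD account cached via createmobileaccount.
# Added example; the username passed in (e.g. jdoe) is a placeholder.
# Run as: sudo sh check_mobile_account.sh jdoe   (fdesetup needs root)

# Reads `dscl . -read /Users/<user> AuthenticationAuthority` on stdin.
# A cached AD mobile account carries the ;LocalCachedUser; marker; a plain
# local account or an un-cached network account does not.
is_mobile_account() {
  grep -q ';LocalCachedUser;'
}

# Reads `sysadminctl -secureTokenStatus <user>` on stdin. sysadminctl
# writes its status line to stderr, so callers must redirect with 2>&1.
has_secure_token() {
  grep -q 'Secure token is ENABLED'
}

# Reads `fdesetup status` on stdin and reports whether the disk is encrypted.
filevault_is_on() {
  grep -q 'FileVault is On'
}

# Reads `fdesetup list` on stdin (one "username,UUID" line per FileVault
# user) and checks for the given username at the start of a line.
is_filevault_user() {
  grep -q "^$1,"
}

# Runs the live checks on this Mac; returns non-zero on the first failure so
# the script can be used from a remote shell session and its exit status read.
verify_cached_account() {
  user="$1"

  dscl . -read "/Users/$user" AuthenticationAuthority 2>/dev/null | is_mobile_account \
    || { echo "$user: not a cached mobile account (no ;LocalCachedUser;)" >&2; return 1; }

  sysadminctl -secureTokenStatus "$user" 2>&1 | has_secure_token \
    || { echo "$user: no SecureToken; step 4 was skipped or failed" >&2; return 1; }

  if fdesetup status | filevault_is_on; then
    fdesetup list | is_filevault_user "$user" \
      || { echo "$user: not a FileVault user; add with: sudo fdesetup add -usertoadd $user" >&2; return 1; }
    echo "$user: mobile account cached, SecureToken granted, FileVault user"
  else
    echo "$user: mobile account cached, SecureToken granted (FileVault is off)"
  fi
}

# Only touch the live directory when run directly on macOS with a username.
if [ "$(uname)" = "Darwin" ] && [ "$#" -eq 1 ]; then
  verify_cached_account "$1"
fi
```

The parsers are separated from the live commands so the script can be read (and the matching tested) off the Mac; the real proof that the password was cached is still step 6, a login at the login screen with the VPN disconnected, which none of these attributes can substitute for.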