Today I had to help a remote user wipe their macOS workstation for a fresh start. Fortunately my team has DEP and MDM set up so we were able to get up and running pretty quickly. Unfortunately, our DEP configuration is still rough around the edges; we don’t have NoMAD Login+ yet, so initiating AD auth remotely is complicated as the VPN wouldn’t be connected until after a user is logged in.
But today I learned a new trick. Thanks to Rich Trouton’s article Creating AD or OD mobile users from the command line I found out that it is possible to cache a mobile account and the associated password via terminal. The steps to do so are as follows:
- Log in as a local user
- Make sure Active Directory is reachable. (i.e. connect to the VPN)
- Run sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n username, where username is the exact short name of the mobile account you want to cache.
- Enter the username and password of a secure token admin when prompted (on 10.13.x and later).
- Sign in via the Terminal as that user with su - username and have the user enter their password so it gets cached locally.
- Sign out, then sign in as that user at the login screen.
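The same procedure wrapped in a small script, as an added example (not from the original post or from Rich Trouton's article), with a reachability check before createmobileaccount runs and a verification afterwards. The username policy in valid_short_name and the constructed dscl output in the comments are assumptions; only the createmobileaccount and dscl calls shown on this page are used.

```shell
#!/bin/sh
# Added example: cache an AD mobile account and confirm it worked.
# The createmobileaccount/dscl/su calls only run on a macOS host bound to AD;
# the two helpers are pure string checks. Usage: MOBILE_USER=jdoe sh cache_mobile.sh
set -eu

CMA=/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount

# Accept only a plain short name (no domain prefix, spaces or shell metacharacters)
# before passing it to createmobileaccount and su. Assumed policy, not an Apple rule.
valid_short_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Given the text of `dscl . -read /Users/<name> AuthenticationAuthority`, report
# whether the local record is a cached mobile account (it carries a LocalCachedUser entry).
is_mobile_account_record() {
    printf '%s\n' "$1" | grep -q ';LocalCachedUser;'
}

cache_mobile_account() {
    user=$1
    valid_short_name "$user" || { echo "refusing suspicious username: $user" >&2; return 1; }
    # Step 2 of the post: AD must be reachable (VPN up). Resolve the user through the
    # directory search path before creating anything.
    dscl /Search -read "/Users/$user" RecordName >/dev/null 2>&1 \
        || { echo "$user not found via the directory search path; is the VPN up?" >&2; return 1; }
    # Step 3: create the mobile account (prompts for a secure token admin on 10.13+).
    sudo "$CMA" -n "$user"
    # Step 4: the user authenticates once so the password is cached; they type exit afterwards.
    su - "$user"
    # Check: the local record should now be marked as a cached mobile user.
    is_mobile_account_record "$(dscl . -read "/Users/$user" AuthenticationAuthority)" \
        || { echo "account exists but is not marked as a cached mobile user" >&2; return 1; }
    echo "mobile account for $user cached; user can now log in at the login screen"
}

if [ -n "${MOBILE_USER:-}" ]; then
    cache_mobile_account "$MOBILE_USER"
fi
```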