Network users set as Administrators cannot allow OS updates

I have (now) multiple users reporting this issue.


We have an Active Directory domain that I set the users to log on with Network accounts (set to mobile accounts, because we had trouble with issues like this in Catalina, too).


I set the users to be part of a specific group allowed to be admins on the Mac during the AD setup; I also set Domain Admins to be allowed to administer the computer.


This works for everything but system updates. They can unlock everything in System Preferences, authorize other things like installing software, etc., but when asked to authenticate for system updates it doesn't accept their username or password, nor an AD Domain Admins username and password; we have to come log on with the initial (local) Admin account's password.


Instead they get an 'Authentication is disabled' note in the login prompt and 'ok' is grayed out.


I'd hoped this was a bug in Big Sur that would be fixed, but it's persisting.


This may be specific to M1 Macs, since those are the only Macs running Big Sur in our organization right now that are joined to the domain.




Mac mini 2018 or later

Posted on Mar 23, 2021 8:36 AM


4 replies

Mar 23, 2021 2:01 PM in response to a brody

We don't have enough Macs in our domain to make JAMF worthwhile, and the 'mobile' accounts are on desktops that remain in the building... I only started doing that when I first ran into this issue with FileVault through Sophos Cloud, which is our institution's AV solution; non-Mobile network users cannot create an encrypted home directory under FV.


(There are only three IT people here for about 500+ users (of which ~30 are Mac machines joined to the domain)...we also just don't have the time to be software police, so admin rights are pretty routinely devolved to the end users.)


Doing more research on this, I've found people talking about NoMAD (at r/macsysadmin on Reddit: https://www.reddit.com/r/macsysadmin/comments/m7y9ib/not_renewing_kerberos_ticket_and_loosing_smb/ ); this may be a solution to this. They have local accounts but can utilize all the benefits of binding to the domain; for Macs we do it just for the SSO.



Mar 23, 2021 12:14 PM in response to Bruce Johnson3

Generally I don't recommend giving Mobile users admin access.


In a company I work at, this has been a real problem trying to deploy FileVault on systems that are integrated with JAMF Mobile Device Management. For developers at the company, we create a separate standard administrator account that they can log in as in the terminal before applying a sudo command. For everyone else we have a controlled deployment system whereby only certain key users have administrative access.


We have run into this problem on High Sierra, Mojave, Catalina, and Big Sur.

Mar 24, 2021 11:01 AM in response to a brody

The affected computers are all desktops in our facilities, so that's not an issue. We had so much trouble with laptops moving on and off the domain that we long ago just went to treating them like personal laptops; if the users need to access domain resources they connect to the VPN and then mount network shares and access printers, etc. using their AD credentials, but log into the computer with a local account.


