User channel support for "mobile users"?

[SphtKr]

Hello, I'm getting to grips with this stuff so apologies if I've got any incorrect understanding. I just went to the trouble to setting up a Samba DC so I can have "mobile users" on macOS and be able to assign profiles to the user channel on such users. So my question is--before I go through the process of setting up a nanomdm infrastructure--does nanomdm support user channel registrations for mobile users? I'm not using DEP/ABM/ASM but as mentioned I have an "AD" infrastructure in place and am planning to join the macs to the domain.

Ultimately I'm trying to set up a small school-like environment where kids can use the same devices as adults but the kids' accounts get restrictions in profiles on the user channel but adults don't. Coming from a few years doing Windows sysadmin stuff with group policy, this seems intuitive--but it seems like the vast majority of Mac deployments are just doing 1:1 user:device setups where the device gets the profile for the user. I've been through all the stuff about the limitations of user channels for local accounts, which is a major reason I bothered with a Samba DC. I started out playing with Fleet DM but it seems too limited and I'm not clear it can even do user channel profile assignment... can nanomdm? I've read that it can if an enrolling local user gets registered properly, but not finding much on mobile accounts except #8 which suggests maybe this won't work (I'm not 100% sure what UserAuthenticate does, but it seems related to mobile user registration outside of DEP enrollment). Then again, there seems to be code present to do more with UserAuthenticate than just failing.

Am I going to be able to do the above with nanomdm (or MicroMDM)? Any tips/resources that'd help me out with my desired scenario? Fairly confident I can figure it out if it's possible but wanted to make sure it is possible before trying.

Thanks!

[jessepeterson]

Yes. NanoMDM can handle user channel MDM.

As you note there are a few different ways to get the user channel registered for use with the MDM server as of this time:

• The macOS "MDM user" — the initial local user doing the MDM enrollment gets registered for an MDM channel if configured to do so (in e.g. the enrollment profile). This includes the user that is newly setup during Setup Assistant if it's an ADE (DEP) enrollment. While this works for a non-directory user account it has limitations such as there can only be one of these users on the system and it cannot be changed without an MDM re-enrollment.
• Directory Users (vs. entirely local users) for macOS. This is where the UserAuthenticate comes into play. Every time a directory user logs in it can be registered with the MDM server. NanoMDM has code support for the "zero-length challenge" (i.e. no auth token) mode of the UserAuthenticate process for directory users however it is by default disabled. Note that this is part of the login process for the user and can have negative effects if anything is up with the MDM server—partly because of the login-waiting issue from days of yore.
  • Separate from the MDM issue I would highly advise NOT using directory services for managing users on macOS ("binding" to "AD" as it were). But, that's not a discussion really for this forum. :)
• Shared iPad users also use the user channel.

You could turn on the bool mentioned above, recompile, and start to get UserAuthenticate messages and MDM for directory service users logging in. Once they're registered you should be able to target the user channel enrollment ID for commands such as installing profiles and such. If this is something that you'd find use of, we could perhaps add an option to reference server to turn this ability on from e.g. the CLI.

Further if you were interested in the token generation we could consider a webhook/callback that hits a webservice for this validation of users (i.e. you want validate the provided token or only selectively manage some users or what have you). That's something we could also consider. But this doesn't exist at the moment.

[SphtKr]

Excellent information @jessepeterson , exactly what I was looking for.... I would have spent a week or weeks fighting it before realizing I needed to recompile with an option to get it to work.

Separate from the MDM issue I would highly advise NOT using directory services for managing users on macOS

Ominous... I've done this on a small scale in the past with Server.app/OpenDirectory/Profile Manager and it always seemed fragile in ways I could never put a finger on... I was hoping taking greater control with Samba would prove more robust but now I wonder. I'll at least tread slowly and test well I guess.

[jessepeterson]

Hello @SphtKr I created a PR in support of this, FYI.