Over the past few months, I've found myself having to troubleshoot a variety of DNS and VPN-related issues that a small subset of our users have encountered. These kinds of issues can have all sorts of causes: network configuration, DNS resolvers, the VPN connection and its configuration, third-party clients, updates to macOS, etc. Working from home makes it even more difficult to determine what the cause might be. The goal of this post is in a way to help future me but also to share what I've learned in the process in terms of troubleshooting these kinds of networking issues.

With the introduction of APFS, Apple introduced secure tokens, which allow users to unlock FileVault. If there are no users who have a secure token, you may find yourself in a position where you cannot enable FileVault or unlock FileVault. Most recently, with Macs running on Apple silicon, Apple introduced the concept of volume ownership, which determines which users are authorized to make changes to the volume. This can happen in at least two important scenarios that come to mind: OS upgrades and OS updates. If there are no users who have volume ownership, you may find yourself unable to perform OS updates. Apple goes into better detail on the concepts of Secure Tokens, Volume Ownership and Bootstrap Token in this enterprise-focused deployment guide. Whether a user is an administrator or not can also determine whether certain tasks can be performed. If you're running newer versions of macOS, Apple has tried to close all gaps where a managed device might be configured without a secure token or volume owner user. Ideally, you don't have any Macs like this in your environment. Needless to say, it's useful to track this information in Jamf Pro. I created two extension attributes to track Secure Token users and Volume Owner users a while ago but never wrote a blog post to cover them.

The Secure Token Users extension attribute will report all user accounts that have a secure token. If a user is found to have a secure token, the results will be displayed as:
Admins: user1, user2 (or "None" if none found).
Non-Admins: user1, user2 (or "None" if none found).
If no user is found to have a secure token, the result will be:
If an unsupported file system is found, the result will be:
Unsupported File System: (File System Type).

The Volume Owner Users extension attribute will report all Volume Owners on Apple Silicon Macs. If a user is found to be a volume owner, the results will be displayed as:
If no user is found to be a volume owner, the result will be:
If an unsupported architecture is found, the result will be:

Once you've got these extension attribute scripts running in your Jamf environment, you can then start to run reports against computers that do not have secure token users and/or volume owner users and take steps to remediate. Or, if you want to look at devices in a one-off situation, you can tell which users are secure token and volume owner users, and their admin status. Worst case scenario, the device will need to be backed up, wiped and the OS re-installed to go through provisioning again.

Our DHCP server does not like talking to our Mac devices at my company. Not anything I can really change w/o causing a ruckus, so I decided to script just adding our search domains and DNS servers to the machines via our MDM. I'm working on the script now (from home), but keep running into this weird issue. I run the below, and it works, but every time I do that it wipes the gateway and search domain that I get from DHCP at home (.x and lan). Once that happens, my machine does not connect out to the Internet. The only way to fix it is to wipe all entries or manually add my gateway and "lan" as a search domain. I need this script to be universal, so I can't just add my gateway IP to it and deploy. Is there a way to wildcard it so that it will pull whatever the machine gets locally + add our company domains and DNS servers? This is what I have that works, but removes the local stuff:

sudo networksetup -setsearchdomains Wi-Fi (domain1) (domain2) (domain3)
sudo networksetup -setdnsservers Wi-Fi (dnsIP1) (dnsIP2)

I tried doing this to just add them, but it tells me there aren't any DNS servers set and still removes the local stuff.
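The merge the question above asks for, as an added example that is not from the original post: the script reads the DNS servers and search domains the DHCP lease handed out, appends the company values, and then sets both lists, since networksetup -setdnsservers / -setsearchdomains always replace the whole list (which is why the home entries vanished, and why reading the list back with networksetup reports that no DNS servers are set while they come from DHCP). Assumptions: the company servers and domains are placeholders, the service is Wi-Fi on interface en0, and macOS's ipconfig getoption is assumed to print the lease's values (its output is normalised on commas and newlines).

```shell
#!/bin/bash
# Added example (not from the original post): merge DHCP-supplied DNS settings
# with a fixed company list before applying them with networksetup.
set -e

COMPANY_DNS="203.0.113.10 203.0.113.11"          # constructed placeholders (TEST-NET-3)
COMPANY_DOMAINS="corp.example.com example.com"   # constructed placeholders
SERVICE="${SERVICE:-Wi-Fi}"                      # assumed network service name
IFACE="${IFACE:-en0}"                            # assumed BSD interface behind it

# merge_lists "<local items>" "<company items>": local values first, then the
# company values, duplicates dropped, original order kept, space separated.
merge_lists() {
  local seen=" " out="" item
  for item in $1 $2; do
    case "$seen" in *" $item "*) continue ;; esac
    seen="$seen$item "
    out="${out:+$out }$item"
  done
  printf '%s' "$out"
}

# dhcp_option <name>: what the current DHCP lease handed out for this interface.
# networksetup -getdnsservers only shows manually set servers, so read the lease
# instead (ipconfig getoption is macOS only; empty on any other OS).
dhcp_option() {
  ipconfig getoption "$IFACE" "$1" 2>/dev/null | tr ',\n' '  ' || true
}

apply_merged() {
  local dns domains
  dns=$(merge_lists "$(dhcp_option domain_name_server)" "$COMPANY_DNS")
  domains=$(merge_lists "$(dhcp_option domain_name)" "$COMPANY_DOMAINS")
  # Both -set* calls REPLACE the whole list, so pass the merged lists.
  # $dns / $domains are deliberately unquoted: one argument per entry.
  sudo networksetup -setdnsservers "$SERVICE" $dns
  sudo networksetup -setsearchdomains "$SERVICE" $domains
  echo "DNS: $dns"; echo "Search: $domains"
}

# Only touch the system when asked, and only where networksetup exists.
if [ "${1:-}" = "--apply" ] && command -v networksetup >/dev/null; then
  apply_merged
fi
```

Because a manual server list switches the service off DHCP-supplied resolution, the home entries are frozen into the configuration at the moment the script runs and travel to the next network; networksetup -setdnsservers Wi-Fi Empty (and the same for -setsearchdomains) restores DHCP behaviour.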