Solved: Re: Preauthorizing Apple Computers at Login Screen

scsc_tech · ‎05-27-2019

When a computer is sitting at the login screen, user authentication will not work and the machine will be kicked off the network without having a failback for machine pre-auth

We currently have a policy that has a condition for "Domain Computers" and gives them access to the corporate VN as well as a dACL for limited access to DNS, DHCP and AD.

This seems to work great for Windows machines, but our major problem right now is with Apple Mac computers.

Even though they are bound to AD, the Mac computers do not advertise themselves and being members of “Domain Computers” so this machine authentication policy does not work.

Does anyone have a recommendation for setting up a similar machine authentication policy for Mac computers so they do not get kicked off the network when sitting at the login window?

Possible solutions that I would like to avoid:

Giving pre-auth to all Apple Computers based on OUI MAC
Using MDM to set Login Window Mode (we have tried this in a limited capacity and MDM is unreliable and complex to set up)

Mike.Cifelli · ‎05-29-2019

Like @Jason Kunst mentioned machine certs and certain conditions could do the trick. Why do you want to avoid this:
Giving pre-auth to all Apple Computers based on OUI MAC

If you have profiling in use technically you could utilize the AD-Probe and setup a scenario like this:
Parent Policy (Policy1) leverages and uses AD-Host-Exists EQUALS true. Then create a child policy(Policy-1-Child) that matches based on OUI MAC or some other attribute you can narrow down to your apple computers. Then use the profiled endpoint group in your condition to meet your requirement. Then you would know that any host profiled as Policy-1-Child (or whatever you name it) is a member of AD and an apple comp.

View solution in original post

Jason Kunst · ‎05-29-2019

Isn't there a pre-auth ACL to work for all computers?
What about machine certs?

Mike.Cifelli · ‎05-29-2019

Like @Jason Kunst mentioned machine certs and certain conditions could do the trick. Why do you want to avoid this:
Giving pre-auth to all Apple Computers based on OUI MAC

If you have profiling in use technically you could utilize the AD-Probe and setup a scenario like this:
Parent Policy (Policy1) leverages and uses AD-Host-Exists EQUALS true. Then create a child policy(Policy-1-Child) that matches based on OUI MAC or some other attribute you can narrow down to your apple computers. Then use the profiled endpoint group in your condition to meet your requirement. Then you would know that any host profiled as Policy-1-Child (or whatever you name it) is a member of AD and an apple comp.

scsc_tech · ‎05-29-2019

Hey Mike

I appreciate this response. Its the first time someone has presented this as a possible solution.

I have not used AD-Probe before for profiling. Do you know the syntax? Is it AD-Host-Exists EQUALS true?

I checked my deployment and see that AD probe is enabled. But when I look an an endpoint detail, I dont see AD-Host-Exists as a attribute

Mike.Cifelli · ‎05-30-2019

Ensure that you are getting the host-name option from DHCP options. Check your sensor and ensure that option name host-name is configured.

scsc_tech · ‎05-30-2019

I am getting host-name in the attributes.

I tried profiling based on AD-host-exists equals true and I don't see the devices getting profiled correctly in live logs