Macs, Jamf and Azure

Okay, some of you may have encountered this issue; I’m aware there are other College lecturers and quite a few sys admins here.

Our campus, like pretty well every campus in the country, has been put onto a more secure footing. Even our technical staff do not have admin status on College-issued devices. All supplied machines are profiled via Jamf, and local logins are followed by Azure logins. Only then is a set of college resources made available, including limited sets of applications and access to Teams, Outlook, etc.

Mostly, this is just an irritation; I have to have a MacBook, which I just use to check college email and Teams. But it runs fine.

We have hit an issue in our lab, however. We have a set of Studios with 4K displays for the students to work on. However, on startup an issue has emerged. Azure login creates a user account on that Studio, and when a student logs out, all the Studio presents is the set of existing local logins. That is, it doesn’t revert to the Azure login. Restarting doesn’t help. An admin has to log in and log out for Azure to present the login window. We tried setting the Studio to present user and password rather than a set of users at startup. No difference.

Any thoughts or experiences here?

This discussion may be similar to what you are experiencing. In their scenario it was a lack of permissions to unlock FileVault that caused the startup login problem (System Prefs > Security & Privacy > FileVault). Worth a look.

If not…

Let me first state that I do not have direct experience with this exact setup. I will proceed with the assumption that this is not caused by a known software bug or conflict between products.

What you describe almost sounds like Azure is not fully launching or taking effect until an admin signs in and authenticates with their higher level of permissions. Sort of like the automatic front door of a supermarket being turned on, but it won’t open because the manager did not unlock the deadbolt with their key. Does that make sense?

Alternatively, this reminds me of the permissions lock requested by apps/actions that require you to approve them in Security & Privacy (System Prefs > Security & Privacy > General > one-time items that appear below “Allow apps downloaded from:”) such as when an app first requests to use the camera or microphone. In rare situations an app would prompt the user to approve it in Security & Privacy, but there was nothing at the bottom of the General tab to approve.

Also, I have seen a few cases where a setting appears to be in one state, but is actually in another, or even null due to a corrupted settings file. In these rare cases, I try intentionally changing the setting to something else, saving, restarting the computer, and changing the setting back to what is desired (and maybe another restart).

Forgive me for possibly misleading you with this tangent, but my point is that sometimes these security permissions do not show themselves in the interface and may require a forced toggle or command line nudge by an administrator account.


Thank you, Security and Privacy is a good route to check through.