The “it just works” magic doesn’t apply in business environments
Android doesn’t allow that either nowadays. It’s just a matter of security. You wouldn’t want an unauthorized person to connect you to an insecure network or let them stop you from receiving important messages. Whether it’s worth it to force the user to log in is debatable though.
I honestly don’t see a reason why I would need to connect to a WiFi from the lock screen.
For personal usage, there isn’t
In a business (remote) environment, it’s extremely useful so the device can connect back with the MDM console so I can (easily) get the employee back into their laptop after they lock themselves out of the account.
Without it, I have to do annoying shit like walking them through dropping into Single-user mode or some shit. Very annoying and a 5 minute process just became like a 1-2 hour ordeal depending on user skill level.
I’m just curious here, but what are your Mac users doing to lock their accounts so often that this has become such a recurring pain point?
I feel for you, ever since I got approval to move all our mac’s to kandji for management, I have less issues reported from Mac users than windows users.
the larger a company the more cases you’ll have in absolute numbers, even if the relative numbers stay the same
I understand and agree with you but I’m a bit confused, is that in reference to part of my comment?
you asked why it happens so often, I provided a possible explanation.
just yesterday we had a similar case where a usb ethernet adapter wouldn’t work on a locked device due to a similar issue, even if that one may be more logical.
especially when you have to follow an outdated password policy where people have to change their passwords at regular intervals you’ll have such cases more frequently than when they only need to set it once until a suspected compromise.
Thank you for the context.
I honestly expected that to be exactly that, overly alternating (at least from a stand point of majority of users) passwords. I was just curious as the grievance felt very case specific.
That’s certainly a problem I thankfully do not encounter, our Mac users use their O365 logins just like our PC users. If they forget it, they don’t need my help changing or checking it. I haven’t encountered the wifi at login issue, though. That probably piqued my curiosity the most. Our Macs use web auth for login by default (with option to use locally cached password instead) and it requires an internet connection to work. If the mac’s couldn’t/didn’t connect, most wouldn’t be able to login. I could absolutely see this being an issue in a new place where no internet connection has been established before the issue, like a hotel or airport.
They all have a JIC hidden local account too, though. If OPs MDM tools include this option, it could be helpful for the cited scenario(s)
I typed an ironic comment into my last answer about exactly such a scenario but deleted it, assuming a local login would still be possible. Like a domain login where on a failed attempt to establish connection during login would load a local profile that would be synced upon connection.
Yea, I have practically infinite options on Windows
But on MacOS those options are limited and rigid, this is why Windows will probably never be dethroned in the business space lol
You could turn on the guest account
Without remote access and the user locked out that can only be done through the MacOS recovery mode, if I’m already walking them through that mess might as well just reset their main account
Before they get locked out, I mean of course
deleted by creator
why not just use jamf or something
You still need an Internet connection…
I teach computer engineering, and Macs have gone from wonderful to the bane of labs in the last decade. Students never have the right dongle, the permissions are a mess, compilers are locked down. It’s sad actually. Macs took over cs departments and a lot of tech usage, but they seem to have entirely turned their back on that audience
Apple is heavily incentivized to lock down the macOS platform and infringe on your privacy in the process.
And lord forbid you want to run an unsigned app.
We went from Macs being “immune” to malware to Macs being infested with it to this. Walled gardens have their benefits, but flexibility and choice aren’t among them.
There’s an open source audio tool I wanted to use, but the unsigned executable got bounced. It turns out I’d been fooled into downloading a malware-infested version of it. In that single case I appreciated it.
The “it just works” magic doesn’t apply
in business environmentsIt’s a thing of the past anyway. Their software is neglected and buggy. They can’t keep it well polished up because each release needs to have more slop in it.
The first time I saw IT tooling on Windows (as a Mac / Linux guy), I was floored. Comparing that to Apple Remote Desktop (which hasn’t evolved in two decades) made me realize how far behind Apple was / is in these areas.
Heh yea, “Windows is an enterprise OS with consumer features, MacOS is a consumer OS with (half-assed) enterprise features” ~Me
At least Linux will let you get there, might not be out of the box, but you can configure your way there, MacOS is very rigid when it comes to enterprise management
Maybe Apple didn’t get the memo that we are all using TLS for everything nowadays.
Are you using JAMF or another management environment? Devices automatically enroll once purchased and pull down the management settings upon boot. It’s essential for enterprise environments.
We are, but it’s not very helpful when the device can’t reach out to the MDM servers because it’s become disconnected from the WiFi for one reason or another
Oh and apparently you can’t use an Ethernet USB dongle from the lock screen either, thanks Apple so wonderful and secure/s
You’re doing something wrong. If the devices are pre-enrolled in JAMF and you’ve configured PreStage Enrollment properly, they’ll automatically connect to corporate wifi on boot without needing a local user account or manual wifi connection.
Remote only company, there’s no “Corporate WiFi”, it does have a fallback WiFi profile where I have the employee start a hotspot on their phone with the matching info
But it doesn’t always work on MacOS, almost like it stops trusting it if it’s not regularly connected to or something.
Either way, no matter how you dice it, MacOS SUCKS on the business management side, Windows will let you do anything you want in any number of ways. MacOS is rigid and inflexible, the fact you need specific MDM platforms that focus on only MacOS/iOS to be any good should tell you that
“Windows is an enterprise OS with consumer features, MacOS is a consumer OS with (half-assed) enterprise features” ~Me
I previously worked for a remote only company with similar roadblocks. The best option I found was to have the Macs shipped directly to a tech to be configured on their network (with their network profile configured in pre enrollment for ease of use) then ship it to the end user afterwards. The end users liked the “white glove” service.
I worked for many years in endpoint management and actually like Macs. They’re not difficult to manage once you get the hang of it. In this oddly specific scenario, though, Windows would definitely be easier because the users could just login with their 365 account for provisioning.
Yup, that’s pretty much the flow I’ve had to put in place, I actually figured out how to pull off the MacBook box “seals” without ripping them and then reseal it when we’re done with so the employee feels like it’s brand new LMAO
I worked for many years in endpoint management and actually like Macs. They’re not difficult to manage once you get the hang of it.
Idk bro, seems like Apple considers all their business tooling and support as an after thought, perhaps it would be easier if we were all in on either/or but we have a 50/50 Windows/Mac/Android/iOS mixed environment and all the device management platforms seems to fall in to 2 categories: “Good with all devices except Apple” or “Good with Apple devices and sucky at everything else”
Most in other mixed environments seem to settle into having 2 platforms, JAMF for Apple and something else for everything else. My funding request was denied for 2 though lol
What’s this gotta do with business environments? Is everybody with a Mac now a “businessman”?
In a business environment a common thing is a user getting locked out of their local user account.
Resolvable by issuing an unlock account command remotely and maybe a reset password. Kinda hard to issue those commands remotely if the device isn’t connected to the network, but on Windows I can have them connect to any WiFi network and it’s back online in the MDM console. MacOS otoh won’t let you connect to WiFi from the lock screen or even let you use an Ethernet USB adapter
That’s only when FileVault is on, though, yeah?
OK, so the opposite of Mac businessman. Good to know. Thank you.
They probably don’t wanna deal with providing a secure way to interact with a captive portal.
Captive portals need to die at least current iplementation, they don’t work in any but the most happy scenarios.
Agreed. They are junk. Esp the clowns that used 1.1.1.1 for them.
Isn’t that Cisco’s fault?
Cisco definitely encouraged it with their examples.
But the admin should have known better when setting up their environment.
That sounds like a pretty rare problem
Why can you not shutdown or restart on the locked screen on windows and at least some linux distributions? The button is there, but its only used to suspend the pc
?
You totally can, on every computer I’ve ever owned running Windows since NT (and most running some variant of Linux). The only reason it would not be there is if some turkey disabled it in Group Policy for some reason. The power button offers you power off, restart, suspend, and hibernate if you have hibernation enabled.
Could this be different depending on what type/brand of pc you have?
I remember being annoyed at having to log in to shut down my laptop after accidentally opening it
If it appeared to turn on just by opening it, it wasn’t off in the first place. It was in sleep.
Your system integrator may have disabled it for some damn fool reason by default, probably to make it appear that the machine “boots” faster if the user is bamboozled into never truly turning it off. But if you have administrator access you can always turn the option back on.
