Issues with MacOS X 10.15 and AD Binding

I’m getting reports that it is taking a long time for the BES Client to realize that the OU a Mac has been bound to in AD has changed. They tell me that they have rebooted the Macs several times, and it will typically take overnight for the change to reflect in the BigFix console.

The Mac itself on the other hand will reflect the change in a timely manner.

I had them check if things worked properly under Mac OSX 10.14 and their response was …

Yes, it seems to be unique to 10.15. 10.14.x worked as designed. I initially thought it was the new disk restrictions in 10.15 that were causing it, but that doesn’t seem to be the case. When you install the Agent, the AD path is analyzed correctly. If the device is moved in AD and rebooted, the attribute in the console isn’t updated till some time overnight.

They have enabled “Full Disk” access both on the local device and via an MDM profile (JAMF).

Anyone else seeing anything like this, or have any suggestions on how to get around this?

What is the Evaluation frequency of the property in question? It could be that the property is only evaluated once per day.

It’s supposed to re-evaluate the Active Directory Path property whenever the BES client restarts. Apparently things work fine until they get to MacOS 10.15 so it sounds like something changed in 10.15.

In their testing to date, they have been keeping the BES Client at 9.5.14.