
About Enterprise Connect

Posted: 11/6/15 at 2:03 PM by rjlemmon

Hi all,

This is Rick Lemmon from Apple Professional Services. I'm happy to answer any questions you have around Enterprise Connect. For those of you who are unfamiliar with the tool, it provides a good level of Active Directory integration for Macs that are not domain bound. It also enhances AD integration for Macs that are domain bound and have a user logging in with an AD account.

Enterprise Connect is simply an application. Once it has been set up, it resides in your menu bar. Specifically, Enterprise Connect provides:

Kerberos SSO support: Enterprise Connect includes a built in Kerberos client and ensures that your users have a Kerberos TGT.
Account management: Enterprise Connect notifies your users, via Notification Center, when their AD password is about to expire. They can change their AD password right within Enterprise Connect.
Network shares: Enterprise Connect can mount network shares, including your AD network home and any other SMB or AFP shares you'd like to mount.

It works great if you are bound to an AD domain, but again, there is no requirement to bind to the domain to use it. It works great from a local account on an unbound system.

Enterprise Connect is driven by network state changes. When a state change occurs, Enterprise Connect checks to see if your corporate network is available, and if it is, it will acquire a Kerberos TGT, check password expiration and re-mount your shares if they have disconnected. It is also triggered by wakes from sleep and in a couple of other situations.

There's also a lot of other useful features (configuration profile support, can run scripts, etc) but for the sake of brevity I'll leave those things for later.

You may be asking "How do we get it?" or "Can I see a demo?". Please contact your Apple account team for more information on these subjects. Also, Enterprise Connect is only available to USA based customers.

I'll be following this thread, so please respond with any questions.

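As an added illustration of the connection logic Rick describes in the opening post (this is example code written for this thread, not Apple's or Enterprise Connect's code, and not KerbMinder's either): on a network-state change, decide whether the corporate domain is reachable by looking up the Kerberos SRV record, and if it is, make sure the logged-in user holds a valid TGT. The realm, the AD domain name, the use of `dig` and `klist`/`kinit`, and the `--keychain` flag of macOS's Heimdal `kinit` are all assumptions for illustration; adjust them to your own environment.

```sh
#!/bin/sh
# Added example, not Enterprise Connect's own code. Run it (or something like
# it) from a network-change trigger to keep a Kerberos TGT available while on
# the corporate network. Realm and domain are assumptions for illustration.

REALM="${REALM:-CORP.EXAMPLE.COM}"          # assumed Kerberos realm
AD_DOMAIN="${AD_DOMAIN:-corp.example.com}"  # assumed AD DNS domain

# corp_network_reachable SRV_OUTPUT
#   Takes the output of `dig +short SRV _kerberos._tcp.<domain>` and returns 0
#   if at least one KDC record came back. Looking the KDCs up in DNS rather
#   than pinging a fixed host is what makes this work over Wi-Fi and VPN too.
corp_network_reachable() {
    # each record is "priority weight port target."; empty or an error means no
    printf '%s\n' "$1" | grep -Eq '^[0-9]+ [0-9]+ [0-9]+ [^ ]+\.$'
}

# kdc_hosts SRV_OUTPUT
#   Extracts the KDC host names from the SRV answer, lowest priority first,
#   with the trailing dot removed.
kdc_hosts() {
    printf '%s\n' "$1" \
        | awk 'NF == 4 { print $1, $4 }' \
        | sort -n \
        | awk '{ sub(/\.$/, "", $2); print $2 }'
}

# have_tgt: klist -s is silent and exits 0 only when a valid, unexpired
# ticket is in the credential cache.
have_tgt() {
    klist -s 2>/dev/null
}

# ensure_tgt: the per-network-change step. Runs as the logged-in user, so no
# root is needed; kinit --keychain (macOS Heimdal, assumed) takes the password
# from the user's login keychain instead of prompting.
ensure_tgt() {
    srv="$(dig +short SRV "_kerberos._tcp.$AD_DOMAIN" 2>/dev/null)"
    if ! corp_network_reachable "$srv"; then
        echo "corporate network not reachable; nothing to do"
        return 0
    fi
    echo "KDCs: $(kdc_hosts "$srv" | tr '\n' ' ')"
    if have_tgt; then
        echo "valid TGT already present"
        return 0
    fi
    kinit --keychain "$USER@$REALM"
}

# Only act when explicitly asked, so the functions can be sourced and tested.
if [ "${1:-}" = "--run" ]; then
    ensure_tgt
fi
```

Hook it to a network-change trigger (a LaunchAgent watching `/Library/Preferences/SystemConfiguration`, for example) and it behaves roughly like the Kerberos half of what the post describes: nothing happens off the corporate network, a ticket is acquired as soon as the KDCs become resolvable.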

Posted: 11/6/15 at 2:10 PM by davidacland

Hi Rick,

Thanks for offering up the information. As you can imagine, we have customers with AD challenges over here in the UK too so U.S based only isn't all that great.

Posted: 11/6/15 at 2:10 PM by bpavlov

Hi @rjlemmon,

It seems like Enterprise Connect has a pretty good feature set. Is there any reason that Apple has opted to not include this in the base operating system or even make it available via the Mac App Store?


Posted: 11/6/15 at 2:11 PM by hkabik

My biggest question about this product is its potential usefulness in terms of DEP deployed Macs.

The biggest thing holding us back from a DEP implementation is AD integration. We have many remote users who would be unable to connect to the domain to create mobile accounts. Even for users on our domain the initial account created is still a local account so there would still be some policy magic involved to switch them over to a bound mobile account.

Would this allow us to deploy using DEP and offer our users all of the benefits of using the AD credentials without actually having to bind to our domain? How exactly does this handle the linking of their local account with their AD account? does it enforce our AD password requirements on the local account as well or would that still have to be managed by profiles?


Posted: 11/6/15 at 2:12 PM by hkabik

@bpavlov

The price is over $5K so it's really not suited for the App store.


Posted: 11/6/15 at 2:18 PM by davidacland

+1 for @bpavlov's question. As its purpose is to improve AD integration, I'd be interested to hear the reasons why it's not included in the OS by default.


Posted: 11/6/15 at 2:18 PM by hkabik


Posted: 11/6/15 at 2:23 PM by mm2270

@bpavlov, @rjlemmon may have a more direct answer for you, but from the presentation I attended on Enterprise Connect, although it wasn't stated explicitly, I got the distinct impression this tool was born out of the need the Apple enterprise support team felt was needed from listening to what was probably years of complaining from customers about how poorly Apple's OS works with AD and other LDAP environments.
All this is to say that it doesn't sound like Apple's upper management is interested in integrating this into the OS at this time, but gave the enterprise support folks the freedom to create, develop and promote this tool to help address this need.
This is all just speculation based on "reading between the lines" if you will. It was what wasn't said on the call that spoke louder than what was mentioned.

@hkabik We are in a similar boat. I don't anticipate ever being able to convince management here to move away from cached AD local accounts for our managed/company owned Macs. DEP makes that very challenging because of how it's designed around setting up a local account. DEP is really more about using the OS OOB and getting it enrolled into management, rather than getting them joined to AD or using AD accounts.
While I can see the possibility of it still being done to use AD, boy it would be incredibly tricky. Policy magic indeed!

Posted: 11/6/15 at 2:27 PM by rjlemmon

@bpavlov - Enterprise Connect is a product of Apple Professional Services. Please file a feature request or a bug if you’d like to see it added to the operating system or distributed in the Mac App Store.

@hkabik - In your case, you'd use Enterprise Connect after you've gone through setup via DEP and make a local account. You'd use a profile to manage password policy on this local account. You'd then launch Enterprise Connect and sign in with your AD account. Once you did this, Enterprise Connect would get you a Kerberos TGT, check your AD password, etc. Enterprise Connect does nothing to make your local account a mobile account - it just lets you do some AD type things like Kerberos from a local account.

Posted: 11/6/15 at 2:27 PM by bpavlov

@hkabik That may be the price, but it doesn't answer why it's not included in the base OS. Obviously Apple has support for other standards widely used in enterprise already built-in to OS X so why not include this in the OS? From Microsoft, I expect them to break out feature sets by having different versions of Windows. But I don't expect that from Apple. I'm sure there's a good reason though.

Posted: 11/6/15 at 2:27 PM by AVmcclint

I'm responding so I can be updated on the thread as more info comes in.


Posted: 11/6/15 at 2:31 PM by bentoms

@rjlemmon Can I just say it's awesome to have Apple reaching out some more about this.

Peter Beninate also opened an #enterprise-connect channel on the macadmins.org Slack.

But I'm sad at only US & echo @bpavlov's comments that this should be in the OS.

I'm one of the maintainers of ADPassMon, which was written to overcome some issues that EC would address.


Posted: 11/6/15 at 2:33 PM by tnielsen

"Account management: Enterprise Connect notifies your users, via Notification Center, when their AD password is about to expire. They can change their AD password right within Enterprise Connect.
Network shares: Enterprise Connect can mount network shares, including your AD network home and any other SMB or AFP shares you'd like to mount."

I'm afraid these features aren't too valuable. Current AD integration allows for password expiration message upon login. Mapping drives automatically is pretty simple.

Unless it allowed for me to manage specific variables on the mac (group policy style), I don't see the value. 5k for this? Sounds like a money grab to me. This kind of stuff should be included in the base OS.

Posted: 11/6/15 at 2:33 PM by bpavlov

I supplied feedback at http://www.apple.com/feedback/macosx.html to have this included in the OS. If I should be supplying the feedback somewhere else, please let me know. Thanks @rjlemmon for reaching out to the community like this.


Posted: 11/6/15 at 2:39 PM by mm2270

@tnielsen

I'm afraid these features aren't too valuable. Current AD integration allows for password expiration message upon login.

Yes, because Mac users log out and log in all the time, don't they.
Sorry, but while I agree maybe this shouldn't cost $5k, being able to be notified of pending password expiration while logged in is not exactly useless, so I can't really agree with you there. Also, it shows you your account information within a menu item, so it's pretty handy for users to be able to access this.
Lastly, I got the impression professional services is open to adding new features to the product as they go. It's kind of new.


Posted: 11/6/15 at 2:39 PM by hkabik

Yeah, I'm really going to have to see this thing to get my head around what the $5K value is. I'm not seeing anything I don't already get from ADpassmon, Kerbminder and some very simple scripting.

I'm not writing it off at all, I'm just not quite getting it yet.

One way or the other I think it's great that Apple is actively communicating with us on something that has been a bit of a mystery to a lot of us. Thanks! Can't wait to hear more about it.


Posted: 11/6/15 at 2:44 PM by bentoms

@hkabik Those of us who write those tools you mentioned (& glad you use them :) ) would be happy to see this as an OS feature... we'd probably still tinker.. but the need would be lessened.


Posted: 11/6/15 at 2:50 PM by hkabik

@bentoms

We'd hate for you to get bored. ;)

Plus I like your price tag better than theirs so far. :P

In all seriousness your fork of Adpassmon was world changing for password management here... so while I'm all gung ho for an Apple product to retire the need for your extra curricular work, WOW am I appreciative for the work you've done.

Posted: 11/6/15 at 2:52 PM by rjlemmon

All, thanks for all of the questions and feedback. I'm responding as quickly as I can, so please be patient :)

@tnielsen - It is true that current AD integration allows you to change your password at login. However, this depends on two things. First, your user must actually log out and log in to be prompted. Many users don't do this on a regular basis. Logouts consist of closing the lid and logins consist of entering a screensaver password. Also, the user must have a network connection at the login window for this to work. Unless you are using Ethernet or system level wi-fi authentication, many users won't have this in place.

Regarding network shares, there's a variety of ways you can mount network shares (login items, scripts, etc). Enterprise Connect is different in that when these shares get disconnected, like when you leave your corporate network, Enterprise Connect automatically remounts them when your network comes back online.

I should also add that Enterprise Connect is delivered as part of a Professional Services engagement. The price is $5500 and includes 2 days onsite with one of our engineers. Travel and expenses are included as well. During this engagement, we test Enterprise Connect on your network and make sure it is working properly. Some customers have unusual AD configs, etc that we need to adjust for. We also give you a "deep dive" on the tool itself, help you decide how to deploy it, etc. With any remaining time, we can help you work on any other issues or questions you have about your Mac deployment (as time permits).


Posted: 11/6/15 at 2:53 PM by bentoms

@hkabik Thanks! The recent merging was largely the work of Peter Bukowinski & @ftiff has made massive changes to KerbMinder to improve things even further.

Stuff like this, might get re-jigged to be a part of the suite at some time too...

Well that was one plan.. the other is to get EC into the OS then we can work on $theNextThing


Posted: 11/6/15 at 3:03 PM by davidacland

The professional services angle clears it up for me. Perhaps lots of feature requests would get the attention and interest of Apple management.

And just to repeat the link... http://www.apple.com/feedback/macosx.html

Posted: 11/6/15 at 3:07 PM by georgecm12

@rjlemmon Thanks for the look into this product.

It would be nice if the product could be made available "as-is, with no support or guarantee of usability or functionality" for those who want to forge ahead on their own without the professional services engagement. I do get why that might not be likely, though.

Of course, having the software integrated into the OS would work as well. :)


Posted: 11/6/15 at 3:21 PM by ftiff

Thanks @rjlemmon, it's great to see Apple opening up their communication with its community !

I first heard about Enterprise Connect two weeks ago and almost thought it was a scam :-)

I'd love to see it in action. As I'm in Europe, I extended a bit pmbuko's KerbMinder to make it work without being bound to AD. I hope we will integrate things a bit further and involve the community to make something better, @bentoms has a good idea here.

I cross my fingers to have EC released someday either in open source or in the OS.

Posted: 11/6/15 at 5:04 PM by kstrick

HI @rjlemmon , Remember your name from a few years back, at a company where we used some Apple Pro Services---
Nice to see you're still at Apple.

Does this free users from needing computer objects being created in AD?

So far, it seems like the solution is best deployed in a DEP environment, but is there something that makes it worth using in an environment where we are used to binding? (I know Apple is pushing DEP big, but not every solution is necessarily benefited by it).

I also echo what others have said about it being open source and/or part of the base OS. I dislike the lack of information about it out there, but appreciate that you are reaching out.

Posted: 11/6/15 at 5:43 PM by rjlemmon

@kstrick - Wow, that was quite awhile ago, good to hear from you!

If you use Enterprise Connect on an unbound system, there is no need to create a computer object in AD. There's also no process you need to go through to bind it to a domain. You just feed it a domain name, AD username and password and you're good to go.

If you use it while bound and logged in with an AD account, it ensures you always have a Kerberos ticket when you're on the corporate network (wi-fi and VPN included), you get notifications when your password is going to expire, you can use Enterprise Connect to change your AD password, and it eases the management of network share points.


Posted: 11/6/15 at 5:56 PM by mm2270

@rjlemmon Hi. I sat in on a demo of Enterprise Connect about a month back, and one of the things I recall about it seems important to mention on this thread. In relation to what you posted with:

You just feed it a domain name, AD username and password and you're good to go.

If I recall now, most of the same holds true for when using it on an AD bound Mac and logged into a cached AD mobile account, meaning, you still must feed it a username and password to configure the application (or is it only the password now, I can't recall) But essentially, it will not read the AD account's information and automatically just work. The client still must enter their credentials at least once to configure it for use with their account. Correct?

I do seem to remember that it has the ability to accept Configuration Profiles for setting up some of the items though. Maybe that's something you can elaborate on a little when you can, since I'd imagine many folks here would be interested in hearing about the configurability of the application. We're all about automation here after all.

Posted: 11/6/15 at 6:21 PM by ShaunRMiller83

For those who are interested... My Apple Rep mentioned that they are having a call next Friday the 13th to go over Enterprise Connect with a Q/A session at the end.

Posted: 11/6/15 at 6:28 PM by rjlemmon

@mm2270 You're correct on both things. If you're logged into your Mac with an AD mobile account, it'll pick up the username and domain at first launch. The user just needs to enter their password and sign in. They don't need to sign in again unless their password changes or there is some problem with their AD account. For the most part, once it's set up, the app runs in the menu bar and does its thing without user intervention. Users will just see the color of the app's icon change. It's yellow when your Mac isn't on the corporate network and green when it is.

And yes, the application can also be configured with a configuration profile. You can configure most settings using the Custom Settings payload of a profile. Casper does a great job of deploying this profile. Yes, EC does the right thing when a setting is configured with a profile - the configured settings get disabled in the UI so the user knows they cannot be changed.

Speaking of automation, Enterprise Connect can also execute a script whenever it goes through its connection process. We intended this to be used to audit a system prior to connecting. Think of something like host checking in a VPN client. For example, you could write a script to check if FileVault is on. If it's not on, and the script has an exit status != 0, Enterprise Connect stops the connection process, tells the user their system isn't compliant and to call the help desk. Really though, you could make the script do whatever you want it to. The only catch is that the script runs as the logged in user, so you can't do anything as root.

Bonus item - the app is also AD site aware. EC chooses a random domain controller when doing a site lookup, but once EC has determined your site, it uses local domain controllers for LDAP queries, Kerberos, etc. Again, your Mac does not need to be domain bound for this to work.
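The pre-connect script Rick describes, as an added example (written for this thread, not Apple's or Enterprise Connect's own code): a FileVault check that exits non-zero when the Mac is not compliant, which is the signal the post says stops the connection process. The script runs as the logged-in user, so it only uses `fdesetup status`, which does not need root. The exact wording of `fdesetup` output ("FileVault is On." / "FileVault is Off.") is assumed here; the parsing is kept in a separate function so it can be exercised without a Mac.

```sh
#!/bin/sh
# Added example, not Enterprise Connect's own code. A compliance check of the
# kind the post describes: non-zero exit = not compliant = no connection.
# Runs as the logged-in user, so only read-only queries are used.

# filevault_enabled STATUS_TEXT
#   Returns 0 when the text reports FileVault as On, 1 otherwise.
#   Assumed output format: "FileVault is On." or "FileVault is Off.",
#   possibly followed by further lines. A deferred-enablement state still
#   begins with "FileVault is Off." and so counts as not yet compliant.
filevault_enabled() {
    case "$1" in
        "FileVault is On."*) return 0 ;;
        *) return 1 ;;
    esac
}

# compliance_check STATUS_TEXT
#   Prints a one-line reason and returns the status Enterprise Connect will see.
compliance_check() {
    if filevault_enabled "$1"; then
        echo "compliant: FileVault is enabled"
        return 0
    fi
    echo "non-compliant: FileVault is not enabled; please contact the help desk" >&2
    return 1
}

# On a Mac, ask fdesetup for the live status and exit with the verdict.
# Elsewhere (no fdesetup) the functions above can still be sourced and tested.
if command -v fdesetup >/dev/null 2>&1; then
    compliance_check "$(fdesetup status)"
    exit $?
fi
```

Any other posture check works the same way: gather the fact as the logged-in user, decide, and return non-zero for "stop". Because the script cannot run as root, anything that needs privileges (SIP state via `csrutil status` is fine, but remediation is not) has to stay on the reporting side.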

Posted: 11/6/15 at 8:04 PM by jarednichols

@ShaunM9483 Correct, we're running a WebEx on 13 Nov on Enterprise Connect. If anyone would like to learn more and get the information for this session, please email me at "jay" "eff" "enn" (sound those out) @apple.com and I can get you the registration link.

I'm also happy to provide an introduction to your account team if you don't already know them.


Posted: 11/6/15 at 8:47 PM by marcusransom

@jarednichols @rjlemmon It would be fantastic to see this outside of the US soon. I spoke to our Apple SE here about Enterprise Connect as we currently develop our own tool to perform these functions. If there is anything we can do to help untie it from Professional Services as we do not have this service in Australia please point me in the right direction. I know that many other Universities here would be interested based on the discussions we have had around our in-house tool. Is the WebEx available to people outside the US?


Posted: 11/7/15 at 6:46 AM by james_ridsdale

I also share @davidacland and @bentoms views here. This should really be part of the OS especially if new deployment methods are to use DEP (which I prefer!).

Posted: 11/7/15 at 2:30 PM by notverypc

Wow!! This really needs to be included in the OS or at the very least made available outside the US.


Posted: 11/7/15 at 11:14 PM by cwaldrip

I agree that it'd be nice if it was included in the OS... but there's enough uniqueness in everyone's AD deployments to make that troublesome. I've got my fingers crossed, and I've emailed to get in on the WebEx.

@rjlemmon How quickly is Enterprise Connect expected to get updated after a major OS release? Is the expectation within days or quarters of the release of something like 10.12, for example?


Posted: 11/8/15 at 4:01 AM by psmac

Does EC do anything for keychain issues for bound systems?

Very happy to hear Apple are developing in this area and would love to see this built in and to be made available "as is" for us all to try it out.

Posted: 11/8/15 at 8:01 PM by rjlemmon

All,

Thanks a lot for the feedback so far.

@cwaldrip We've been staying on top of OS releases. For example, with El Capitan, EC was ready to go well before it shipped. That's our goal going forward.

@psmac It depends. By "keychain issues", I assume you're talking about the Keychain password falling out of sync if a user changes their AD password somewhere other than their Mac. If a user does this, Enterprise Connect won't get the Keychain password back in sync.

However, if your user either uses Enterprise Connect to change their password, or uses a local account + Enterprise Connect, you should be okay. If you use EC to change your password while logged in with an AD account on a bound system, EC will change your AD password, mobile account password, FileVault password and the password for your default keychain (usually login). Using a local account sidesteps the issue entirely.

Posted: 11/9/15 at 7:20 AM by AVmcclint

I think I understand some of what Enterprise Connect is about now after reading this thread and a previous one from back in June. We are required to bind every computer to AD, and we get all our password expirations taken care of with ADPassMon. You say it can be used to mount AD Network home shares. Can it also mount all the network drives (H: M: O: Q: R:...) the users would see if they logged in on a Windows PC without the user having to know the server path? Unless there's some other magic going on behind the curtain, I don't see how paying $5500 for this tool would benefit us.

And why the secrecy? Why is there no public facing webpage to explain this product?


Posted: 11/9/15 at 11:04 AM by iJake

Does EC still not change the password of a local non-AD account when the AD account password is updated through EC? If not, is this in the roadmap or something that could be added as a one off to the product during an onsite?


Posted: 11/9/15 at 11:37 AM by Eigger

@rjlemmon Do you offer EC for Education? If not, do you have any plans?


Posted: 11/9/15 at 11:43 AM by mm2270

Rick will need to respond, but I was not under the impression that by "Enterprise" it meant not for education. I can't see why Apple would exclude education from being able to use it.

Of course, the price tag may make it a little harder to swallow for smaller EDU environments. Maybe not as much for higher ed.

Posted: 11/9/15 at 12:41 PM by rickwhois

@Eigger , @rjlemmon can probably confirm this, but Apple came out to Boston a few weeks ago and did a "what's up and coming" from Apple to Higher Ed. It was all college folks there and we were all introduced to DEP, VPP, & EC and asked to reach out to our reps to get on the list. We haven't gotten pricing on this yet, so it is not clear if edu will get special pricing on it. My guess is everyone will pay the same price via Apple Professional Services.


Posted: 11/9/15 at 2:35 PM by pwb

@AVmcclint Enterprise Connect can mount a list of shares upon connecting to the corporate network (ethernet, Wi-Fi, VPN). This list can be entered by the user or pre-configured by IT.

Posted: 11/9/15 at 2:44 PM by AVmcclint

Does it get the list of shares by processing the login script defined by Active Directory? or would we have to manually edit the list for each and every user?


Posted: 11/9/15 at 3:05 PM by pwb

@AVmcclint Enterprise Connect does not process a Windows login script. You need to write the share paths to a plist - this can be done programmatically. If you already have the logic written in your login script, you just need to convert that to a shell script which writes the share paths to the plist.

Posted: 11/9/15 at 3:22 PM by rickwhois

Ideally what we are hoping we can do is enter the SMB mount point of our DFS server into EC, which would be the same for everyone. The actual shares are configured in Windows Server per user (or AD security group). We've been working towards this (DFS) for a couple of years, because to my knowledge Mac & Linux have no way of parsing a Windows logon script (without the help from $centrify). Unless Enterprise Connect can do this? We are currently a 60% Windows & 40% Mac environment so I'd rather not replicate all of our shares in Casper.


Posted: 11/9/15 at 7:27 PM by geoffreykobrien

@rickwhois I have a script that looks up the group memberships a user belongs to and performs if then mounts based on said memberships if you're interested.
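An added example tying pwb's answer (write the share paths to a plist programmatically) to geoffreykobrien's approach (pick shares by group membership). This is example code written for this thread, not Apple's, Enterprise Connect's, or geoffreykobrien's script. The group-to-share table, the plist domain and the key name are all assumptions for illustration; Enterprise Connect's actual preference keys are not stated on this page, so take those from your APS engagement rather than from here.

```sh
#!/bin/sh
# Added example, not Enterprise Connect's own code. Replaces the share-mapping
# part of a Windows logon script: derive the user's shares from AD group
# membership and write them to a plist that a menu-bar mounter can read.

# Constructed group -> share table for this example, one "group|smb URL" per
# line. Group names may contain spaces ("Finance Team"), hence the | separator.
SHARE_TABLE='
Finance Team|smb://files.example.com/finance
Marketing|smb://files.example.com/marketing
Engineering|smb://files.example.com/eng
'

# shares_for_groups GROUPS
#   GROUPS is a newline-separated list of group names. Prints one SMB URL per
#   line for every table entry the user matches, in table order, deduplicated.
#   Matching is exact (whole line), so "Marketing" does not match "Marketing2".
shares_for_groups() {
    groups="$1"
    printf '%s\n' "$SHARE_TABLE" | while IFS='|' read -r group share; do
        [ -z "$group" ] && continue
        if printf '%s\n' "$groups" | grep -qxF -- "$group"; then
            printf '%s\n' "$share"
        fi
    done | awk '!seen[$0]++'
}

# user_groups USERNAME
#   Group names as the directory reports them, one per line. id -Gn is
#   space-separated, so AD groups whose names contain spaces will be split;
#   for those, query the directory node directly (dscl/dsmemberutil) instead.
user_groups() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n'
}

# write_share_plist DOMAIN KEY URL...
#   Stores the list as an array with defaults(1). DOMAIN and KEY are assumed
#   names for illustration, not documented Enterprise Connect keys.
write_share_plist() {
    domain="$1"; key="$2"; shift 2
    defaults delete "$domain" "$key" >/dev/null 2>&1
    defaults write "$domain" "$key" -array "$@"
}

# Usage: share-map.sh --apply <username>
#   Computes the share list for the user and writes it to the (assumed) plist.
if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
    shares="$(shares_for_groups "$(user_groups "$2")")"
    # shellcheck disable=SC2086  # word-splitting the URL list is intended
    write_share_plist "com.example.sharemounter" "Shares" $shares
fi
```

Run it from a login policy as the user (the plist then lands in that user's preferences), or centrally as a script that writes into the user's home. Because the mapping lives in one table, moving the list into a DFS namespace later means changing one line per group rather than reworking the script.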

Posted: 11/10/15 at 9:45 AM by rickwhois

@geoffreykobrien sure, i could always use more scripts! thanks!

Posted: 11/10/15 at 11:07 AM by easyedc

We took delivery of EC last week. As we got towards the end of the year, and had extra budget money left over, it was an easy sell to save me time doing other things. We looked at it not as $5500 for the App, but really as just PS time.


Posted: 11/20/15 at 9:29 AM by Chris_Hafner

@rjlemmon Hey, I tried talking with my account rep and she has no idea what I'm talking about. Anyone specific I should contact with questions?


Posted: 11/25/15 at 9:09 AM by Kallendal

very interesting development; Enterprise connect.

For those that are using this technology, it only works with local accounts?

Or integrates into AD/OD centralized management accounts on the Mac systems with regards to kerbinization and password syncing (similar to say ADPassMon/Kerbminder combo that others have mentioned)?

I sent an email to consultingservices@apple.com, haven't heard anything back yet. Our Jamf/CS rep did state it was legitimate, and sounds pretty cool overall.

But as with all things Mac... proof is in the pudding.

Thanks


Posted: 11/26/15 at 4:31 PM by Simmo

Also posting here to see updates, would be quite interested to see this in countries other than the US and as a stand alone app not needing the Apple pro services visit.

Posted: 11/27/15 at 9:38 PM by itupshot

This is the first time I read of any of this. It sounds interesting. Our Macs are currently bound to AD using the OS's AD plugin. We bind them as part of the Casper Imaging process.

One of my biggest challenges is getting our Mac users to change their AD password before it expires. They don't log out, no matter how hard I try to convince them to. Because of this, they don't see when their password expires, and we get situations when it expires while they're out of the office, and they're stuck for a while.

Secondly, after they change their password, we get those annoying "Local Items" keychain prompts that never go away unless we manually delete that folder from their ~/Library/Keychains folder and restart.

Our passwords expire every 90 days, and people never remember what they need to do to reset them.

Will this tool get rid of those "Local Items" keychain prompts?

Posted: 11/27/15 at 9:56 PM by KDE82

So itupshot:
This might not have all the answers but sure helped me a lot http://www.jamfsoftware.com/resources/getting-users-to-do-your-job-without-them-knowing-it/

Posted: 11/27/15 at 9:56 PM by itupshot

@geoffreykobrien I'd be interested in taking a look at your script as well.

I have looked into ADPassMon, but I'm still not sure it'll help us get rid of the "Local Items" keychain issue.

@KDE82 Thanks for the link. That was a great presentation. I'm going to see if the GitHub for it is still online.


Posted: 11/28/15 at 2:30 AM by bentoms

@itupshot if a user forgets their old keychain password.

ADPassMon will reset their login.keychain & delete their local items & then restart their Mac.

There is some more work to be done, via adding some features from keychainminder


Posted: 11/30/15 at 8:03 AM by jaharmi

Is EC available to US customers that have a worldwide presence? Are there any restrictions on its use outside the US?

What about use with multiple AD forests/domains? Is that handled when professional services configures it?


Posted: 11/30/15 at 9:00 AM by mm2270

Based on the first post on this thread, one of the last sentences:

Enterprise Connect is only available to USA based customers

Emphasis is mine.

I think some of the Apple folks would need to confirm, but I read that as limited to companies that have their main headquarters in the US, not necessarily that it can only be installed in US locations. At least I would hope that's the only limitation, since many companies that could use this would be in the same situation; US based, but have offices in many locales around the world. It probably has to do with the on site professional services visit to get it set up.

Posted: 11/30/15 at 12:20 PM by cdenesha

For a non-bound Mac with a local account, does EC allow a user to print to a Windows print server without authenticating? I'm trying to figure out how to get away from IP based printing.

Also, for those posting to get updates on the thread - you can instead add a bookmark by clicking the plus sign at the top right and you'll get all email updates. :)

chris


Posted: 12/3/15 at 2:59 PM by analog_kid

I will also be very interested in EC once it's available to higher ed.

Posted: 2/23/16 at 2:46 PM by mlavine

Does anyone have any updates on Enterprise Connect? Has anyone purchased and implemented it? What are your opinions?


Posted: 2/24/16 at 12:14 AM by ftiff

Hi Matthew,

I purchased it and implemented it.

The “purchase” was more a 2 days contract for Apple Professional Services. The actual setup lasted an hour. APS engineers are very knowledgeable and super nice. Enterprise Connect doesn’t modify your infrastructure.

If you have a 'standard' AD setup, EC should integrate very easily. Otherwise, the 2 days might come in handy :)
If you want to test before, download and install KerbMinder. If it works straight away, chances are EC will work too.

To be honest, in my case, EC wasn't better than KerbMinder, and I lost the possibility to tweak it myself. But the EC team is great and you get great Apple support.

Posted: 2/24/16 at 7:41 AM by mlavine

Hi ftiff,

Have you tested how well it works for unbound machines?

How do your users like it?

Are there any features that you know Apple wants to add to the product?


Posted: 2/24/16 at 7:59 AM by ftiff

Hey @mlavine

Yes, we use it exclusively on unbound machines.
Our users barely notice it. To be honest, they don't care. They have single sign-on, that's all they want to know. Yes, I have quite a few features I'd like to add:
- remove the GUI, it's not needed and users don't like to have lots of icons in the menubar. It feels like Windows
- push username and realm from a profile
- use AD login and password from the one entered in SetupAssistant. I hope this will come if it ever becomes native to OS X
- open a per-app VPN to get the kerberos ticket when outside of corporate network

But again, it works great.

Posted: 3/1/16 at 3:42 PM by hunter99

I work in government. Would this work with PIV/CAC enabled accounts? Can this support PIV/CAC logins to network shares, etc. How would that work with remote users? I can use via VPN.

This part is directed at the Apple person that posted this. Please bring back PIV/CAC support in the OS natively. When it was dropped, Macs in government were not that much. Nowadays, Macs are infiltrating at an exponential rate. Eliminate the 100% need for me to bind the Mac to AD and there will be a whole lot more real fast. Yes, I have put feedback in on Apple's page. I am just trying to get this heard wherever I can.

Posted: 4/12/16 at 5:58 PM by adisor19

Does this tool work only with AD domains or does it also work with OD ?

Posted: 4/19/16 at 9:54 AM by rkovelman

Why not just use Centrify? We use it as we purchased it prior to Apple releasing this, but you can manage it all through GPOs, SSO, etc. Haven't looked at pricing between the two, but almost everyone from a security perspective knows Centrify.

https://www.centrify.com/

https://www.centrify.com/products/identity-service/mac-management/


Posted: 4/19/16 at 9:57 AM by Chris_Hafner

So far as I remember there is a significant price difference, but I don't have all those numbers off hand!


Posted: 4/19/16 at 10:43 AM by cwaldrip

-ignore-


Posted: 5/12/16 at 3:21 PM by bradtchapman

@rkovelman Centrify is about $90/seat IIRC. How much does the Apple Enterprise Connect cost after the $5K integration? Maybe the cost of EC would make the difference for certain organizations.

Posted: 5/12/16 at 3:23 PM by easyedc

@bradtchapman Enterprise Connect is just the one-time professional services fee to configure it. It's also supported by Apple Care OS Support, so that's a plus too.

Posted: 5/12/16 at 3:24 PM by mlavine

@bradtchapman As far as I know you only pay once for Enterprise Connect and that is the initial $5500.

Posted: 5/12/16 at 3:27 PM by rkovelman

You get what you pay for. I haven't seen it but FWIW people have given it bad reviews online. Still too new and missing too many functions.

Posted: 5/13/16 at 3:10 PM by easyedc

From the standpoint that EC is really 2 days of professional services with Apple plus an app that would probably help in your environment, the cost is pretty low, IMHO. What functions are you looking for?


Posted: 5/13/16 at 3:25 PM by mm2270

@rkovelman bad reviews online? Where exactly are these reviews you're referring to? Given this isn't something sold on the MAS or other public channels, I'd love to see such "reviews". Especially since, as you say, you "haven't seen it". Or is this the old "I read it somewhere on the internet so it must be true" meme?


Posted: 5/13/16 at 3:29 PM by iJake

We have purchased EC and had Apple add the ability to sync the AD password with the local password as this was the real issue keeping us from using the product. We are still in the development phase but we plan to reengineer our whole password policy and account enforcement around this app. It doesn't do everything but it is simple, lightweight, inexpensive, and being actively developed.

Posted: 5/13/16 at 4:12 PM by kstrick

What I'd really like to see is a Keychain remediation feature built in to it, like ADPassmon...


Posted: 5/13/16 at 4:14 PM by iJake

That would be nice, for sure. Until then it can fire off a script when a password change is made, and you could do that now for the keychain items you want. They have an example script posted. We are using that script to post the new creds to our password sync tool website.


Posted: 5/13/16 at 5:31 PM by gachowski

While it would be nice for the Apple Professional Services team to fix the Keychain issues, I don't think it's fair for them to do the job of a different internal Apple team.

Insert rant about how the keychain issues should have been fixed years ago and that if somebody in Apple could write in "normal" English, 3/4 of everyone's tickets, including Apple's, would disappear if the pop-up sync window just said "please enter last password". "Got to love that Apple ease of use"

C


Posted: 5/13/16 at 6:07 PM by mm2270

I couldn't agree more with @gachowski's comment above. It's utterly astounding that that dialog has not been revamped by now. It's the single most confusing dialog Apple has in their OS and bafflingly continues to have in there. I can only imagine how many complaints Apple has received over the years about this, and they've yet to change it.
But, you can bet Apple will have designed some new system font for 10.12, or recreated all the app icons or something, because, you know, that's actually what's important after all.

Posted: 5/19/16 at 2:28 PM by CorpTech

I just sat through the Web Ex on this and it seems that it can be boiled down to a few things:

  • The cost is really going towards having an engineer onsite for 2 days
  • It helps sync local items (keychain) to what the AD password is
  • Reminds to change AD password without logging out
  • Maps drive
  • Can trigger scripts to run

It doesn't necessarily seem like a game changer or a magic bullet, but a nice little in-between for the computer and the domain controller.

Can anyone that has purchased this at their organization verify this? Is there a solid benefit in implementing this?


Posted: 5/19/16 at 5:45 PM by iJake

@CorpTech EC does not directly sync local items with the AD password. What it can do is run a script after an AD password change. They have an example that prompts the user for access to the EC keychain item thus retrieving the password and from there you can script updates to keychain items and other things. All of the other items are correct.

Posted: 5/20/16 at 8:16 AM by CorpTech

@iJake is that scripting process and creation where having the engineer onsite comes in?


Posted: 5/20/16 at 8:43 AM by iJake

@CorpTech Yes, they would definitely help craft those with you.

Posted: 5/20/16 at 8:45 AM by rkovelman

@mm2270 Do some googling and you will come across it...If you ever want to find negative reviews on a product the internet is littered with it. Looking for a good one, not so much.


Posted: 5/20/16 at 2:14 PM by sgoetz

We purchased EC and use it on all of our domain-bound Macs. Our users seem pretty happy with the tool as it syncs the Keychains with the AD password at the time of password change without having to log out and log back in. I also like the fact that if you are not on your corp network it will give you an alert saying to connect to the corp network first before trying to change your password. It also mounts the network drives after the login has happened and the user gets control of the screen, so this doesn't tie up or slow down the login process, which I have seen when trying to map drives at login. Furthermore, it gives a nice pop-up in the notification center letting users know their password is going to expire.

The only thing that we still have issues with is Macs falling off the domain, rendering EC useless. So I wrote a long script that checks if the machine is bound to AD, if the AD keychain is present, and if the machine is actually still in AD. If any of the tests fail, it launches my AD binding policy to rebind the machine to the network. I have this script run once a week on all machines.

Hope this helps out!!!

Shawn Goetz

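As an added example (not Shawn's script and not anything from Apple), here is a weekly health check in the shape described above: it parses `dsconfigad -show`, verifies the binding configuration is still on disk, reads the computer object back from the domain, and hands off to a Jamf rebind policy when any test fails. It assumes a Mac with dsconfigad, dscl and jamf on PATH, a hypothetical custom policy trigger named "rebind-ad", an assumed binding plist path, and the `-show` layout reproduced in the constructed sample.

```shell
#!/bin/bash
# Added example, not the poster's script: weekly AD-binding health check.
# Assumptions: macOS dsconfigad, dscl and jamf on PATH; the rebind policy is
# tied to a hypothetical custom trigger "rebind-ad"; the binding plist path and
# the `dsconfigad -show` layout are as observed on macOS 10.x.

# Constructed sample of `dsconfigad -show` output (not captured from a real Mac).
SAMPLE_SHOW='You are bound to Active Directory:
  Active Directory Forest          = ad.example.com
  Active Directory Domain          = ad.example.com
  Computer Account                 = mac-0001$

Advanced Options - Administrative
  Preferred Domain controller      = not set
  Password change interval         = 14
  Namespace mode                   = domain'

# Test 1: the directory service reports the Mac as bound ($1 = -show text).
is_bound() {
  printf '%s\n' "$1" | grep -q '^You are bound to Active Directory'
}

# Pull one "Key = value" field out of the -show text ($1 = text, $2 = key).
# Prints the value and returns 0; returns 1 when the key is missing or empty.
show_field() {
  local value
  value=$(printf '%s\n' "$1" \
    | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" \
    | head -n 1)
  [ -n "$value" ] && printf '%s\n' "$value"
}

# Test 2: the configuration dsconfigad wrote at bind time is still on disk
# ($1 = domain; assumed path, one plist per bound domain).
binding_config_present() {
  [ -f "/Library/Preferences/OpenDirectory/Configurations/Active Directory/$1.plist" ]
}

# Test 3: the computer object can still be read from the domain ($1 = computer
# account as shown by dsconfigad, trailing "$" included). The NetBIOS node name
# is taken from the first node dscl lists under /Active Directory.
computer_account_in_directory() {
  local node
  node=$(dscl localhost -list "/Active Directory" 2>/dev/null | head -n 1)
  [ -n "$node" ] || return 1
  dscl "/Active Directory/$node/All Domains" -read "/Computers/$1" RecordName >/dev/null 2>&1
}

# Run all three tests on this Mac: returns 0 when healthy, 1 with a reason
# on stdout when a rebind is warranted.
ad_health_check() {
  local show domain account
  show=$(dsconfigad -show 2>/dev/null)
  is_bound "$show" || { echo "not bound"; return 1; }
  domain=$(show_field "$show" 'Active Directory Domain') || { echo "no domain in config"; return 1; }
  account=$(show_field "$show" 'Computer Account') || { echo "no computer account in config"; return 1; }
  binding_config_present "$domain" || { echo "binding config missing for $domain"; return 1; }
  computer_account_in_directory "$account" || { echo "$account not found in AD"; return 1; }
  echo "bound to $domain as $account (machine password interval: $(show_field "$show" 'Password change interval') days)"
}

# Entry point for the weekly Jamf policy. Jamf passes $1-$3 itself; set script
# parameter 4 to "run" in the policy so the check only fires from there.
if [ "${4:-}" = "run" ]; then
  if ad_health_check; then
    echo "AD binding healthy"
  else
    echo "AD binding unhealthy; triggering rebind policy"
    jamf policy -event rebind-ad
  fi
fi
```

The reported "Password change interval" is the value `dsconfigad -passinterval` sets; a machine that misses that rotation is a common reason the third test starts failing.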

Posted: 5/20/16 at 5:40 PM by ssrussell

Hey @sgoetz

Not sure if this will help, but you can look into the password interval for dsconfigad. From what I understand by default, unless you change it, the Mac will change its Machine AD Password every 14 days. You can change it to 0 (never changes) or to a longer interval. Something to consider.

dsconfigad -passinterval 0

I'm guessing if the password change fails it becomes unbound.

Posted: 5/24/16 at 6:48 AM by barnesaw

So if I have read through all of these comments correctly, if password changes are done through a service external to the Mac, the Keychain still gets locked and I still have to walk my users through deleting their keychain and restarting to create a new one?

When is Apple going to scrap the keychain? It's a festering pile with no redeeming qualities.


Posted: 5/24/16 at 7:16 AM by dpertschi

When is Apple going to scrap the keychain? It's a festering pile with no redeeming qualities.

The Keychain concept is a valid (dated) consumer feature developed by a Consumer Electronics company.

As admins for Enterprise users, we will always be circling the consumer features trying to engineer solutions to bend them to fit our needs.

Posted: 5/24/16 at 8:53 AM by rkovelman

It won't be easy to drop Keychain as everything is stored in there, including the Kerberos ticket and password. Keychain, I would hope after 15 years or whatever, is a hardened app; it's just trying to figure out how to "mess" with it to do what you need it to do.


Posted: 5/24/16 at 12:39 PM by Mhomar

@rjlemmon Can you give me a number to call? I seem to be getting bounced around at Apple inc.

Can anyone?

Posted: 5/24/16 at 12:46 PM by easyedc

@Mhomar Call your Apple sales rep, they should be able to get you squared away.

Posted: 5/24/16 at 1:01 PM by jason.bracy

I've called and emailed as well and have never been able to get anyone at Apple to contact me. Considering that we are a huge enterprise company - and we PAID for a Readiness Review 2 years ago (we received the report, but my requests to schedule the actual presentation were never returned) my management is not very happy with Apple. We keep getting reassigned to different reps and engineers and basically it is a fight just to allow Apple products in the environment. If Apple really wants to start supporting their enterprise customers, then they might want to actually start supporting their enterprise customers.


Posted: 5/25/16 at 12:53 AM by chrisbju

@pwb is the guy to contact.


Posted: 5/25/16 at 5:40 AM by pwb

Hey @jason.bracy. Sorry to hear that. Shoot me an email. pwb at apple.

Posted: 5/26/16 at 11:19 AM by jdman

@jason.bracy: I will send you an email directly. Sales teams do get moved around, as in every organization, but the Apple PS team is still here to support you. Larry, who performed the Review, and Tracy M. are still available anytime you need help. Obviously Peter, who responded, is also on our team. Thanks. JD Mankovsky - Sr. Manager - APS

Posted: 5/26/16 at 11:22 AM by jason.bracy

Thanks @jdman


Posted: 5/26/16 at 1:15 PM by chad.fox

@pwb would it be possible to send more information about Enterprise Connect?

I've contacted the Business Team at the local Apple Store and let's say.... they had no idea.


Posted: 5/26/16 at 1:20 PM by lcutrell

@chad.fox Please send me an email to lrc at apple.com and I will send you over more information.

Thanks
Larry


Posted: 5/26/16 at 2:47 PM by ericbenfer

An Enterprise Connect Demo is scheduled for next week.
Thursday, June 2, 2016
2:00 pm | Eastern Daylight Time (New York, GMT-04:00) | 1 hr

Register
After your request has been approved, you'll receive instructions for joining the meeting. Note: if the Registration site asks for a meeting #, use: 740 248 728

Posted: 5/31/16 at 10:00 AM by Emmert

I don't think I'll be able to watch much of this as it conflicts with another meeting I have scheduled.

It looks like it would be a fantastic solution to add to our environment, except for the price tag that's inexplicably on it.


Posted: 7/12/16 at 1:04 PM by dstranathan

Apple Enterprise Connect Demo 13
Tuesday, July 19, 2016
12:00 pm | Eastern Daylight Time (New York, GMT-04:00) | 1 hr 15 mins

Register

After your request has been approved, you'll receive instructions for joining the meeting.


Posted: 7/15/16 at 2:18 PM by andrew.taylor

@lcutrell Please send more info about Enterprise Connect.


Posted: 7/19/16 at 2:36 PM by bradtchapman

Thank you, @dstranathan for notifying us about the demo today.


Posted: 7/19/16 at 2:54 PM by Chris_Hafner

Thanks! Any chance for a recording or another webinar? By strange demands on my time children I missed it.


Posted: 7/19/16 at 2:56 PM by Josh.Smith

@dstranathan I wasn't able to make that demo today, can you share how you learn about such things? I'd like to participate in a future demo. Contact Apple Rep or is there a better way?


Posted: 7/19/16 at 3:11 PM by dstranathan

I missed it too. Had to put out a couple of fires (not involving Pokemon Go, I swear).

I'll ask my Apple rep about the next demo.


Posted: 7/19/16 at 4:04 PM by gachowski

I think if you signed up for the demo, you should get an invite to the next one... or at least I did : )

C


Posted: 9/2/16 at 11:17 AM by scottb

Hoping for another demo myself. Placeholder... @rjlemmon Thanks!

Posted: 10/28/16 at 3:31 PM by dave

We purchased EC and have been playing around with the configs a bit, a couple of things we learned.

EC works better when changing AD passwords directly against a DC. We use a web portal for the users to log in and initiate a password change that eventually filters down to AD. We knew going into the purchase we couldn't use EC to change a password directly, but it does pick up and alert the user when it detects the AD password is different than the EC password, and prompts for change.

Because we do not change the password directly in EC, we miss out on it updating the keychain passwords, and I think even the FV2 password. We are still trying to see how we can interject a script to run during that prompt for password update, but as of now it appears the only script triggers are at network state change or password change.

Hopefully we'll have more time to finalize this in the next month or two, I'll update the findings as we go along.

@pwb , would it be ok to post/share the Enterprise Connect documentation for people to review?


Posted: 10/28/16 at 3:41 PM by iJake

@dave I assume that portal exists because there are other directory systems that need passwords changed, so the portal acts as the sync tool? We have a similar situation. I wonder, though, if you could do as I have set up: we change the password with EC but then use that trigger to run a script that posts the new password to our portal so we can sync the new AD password to the other systems.

Posted: 10/28/16 at 3:50 PM by dave

@iJake Correct, our peoplesoft/idm environment serves as the master and changes flow down to AD. I'd be interested in more details of how you're doing that for your env. Our portal has 2 factor auth in play, so it might be a whole new level of fun.

Oh, I forgot to mention that EC has us looking at switching from domain account logins to local again, with EC managing the pw sync to the local account. We've lived a nightmare of keychain issues when the AD pw is changed and users can't unlock/sync up their keychain properly. Also with so many wireless users, and our wifi requiring auth, which is not available at lockscreen, they were in a world of hurt if they changed their pw and couldn't wire into the network to login afterwards. Hoping the local account will alleviate some of those pain points.


Posted: 10/28/16 at 3:57 PM by iJake

@dave Oh lord, two factor would be...fun? Is it just username and then the token for auth and then it asks for the new password? Or does it need token, old password and then new password? Theoretically possible to prompt for that first factor and post it for them, but not sure how worth it it would be. I would highly recommend using local accounts and having EC take the place of AD with password sync on.

As far as our portal, it's just AD auth and once you're able to log in it will then trigger the sync. So, for me it's just a simple HTTP post. I have a loop that keeps trying the new AD creds against that form until it gets back a good result. It will bail if it tries too many times, though.

Posted: 11/2/16 at 2:46 PM by Ease

Hello!

The company I work for is looking to deploy EC in the near future to address pw management, kerberos/dfs issues.

We just rolled out Cisco ISE and I wanted to know if anyone could confirm that EC does not conflict/functions w/ Cisco ISE.

Thanks in advance -


Posted: 2/1/17 at 10:26 AM by bbracey

Hello,

We incorporate EC on all our Macs here. Once a user changes their password, they are prompted for a CommServe login? The prompt only accepts his old password. Any ideas?

Posted: 2/1/17 at 10:29 AM by easyedc

@bbracey are you using AD accounts? Or are they local accounts?


Posted: 2/1/17 at 11:03 AM by bbracey

These are AD accounts. The accounts on the Macs are managed and mobile. Is there any way to confirm EC changes all the necessary keychains?


Posted: 2/6/17 at 2:45 PM by DA001KL

@Ease Did you find your answer as I am in the same boat

Posted: 2/7/17 at 9:23 AM by jcompton

Lots of questions on keychain cleanup after password change.

EC is able to run a custom script (of your choosing) after a successful password change. Rick includes some sample code that this really cool guy named Jeff gave him. :)

It may not suit your environment exactly, but it can give you some ideas of what you can do.

EC ROCKS !

Posted: 2/7/17 at 12:51 PM by Ease

@DA001KL I spoke to an Apple engineer:
"Can't see how. It's Mac to AD. ISE either works or doesn't. May need password change script via EC to keep keychain up to date for wifi if using PEAP 802.1X authentication."

I also spoke with a senior network engineer and since ISE uses certs and draws from AD there should be no issue.

Lastly, EC has already been deployed in enterprise environments that also use Cisco ISE authentication.


Posted: 2/17/17 at 3:46 PM by jrserapio

Hi @Ease

If you want to take it offline about ISE, I can assist and answer your questions about ISE integration. Are you doing the integration through the JSS?

Posted: 3/16/17 at 11:58 AM by ice2921

Does anyone know if this works with Azure AD Directory Services? Has anyone implemented this with Azure at all? It seems as though there is very little information on this solution. Thanks

Posted: 4/13/17 at 2:43 PM by wmckin

@ice2921 - Just stumbled upon this, looking for updates to this exact issue. The short of it is no, Enterprise connect doesn't support AzureAD integration; at all. I was hoping to see functionality similar to Windows 10 where I could log in with Azure AD creds on the OS but alas, it's not there. I spoke to both MS and Apple about this and the onus is on Apple to develop the solution. From what I was told from Apple, this isn't even roadmap. To save you some time, I also tried falling back to LDAPS served from AzureAD and enterprise connect wouldn't even leverage that. It's unfortunate but hopefully things change.


Posted: 4/17/17 at 10:38 AM by lgt28jr

@rjlemmon We purchased Enterprise connect almost a year ago and I am wondering if there are any version updates to the App. The version we have now is 1.6.1 (4)


Posted: 4/17/17 at 11:14 AM by bradtchapman

@lgt28jr : You should be reaching out to your Apple business rep for updates. ;-)

The current version is at least 1.6.4.


Posted: 4/17/17 at 11:24 AM by spalmer

@lgt28jr You should be receiving emails from the Apple Professional Services group when updates are available.

After we went through the required two-day onsite for the purchase we gave them our email addresses (actually a mailing list in case we ever need to change who the contacts are) and we have received emails for every version update since we purchased it, which is about a year ago for us as well.


Posted: 4/17/17 at 12:42 PM by lgt28jr

Thanks, I thought we did the same. About 10 minutes after posting this I received an email from Apple Professional Services with the latest update. How's that for service, wow!!! I also gave them an alias to use, so this has been resolved.


Posted: 5/1/17 at 9:17 AM by ccarlton

Next EC demo Monday, May 15, 2017:

APS Enterprise Connect Demo 25
Monday, May 15, 2017
10:30 am | Central Daylight Time (Chicago, GMT-05:00) | 1 hr 30 min

http://tinyurl.com/ECDemo25

Posted: 5/2/17 at 6:59 PM by lakingsfn

Hi Everyone!

So I'm working at an enterprise company that deployed EC a few months ago. What we're noticing (especially for remote users) is that if their Mac has fallen off our AD domain, EC will log in but will not allow a domain password change. If we re-bind the Mac to the domain (connected via VPN, of course) EC will allow a domain password change.

Any ideas as to what might be causing this?

Thanks!


Posted: 5/2/17 at 7:24 PM by Stephen.Perry

This is the expected behavior of EC. The domain must be accessible to perform a password change.

Posted: 5/3/17 at 3:25 PM by lakingsfn

Right, but from the original poster:

"It works great if you are bound to an AD domain, but again, there is no requirement to bind to the domain to use it. It works great from a local account on an unbound system."

Unless the "local account" is the key, we use AD accounts here.

Thanks!


Posted: 5/3/17 at 4:29 PM by Stephen.Perry

Directory "binding" is not required; however, the directory must be accessible and directory authentication available. Two different things here.

Posted: 5/3/17 at 9:55 PM by clarachao

Is there currently any way to hide the Enterprise Connect icon in the menu bar? Even with Bartender (https://www.macbartender.com/) in use, it remains persistent.

Posted: 5/4/17 at 6:45 AM by See&Understand

@rjlemmon - in your initial post, you stated

It also enhances AD integration for Macs that are domain bound and have a user logging in with an AD account.

But that was a couple of years ago. Is that still the case? Or is the recommendation by Apple, that when using EC, to not have your machines bound to the domain?


Posted: 5/11/17 at 7:54 PM by cainehorr

We are using Apple Enterprise Connect at my place of employment. Let me just say this... it's a god-send!

It allows me to deploy DEP-enabled Macs to my end-user community and still have those same Macs get bound to Active Directory and leverage Kerberos authentication as well as password synchronization and password expiration notifications.

Here is my workflow (more or less) for those who are interested in my zero-touch deployment...

  1. Order DEP enabled Mac
  2. Power On
  3. User logs in with AD credentials
  4. JAMF agent gets deployed
  5. System reboots
  6. FileVault encryption is enforced
  7. System reboots
  8. JAMF wraps up deployment (this includes a hostname change to meet NetBIOS 15-character limits, VPN client and Apple Enterprise Connect)
  9. The user connects to VPN
  10. The user clicks a "Bind to AD" script within Self Service
  11. The user logs in with Apple Enterprise Connect

We are still working on automating the last few steps. My proposed automation goes a little something like this...

  1. Order DEP enabled Mac
  2. Power On
  3. User logs in with AD credentials
  4. JAMF agent gets deployed
  5. System reboots
  6. FileVault encryption is enforced
  7. System reboots
  8. JAMF wraps up deployment (this includes a hostname change to meet NetBIOS 15-character limits, VPN client and Apple Enterprise Connect)
  9. The user connects to VPN
  10. JAMF detects a network state change
  11. Some scripts run to test the validity of the connection
  12. AD binding takes place behind the scenes
  13. Apple Enterprise Connect is then presented to the end user for final login

Anyway - Apple Enterprise Connect is awesome. It makes conception a wonder and child birth a pleasure!

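As an added example (not cainehorr's script and not anything from Apple or Jamf), here is one way to write steps 11 and 12 of the proposed automation: a script for a Jamf policy on the network state change trigger that confirms the domain is actually reachable through the VPN before binding behind the scenes. It assumes macOS dig, nc, dsconfigad and hostname on PATH, that the policy supplies domain, bind account, bind password and target OU as script parameters 4 to 7, and that the bind account is a least-privilege account allowed only to join computers to that OU; the SRV sample is constructed.

```shell
#!/bin/bash
# Added example, not the poster's script: "test the connection, then bind".
# Assumptions: macOS dig, nc, dsconfigad and hostname on PATH; Jamf passes
# $1-$3 itself and the policy supplies domain, bind account, bind password and
# target OU as script parameters 4-7; the bind account is a least-privilege
# account permitted only to join computers to that OU.

# Constructed sample of `dig +short SRV _ldap._tcp.dc._msdcs.<domain>` output:
# "priority weight port target." per line (not captured from a real domain).
SAMPLE_SRV='10 100 389 dc02.ad.example.com.
0 50 389 dc01.ad.example.com.
0 100 389 dc03.ad.example.com.'

# Choose the DC the SRV records prefer: lowest priority, then highest weight.
# Prints "host port" with the trailing dot stripped, or nothing if no records.
pick_dc() {
  printf '%s\n' "$1" \
    | awk 'NF == 4 { sub(/\.$/, "", $4); print $1, $2, $3, $4 }' \
    | sort -k1,1n -k2,2nr | head -n 1 \
    | awk '{ print $4, $3 }'
}

# Connection validity test: the SRV records resolve (DNS reaches the domain,
# e.g. over the VPN) and the preferred DC answers on its LDAP port.
domain_reachable() {
  local srv sel
  srv=$(dig +short SRV "_ldap._tcp.dc._msdcs.$1" 2>/dev/null)
  sel=$(pick_dc "$srv")
  [ -n "$sel" ] || { echo "no DC SRV records for $1"; return 1; }
  nc -z -w 3 "${sel% *}" "${sel#* }" >/dev/null 2>&1 \
    || { echo "${sel% *} not reachable on port ${sel#* }"; return 1; }
  echo "using ${sel% *}"
}

# Bind once the connection checks out. Skips a Mac that is already bound and
# truncates the computer name to the 15-character NetBIOS limit.
bind_if_ready() {
  local domain=$1 bind_user=$2 bind_pass=$3 ou=$4 name
  dsconfigad -show 2>/dev/null | grep -q '^You are bound' && { echo "already bound"; return 0; }
  domain_reachable "$domain" || return 1
  name=$(hostname -s | cut -c1-15)
  dsconfigad -add "$domain" -computer "$name" -username "$bind_user" \
    -password "$bind_pass" -ou "$ou" -force
}

# Policy entry point: parameters 4-7 come from Jamf (unset when sourced for tests).
if [ -n "${4:-}" ]; then
  bind_if_ready "$4" "$5" "$6" "$7"
fi
```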

Posted: 5/16/17 at 10:03 AM by jhuls

@cainehorr I'm running on little sleep so bear with me but I'm not clear on how your process works at the beginning. How does the DEP enabled Mac let you log in with AD credentials if the Jamf agent isn't installed yet? At what point does Enterprise Connect get installed? I've never used it so I'm not familiar with the details of it although I caught part of a demo once.


Posted: 5/16/17 at 1:07 PM by cainehorr

@jhuls

Your primary question: How does the DEP enabled Mac let you log in with AD credentials if the Jamf agent isn't installed yet?

1st - If you have JAMF configured to use DEP, then all your Macs and/or iOS devices will receive the JAMF client as a part of the DEP enrollment process.

2nd - My users DO NOT log into their Macs using Active Directory credentials - they log in with local user accounts.

3rd - Apple Enterprise Connect gets installed as part of the JAMF deployment process.

4th - Users connect to the network either locally or over VPN. Users then log into Apple Enterprise Connect using their Active Directory credentials. This is where the Kerberos authentication takes place. Apple Enterprise Connect also synchronizes the user's local user account password with their Active Directory account password. The user's local Mac keychain is updated as a part of this process.

Hope this clarifies. ;-)


Posted: 5/16/17 at 1:57 PM by jhuls

@cainehorr Thanks, but that falls in line with what I already assumed. In reading the workflow you mentioned above I didn't read it the same way, though, which is why I asked. You mentioned the user logging in with AD credentials before the Jamf agent was installed. Did I miss something there?

At any rate there's been some thought put into using it. The biggest issue I've been told that it might not be best for us is that it's not designed to be used with multi-user systems. Most users have their own system, but there are a few used by multiple people.


Posted: 5/16/17 at 2:12 PM by cainehorr

@jhuls

Ah - I see the discrepancy that is tripping you up...

Let me clarify...

When you deploy a DEP enabled device, the user must authenticate before the remainder of the initial Apple setup process will continue. This authentication process takes place either through JAMF's internal user directory or another directory service (such as LDAP); in my case, Active Directory.

DEP then calls home to Apple. Apple recognizes the device as belonging to your company. Apple also knows what your MDM solution is. Apple calls home to your MDM. MDM confirms the username and password via your directory service. Once authenticated, your MDM tells Apple that all is well with the world. Apple reports back to the DEP-enabled Mac and Bob's your uncle. It's essentially a cloud-based version of the "Golden Triangle".

Here is where your missing link resides...

Once authenticated, the Apple setup process will continue and the user is prompted to create a local user account on the Mac... The username and password fields are already filled out using the credentials as submitted to DEP, but even though they "look" like your AD/LDAP credentials, they are actually just being applied to a local account.

Take note - the user can still change the local username and password at this point...

Once the user submits this info, the Apple Setup process creates the local account and the desktop rears its head.

Once Apple Enterprise Connect (AEC) is invoked, the user types in their network (LDAP, AD, etc.) username and password. AEC guarantees that the local account (regardless of username format) and the AD/LDAP account passwords are synchronized. And because AEC is now active and logged in on behalf of the network user, your Mac acquires a Kerberos ticket-granting ticket.

Hope this further clarifies...

So as you see, my workflow is sound... Until now, I hadn't broken down (in detail) the relationship between the Mac, Apple (DEP/APNS), and the MDM.


Posted: 5/16/17 at 2:16 PM by cainehorr

@jhuls

As for multi-user systems - I can't speak to that as I have not personally had to deal with that in my environment.

That's a great question for @rjlemmon (Rick Lemmon)


Posted: 5/16/17 at 2:39 PM by jhuls

@cainehorr Ah, ok...that's making more sense now and, again, falls in line with what I know. Your terminology stating they "logged in" might be more accurate as "authenticates with AD credentials". It also threw me because we don't have authentication enabled for DEP Macs here. I simply forgot about that feature.

Either way all is good...thanks for getting back to me. It would be good to hear from someone on the multiuser aspect. I received that information from an Apple engineer but he wouldn't go into more detail other than to say that EC might not be a good solution for us.