About Enterprise Connect

Hi Rick,

Thanks for offering up the information. As you can imagine, we have customers with AD challenges over here in the UK too so U.S based only isn't all that great.

Hi @rjlemmon,

It seems like Enterprise Connect has a pretty good feature set. Is there any reason that Apple has opted to not include this in the base operating system or even make it available via the Mac App Store?

My biggest question about this product is it's potential usefulness in terms of DEP deployed Macs.

The biggest thing holding us back from a DEP implementation is AD integration. We have many remote users who would be unable to connect to the domain to create mobile accounts. Even for users on our domain the initial account created is still a local account so there would still be some polciy magic involved to switch them over to a bound mobile account.

Would this allow us to deploy using DEP and offer our users all of the benefits of using the AD credentials without actually having to bind to our domain? How exactly does this handle the linking of their local account with their AD account? does it enforce our AD password requirements on the local account as well or would that still have to be managed by profiles?

@bpavlov

The price is over $5K so it's really not suited for the App store.

+1 for @bpavlov's question. As it's purpose is to improve AD integration, I'd be interested to hear the reasons why it's not included in the OS by default.

@bpavlov, @rjlemmon may have a more direct answer for you, but from the presentation I attended on Enterprise Connect, although it wasn't stated explicitly, I got the distinct impression this tool was born out of the need the Apple enterprise support team felt was needed from listening to what was probably years of complaining from customers about how poorly Apple's OS works with AD and other LDAP environments.
All this is to say that it doesn't sound like Apple's upper management is interested in integrating this into the OS at this time, but gave the enterprise support folks the freedom to create, develop and promote this tool to help address this need.
This is all just speculation based on "reading between the lines" if you will. It was what wasn't said on the call that spoke louder than what was mentioned.

@hkabik We are in a similar boat. I don't anticipate ever being able to convince management here to move away from cached AD local accounts for our managed/company owned Macs. DEP makes that very challenging because of how its designed around setting up a local account. DEP is really more about using the OS OOB and getting it enrolled into management, rather than getting them joined to AD or using AD accounts.
While I can see the possibility of it still being done to use AD, boy it would be incredibly tricky. Policy magic indeed!

@bpavlov - Enterprise Connect is a product of Apple Professional Services. Please file a feature request or a bug if you’d like to see it added to the operating system or distributed in the Mac App Store.

@hkabik - In your case, you'd use Enterprise Connect after you've gone through setup via DEP and make a local account. You'd use a profile to manage password policy on this local account. You'd then launch Enterprise Connect and sign in with your AD account. Once you did this, Enterprise Connect would get you a Kerberos TGT, check your AD password, etc. Enterprise Connect does nothing to make your local account a mobile account - it just lets you do some AD type things like Kerberos from a local account.

@hkabik That may be the price, but it doesn't answer why it's not included in the base OS. Obviously Apple has support for other standards widely used in enterprise already built-in to OS X so why not include this in the OS? From Microsoft, I expect them to break out feature sets by having different versions of Windows. But I don't expect that from Apple. I'm sure there's a good reason though.

I'm responding so I can be updated on the thread as more info comes in.

@rjlemmon Can I just say it's awesome to have Apple reaching out some more about this.

Peter Beninate also opened an #enterprise-connect channel on the macadmins.org Slack.

But I'm sad at only US & echo @bpavlov's comments that this should be in the OS.

I'm one of the maintainers of ADPassMon, which was written to overcome some issues that EC would address.

"Account management: Enterprise Connect notifies your users, via Notification Center, when their AD password is about to expire. They can change their AD password right within Enterprise Connect.
Network shares: Enterprise Connect can mount network shares, including your AD network home and any other SMB or AFP shares you'd like to mount."

I'm afraid these features aren't too valuable. Current AD integration allows for password expiration message upon login. Mapping drives automatically is pretty simple.

Unless it allowed for me to manage specific variables on the mac (group policy style), I don't see the value. 5k for this? Sounds like a money grab to me. This kind of stuff should be included in the base OS.

I supplied feedback at http://www.apple.com/feedback/macosx.html to have this included in the OS. If I should be supplying the feedback somewhere else, please let me know. Thanks @rjlemmon for reaching out to the community like this.

@tnielsen

I'm afraid these features aren't too valuable. Current AD integration allows for password expiration message upon login.

Yes, because Mac users log out and log in all the time, don't they.
Sorry, but while I agree maybe this shouldn't cost $5k, being able to be notified of pending password expiration while logged in is not exactly useless, so I can't really agree with you there. Also, it shows you your account information within a menu item, so its pretty handy for users to be able to access this.
Lastly, I got the impression professional services is open to adding new features to the product as they go. Its kind of new.

Yeah, I'm really going to have to see this thing to get my head around what the $5K value is. I'm not seeing anything I don't already get from ADpassmon, Kerbminder and some very simple scripting.

I'm not writing it off at all, I'm just not quite getting it yet.

One way or the other I think it's great that Apple is actively communicating with us on something that has been a bit of a mystery to a lot of us. Thanks! Can't wait to hear more about it.

@hkabik Those of us whom write those tools you mentioned (& glad you use them :) ) would be happy to see this as an OS feature... we'd probably still tinker.. but the need would be lessened.

@bentoms

We'd hate for you to get bored. ;)

Plus I like your price tag better than their's so far. :P

In all seriousness your fork of Adpassmon was world changing for password management here... so while I'm all gung ho for an Apple product to retire the need for your extra curricular work, WOW am I appreciative for the work you've done.

All, thanks for all of the questions and feedback. I'm responding as quickly as I can, so please be patient :)

@tnielsen - It is true that current AD integration allows you to change your password at login. However, this depends on two things. First, your user must actually log out and log in to be prompted. Many users don't do this on a regular basis. Logouts consist of closing the lid and logins consist of entering a screensaver password. Also, the user must have a network connection at the login window for this to work. Unless you are using Ethernet or system level wi-fi authentication, many users won't have this in place.

Regarding network shares, there's a variety of ways you can mount network shares (login items, scripts, etc). Enterprise Connect is different in that when these shares get disconnected, like when you leave your corporate network, Enterprise Connect automatically remounts them when your network comes back online.

I should also add that Enterprise Connect is delivered as part of a Professional Services engagement. The price is $5500 and includes 2 days onsite with one of our engineers. Travel and expenses are included as well. During this engagement, we test Enterprise Connect on your network and make sure it is working properly. Some customers have unusual AD configs, etc that we need to adjust for. We also give you a "deep dive" on the tool itself, help you decide how to deploy it, etc. With any remaining time, we can help you work on any other issues or questions you have about your Mac deployment (as time permits).

@hkabik Thanks! The recent merging was largely the work of Peter Bukowinski & @ftiff has made massive changes to KerbMinder to improve things even further.

Stuff like this, might get re-jigged to be apart of the suite at sometime too...

Well that was one plan.. the other is to get EC into the OS then we can work on $theNextThing

The professional services angle clears it up for me. Perhaps lots of feature requests would get the attention and interest of Apple management.

And just to repeat the link... http://www.apple.com/feedback/macosx.html

@rjlemmon Thanks for the look into this product.

It would be nice if the product could be made available "as-is, with no support or guarantee of usability or functionality" for those who want to forge ahead on their own without the professional services engagement. I do get why that might not be likely, though.

Of course, having the software integrated into the OS would work as well. :)

Thanks @rjlemmon, it's great to see Apple opening up their communication with its community !

I first heard about Enterprise Connect two weeks ago and almost thought it was a scam :-)

I'd love to see it in action. As I'm in Europe, I extended a bit pmbuko's KerbMinder to make it work without being bound to AD. I hope we will integrate things a bit further and involve the community to make something better, @bentoms has a good idea here.

I cross my finger to have EC released someday either in open source or in the OS.

HI @rjlemmon , Remember your name from a few years back, at a company where we used some Apple Pro Services---
Nice to see you're still at Apple.

Does free users from needing computer objects being created in AD?

So far, it seems like the solution is best deployed in a DEP environment, but is there something that makes it worth using in an environment where we are used to binding? (I know Apple is pushing DEP big, but not every solution is necessarily benefited by it).

I also echo what others have said about it being open source and/or part of the base OS. I dislike the lack of information about it out there, but appreciate that you are reaching out.

@kstrick - Wow, that was quite awhile ago, good to hear from you!

If you use Enterprise Connect on an unbound system, there is no need to create a computer object in AD. There's also no process you need to go through to bind it to a domain. You just feed it a domain name, AD username and password and you're good to go.

If you use it while bound and logged in with an AD account, it ensures you always have a Kerberos ticket when you're on the corporate network (wi-fi and VPN included), you get notifications when your password is going to expire, you can use Enterprise Connect to change your AD password, and it eases the management of network share points.

@rjlemmon Hi. I sat in on a demo of Enterprise Connect about a month back, and one of the things I recall about it seems important to mention on this thread. In relation to what you posted with:

You just feed it a domain name, AD username and password and you're good to go.

If I recall now, most of the same holds true for when using it on an AD bound Mac and logged into a cached AD mobile account, meaning, you still must feed it a username and password to configure the application (or is it only the password now, I can't recall) But essentially, it will not read the AD account's information and automatically just work. The client still must enter their credentials at least once to configure it for use with their account. Correct?

I do seem to remember that it has the ability to accept Configuration Profiles for setting up some of the items though. Maybe that's something you can elaborate on a little when you can, since I'd imagine many folks here would be interested in hearing about the configurability of the application. We're all about automation here after all.

For those who are interested... My Apple Rep mentioned that they are having a call next Friday the 13th to go over Enterprise Connect with a Q/A session at the end.

@mm2270 You're correct on both things. If you're logged into your Mac with an AD mobile account, it'll pick up the username and domain at first launch. The user just needs to enter their password and sign in. They don't need to sign in again unless their password changes or there is some problem with their AD account. For the most part, once its set up, the app runs in the menu bar and does its thing without user intervention. Users will just see the color of the app's icon change. It's yellow when your Mac isn't on the corporate network and green when it is.

And yes, the application can also be configured with a configuration profile. You can configure most settings using the Custom Settings payload of a profile. Casper does a great job of deploying this profile. Yes, EC does the right thing when a setting is configured with a profile - the configured settings get disabled in the UI so the user knows they cannot be changed.

Speaking of automation, Enterprise Connect can also execute a script whenever it goes through its connection process. We intended this to be used to audit a system prior to connecting. Think of something like host checking in a VPN client. For example, you could write a script to check if FileVault is on. If it's not on, and the script has an exit status != 0, Enterprise Connect stops the connection process, tells the user their system isn't compliant and to call the help desk. Really though, you could make the script do whatever you want it to. The only catch is that the script runs as the logged in user, so you can't do anything as root.

Bonus item - the app is also AD site aware. EC chooses a random domain controller when doing a site lookup, but once EC has determined your site, it uses local domain controllers for LDAP queries, Kerberos, etc. Again, your Mac does not need to be domain bound for this to work.

@ShaunM9483 Correct, we're running a WebEx on 13 Nov on Enterprise Connect. If anyone would like to learn more and get the information for this session, please email me at "jay" "eff" "enn" (sound those out) @apple.com and I can get you the registration link.

I'm also happy to provide an introduction to your account team of you don't already know them.

@jarednichols @rjlemmon It would be fantastic to see this outside of the US soon. I spoke to our Apple SE here about Enterprise Connect as we currently develop our own tool to perform these functions. If there is anything we can do to help untie it from Professional Services as we do not have this service in Australia please point me in the right direction. I know that many other Universities here would be interested based on the discussions we have had around our in-house tool. Is the WebEx available to people outside the US?

I also share @davidacland and @bentoms views here. This should really be part of the OS especially if new deployment methods are to use DEP (which I prefer!).

Wow!! This really needs to be included in the OS or at the very least made available outside the US.

I agree that it'd be nice if it was included in the OS... but there's enough uniqueness in everyone's AD deployments to make that troublesome. I've got my fingers crossed, and I've emailed to get in on the WebEx.

@rjlemmon How quickly will Enterprise Connect expected to get updated after a major OS release? Is the expectation within days or quarters of the release of something like 10.12 for example.

Does EC do anything for keychain issues for bound systems?

Very happy to hear Apple are developing in this area and would love to see this built in and to be made available "as is" for us all to try it out.

All,

Thanks a lot for the feedback so far.

@cwaldrip We've been staying on top of OS releases. For example, with El Capitan, EC was ready to go well before it shipped. That's our goal going forward.

@psmac It depends. By "keychain issues", I assume you're talking about the Keychain password falling out of sync if a user changes their AD password somewhere other than their Mac. If a user does this, Enterprise Connect won't get the Keychain password back in sync.

However, if your user either uses Enterprise Connect to change their password, or uses a local account + Enterprise Connect, you should be okay. If you use EC to change your password while logged in with an AD account on a bound system, EC will change your AD password, mobile account password, FileVault password and the password for your default keychain (usually login). Using a local account sidesteps the issue entirely.

I think I understand some of what Enterprise Connect is about now after reading this thread and a previous one from back in June. We are required to bind every computer to AD, and we get all our password expirations taken care of with ADPassMon. You say it can be used to mount AD Network home shares. Can it also mount all the network drives (H: M: O: Q: R:...) the users would see if they logged in on a Windows PC without the user having to know the server path? Unless there's some other magic going on behind the curtain, I don't see how paying $5500 for this tool would benefit us.

And why the secrecy? Why is there no public facing webpage to explain this product?

Does EC still not change the password of a local non-AD account when the AD account password is updated through EC? If not, is this in the roadmap or something that could be added as a one off to the product during an onsite?

@rjlemmon Do you offer EC for Education? If not, do you have any plans?

Rick will need to respond, but I was not under the impression that by "Enterprise" it meant not for education. I can't see why Apple would exclude education from being able to use it.

Of course, the price tag may make it a little harder to swallow for smaller EDU environments. Maybe not as much for higher ed.

@Eigger , @rjlemmon can probably confirm this, but Apple came out to Boston a few weeks ago and did a "what's up and coming" from Apple to Higher Ed. It was all college folks there and we were all introduced to DEP, VPP, & EC and asked to reach out to our reps to get on the list. We haven't gotten pricing on this yet, so it is not clear if edu will get special pricing on it. My guess is everyone will pay the same price via Apple Professional Services.

@AVmcclint Enterprise Connect can mount a list of shares upon connecting to the corporate network (ethernet, Wi-Fi, VPN). This can list can be entered by the user or pre-configured by IT.

Does it get the list of shares by processing the login script defined by Active Directory? or would we have to manually edit the list for each and every user?

@AVmcclint Enterprise Connect does not process a Windows login script. You need to write the share paths to a plist - this can be done programmatically. If you already have the logic written in your login script, you just need to convert that to a shell script which writes the share paths to the plist.

ideally what we are hoping we can do is enter the smb mount point of our DFS server into EC. Which would be the same for everyone. The actual shares are configured in windows server per user (or AD security group) We've been working towards this (DFS) for a couple years, because to my knowledge Mac & linix have no way of parsing a windows logon script (without the help from $centrify) Unless Enterprise Connect can do this? We are currently a 60% Windows & 40% Mac environment so I'd rather not replicate all of our shares in Casper.

@rickwhois I have a script that looks up the group memberships a user belongs to and performs if then mounts based on said memberships if you're interested.

@geoffreykobrien sure, i could always use more scripts! thanks!

We took delivery of EC last week. As we got towards the end of the year, and had extra budget money left over, it was an easy sell to save me time doing other things. We looked at it not as $5500 for the App, but really as just PS time.

@rjlemmon Hey, I tried talking with my account rep and she has no idea what I'm talking about. Anyone specific I should contact with questions?

very interesting development; Enterprise connect.

For those that are using this technology, it only works with local accounts?

Or integrates into AD/OD centralized management accounts on the Mac systems with regards to kerbinization and password syncing (similar to say ADPassMon/Kerbminder combo that others have mentioned)?

I sent a email to consultingservices@apple.com, haven't heard anything back yet. Our Jamf/CS rep did state it was legitimate, and sounds pretty cool overall.

But as with all things Mac... proof is in the pudding.

Thanks

Also posting here to see updates, would be quite interested to see this in countries other than the US and as a stand alone app not needing the Apple pro services visit.

This is the first time I read of any of this. It sounds interesting. Our Macs are currently bound to AD using the OS's AD plugin. We bind them as part of the Casper Imaging process.

One of my biggest challenges is getting our Mac users to change their AD password before it expires. They don't log out, no matter how hard I try to convince them to. Because of this, they don't see when their password expires, and we get situations when it expires while they're out of the office, and they're stuck for a while.

Secondly, after they change their password, we get those annoying "Local Items" keychain prompts that never go away unless we manually delete that folder from their ~/Library/Keychains folder and restart.

Our passwords expire every 90 days, and people never remember what they need to do to reset them.

Will this tool get rid of those "Local Items" keychain prompts?

So itupshot:
This might not have all the answers but sure helped me a lot http://www.jamfsoftware.com/resources/getting-users-to-do-your-job-without-them-knowing-it/

@geoffreykobrien I'd be interested in taking a look at your script as well.

I have looked into ADPassMon, but I'm still not sure it'll help us get rid of the "Local Items" keychain issue.

@KDE82 Thanks for the link. That was a great presentation. I'm going to see if the GitHub for it is still online.

@itupshot if a user forgets their old keychain password.

ADPassMon will reset their login.keychain & delete their local items & then restart their Mac.

There is some more work to be done, via adding some features from keychainminder

Is EC available to US customers that have a worldwide presence? Are there any restrictions on its use outside the US?

What about use with multiple AD forests/domains? Is that handled when professional services configures it?

Based on the first post on this thread, one of the last sentences:

Enterprise Connect is only available to USA based customers

Emphasis is mine.

I think some of the Apple folks would need to confirm, but I read that as limited to companies that have their main headquarters in the US, not necessarily that it can only be installed in US locations. At least I would hope that's the only limitation, since many companies that could use this would be in the same situation; US based, but have offices in many locales around the world. It probably has to do with the on site professional services visit to get it set up.

For a non-bound Mac with a local account, does EC allow a user to print to a Windows print server without authenticating? I'm trying to figure out how to get away from IP based printing.

Also, for those posting to get updates on the thread - you can instead add a bookmark by clicking the plus sign at the top right and you'll get all email updates. :)

chris

I will also be very interested in EC once it's available to higher ed.

Does anyone have any updates on Enterprise Connect? Has anyone purchased and implemented it? What are your opinions?

Hi Matthew,

I purchased it and implemented it.

The “purchase” was more a 2 days contract for Apple Professional Services. The actual setup lasted an hour. APS engineers are very knowledgeable and super nice. Enterprise Connect doesn’t modify your infrastructure.

If you have a 'standard' AD setup, EC should integrate very easily. Otherwise, the 2 days might come in handy :)
If you want to test before, download and install KerbMinder. If it works straight away, chances EC will work too.

To be honest, in my case, EC wasn't better than KerbMinder, and I lost the possibility to tweak it myself. But the EC team is great and you get great Apple support.

Hi ftiff,

Have you tested how well it works for unbound machines?

How do your users like it?

Are there any features that you know Apple wants to add to the product?

Hey @mlavine

Yes, we use it exclusively on unbound machines.
Our users barely notice it. To be honest, they don't care. They have single sign-on, that all they want to know. Yes, I have quite a few features I'd like to add:
- remove the GUI, it's not needed and users don't like to have lots of icons in the menubar. It feels like windows
- push username and realm from a profile
- use AD login and password from the one entered in SetupAssistant. I hope this will come if it ever become native to OS X
- open a per-app VPN to get the kerberos ticket when outside of corporate network

But again, it works great.

I work in government. Would this work with PIV/CAC enabled accounts? Can this support PIV/CAC logins to network shares, etc. How would that work with remote users? I can use via VPN.

This part is directly at Apple person that posted this. Please bring back PIV/CAC support in the OS natively. When it was dropped Macs in government were not that much. Nowadays, Macs are infiltrating at an exponential rate. Eliminate the 100% need for me to bind the Mac to AD and there will a whole lot more real fast. Yes, I have put feedback in on Apple page. I am just trying to get this heard wherever I can.

Does this tool work only with AD domains or does it also work with OD ?

Why not just use Centrify? We use it as we purchased it prior to Apple releasing this but you can manage it all through GPO's, SSO, etc. Havent looked at pricing between the two but almost everyone from a security perspective knows Centrify.

https://www.centrify.com/

https://www.centrify.com/products/identity-service/mac-management/

So far as I remember there is a significant price difference, but I don't have all those numbers off hand!

-ignore-

@rkovelman Centrify is about $90/seat IIRC. How much does the Apple Enterprise Connect cost after the $5K integration? Maybe the cost of EC would make the difference for certain organizations.

@bradtchapman Enterprise Connect is just the one-time professional services fee to configure it. It's also supported by Apple Care OS Support, so that's a plus too.

@bradtchapman As far as I know you only pay once for Enterprise Connect and that is the initial $5500.

You get what you pay for. I haven't seen it but FWIW people have given it bad reviews online. Still too new and missing too many functions.

From the standpoint of EC is really 2 days of professional services with Apple and an App that would probably help in your environment, the cost is pretty low, IMHO. What functions are you looking for??

@rkovelman bad reviews online? Where exactly are these reviews you're referring to? Given this isn't something sold on the MAS or other public channels, I'd love to see such "reviews". Especially since as you say, you "haven't seen it" Or is this the old "I read it somewhere on the internet so it must be true" meme?

We have purchased EC and had Apple add the ability to sync the AD password with the local password as this was the real issue keeping us from using the product. We are still in the development phase but we plan to reengineer our whole password policy and account enforcement around this app. It doesn't do everything but it is simple, lightweight, inexpensive, and being actively developed.

What i'd really like to see a Keychain remediation feature built-in to it, like ADPassmon...

That would be nice, for sure. Until then it can fire off a script when a password change is made and you could do that now for the keychain items you want. They have an example script posted. We are using that script to post the new creds to our password sync took website.

While it would be nice for the Apple Professional Services team to fix the Keychain issues, I don't think it's fair for them to do the job of a different internal Apple team..

Insert rant about how the the keychain issues should have been fixed years ago and that if somebody in Apple could write in "normal" english 3/4 of everyones tickets including Apples would disappear if the pop up sync window just said please enter last password. " Got to love that Apple ease of use"

C

I couldn't agree more with @gachowski's comment above. Its utterly astounding that that dialog has not been revamped by now. Its the single most confusing dialog Apple has in their OS and bafflingly continues to have in there. I can only imagine how many complaints Apple has received over the years about this and they've yet to change it.
But, you can bet Apple will have designed some new system font for 10.12, or recreated all the apps icons or something, because, you know, that's actually what's important after all.

I just sat through the Web Ex on this and it seems that it can be boiled down to a few things:

• The cost is really going towards having an engineer onsite for 2 days
• It helps sync local items (keychain) to what the AD password is
• Reminds to change AD password without logging out
• Maps drive
• Can trigger scripts to run

It doesn't necessarily seem like a game changer or a magic bullet, but a nice little in-between for the computer and the domain controller.

Anyone that has purchased this at their organization verify this? Is there a solid benefit in implementing this?

@CorpTech EC does not directly sync local items with the AD password. What it can do is run a script after an AD password change. They have an example that prompts the user for access to the EC keychain item thus retrieving the password and from there you can script updates to keychain items and other things. All of the other items are correct.

@iJake is that scripting process and creation where having the engineer onsite comes in?

@CorpTech Yes, they would definitely help craft those with you.

@mm2270 Do some googling and you will come across it...If you ever want to find negative reviews on a product the internet is littered with it. Looking for a good one, not so much.

We purchased EC and use it on all of our Domain bound Macs. Our users seem pretty happy with the tool as it syncs the Keychains with the AD password at time of password change with out having to logout and log back in. I also like the fact that if you are not on your corp network it will give you an alert saying to connect to corp network first before trying to change your password. It also mounts the network drives after the login has happen and the user gets control of the screen, so this doesn't tie up or slow down the login process, which I have seen when trying to map drives at login. Furthermore, it gives a nice pop up in the notification center letting users know their password is going to expire.

The only thing that we still have issues with is Macs falling off the domain rendering EC useless. So I wrote a long script that checks if the machine is bound to AD, if the AD keychain is present, and if the machine is actually still in AD. If any of the test fails. It launches my AD binding policy to rebind the machine to the network. I have this script run once a week on all machines.

Hope this helps out!!!

Shawn Goetz

Hey @sgoetz

Not sure if this will help, but you can look into the password interval for dsconfigad. From what I understand by default, unless you change it, the Mac will change its Machine AD Password every 14 days. You can change it to 0 (never changes) or to a longer interval. Something to consider.

dsconfigad -passinterval 0

I'm guessing if the password change fails it becomes unbound.

So if I have read through all of these comments correctly, if password changes are done through a service external to the Mac, the Keychain still gets locked and I still have to walk my users through deleting their keychain and restarting to create a new one?

When is Apple going to scrap the keychain? It's a festering pile with no redeeming qualities.

When is Apple going to scrap the keychain? It's a festering pile with no redeeming qualities.

The Keychain concept is a valid (dated) consumer feature developed by a Consumer Electronics company.

As admins for Enterprise users, we will always be circling the consumer features trying to engineer solutions to bend them to fit our needs.

It wont be easy to drop Keychain as everything is stored in there, including the Kerberos ticket and password. Keychain I would hope after 15 years or whatever is a hardened app, its just trying to figure out how to "mess" with it to do what you need it to do.

@rjlemmon Can you give me a number to call? I seem to be getting bounced around at Apple inc.

Can anyone?

@Mhomar Call your Apple sales rep, they should be able to get you squared away.

I've called and emailed as well and have never been able to get anyone at Apple to contact me. Considering that we are a huge enterprise company - and we PAID for a Readiness Review 2 years ago (we received the report, but my requests to schedule the actual presentation were never returned) my management is not very happy with Apple. We keep getting reassigned to different reps and engineers and basically it is a fight just to allow Apple products in the environment. If Apple really wants to start supporting their enterprise customers, then they might want to actually start supporting their enterprise customers.

@pwb is the guy to contact.

Hey @jason.bracy. Sorry to hear that. Shoot me an email. pwb at apple.

@jason.bracy: I will send you an email directly. Sales team do get moved around as in every organization but the Apple PS team is still here to support you. Larry who performed the Review and Tracy M. are still available anytime you need help. Obviously Peter who responded is also on our team. Thanks. JD Mankovsky - Sr. Manager - APS

Thanks @jdman

@pwb would it be possible to send more information about Enterprise Connect?

I've contacted the Business Team at the local Apple Store and let's say.... they had no idea.

@chad.fox Please send me an email to lrc at apple.com and I will send you over more information.

Thanks
Larry

An Enterprise Connect Demo is scheduled for next week.
Thursday, June 2, 2016
2:00 pm | Eastern Daylight Time (New York, GMT-04:00) | 1 hr

Register
After your request has been approved, you'll receive instructions for joining the meeting. Note: if the Registration site asks for a meeting #, use: 740 248 728

I don't think I'll be able to watch much of this as it conflicts with another meeting I have scheduled.

It looks like it would be a fantastic solution to add to our environment, except for the price tag that's inexplicably on it.

Apple Enterprise Connect Demo 13
Tuesday, July 19, 2016
12:00 pm | Eastern Daylight Time (New York, GMT-04:00) | 1 hr 15 mins

Register

After your request has been approved, you'll receive instructions for joining the meeting.

@lcutrell Please send more info about Enterprise Connect.

Thank you, @dstranathan for notifying us about the demo today.

Thanks! Any chance for a recording or another webinar? By strange demands on my time children I missed it.

@dstranathan I wasn't able to make that demo today, can you share how you learn about such things? I'd like to participate in a future demo. Contact Apple Rep or is there a better way?

I missed it too. Had to put out a couple fires (not involing Pokemon Go, I swear).

Ill ask my Apple rep about the next demo.

I think if you signed up for the demo, you should get an invite to the next one... or at least I did : )

C

Hoping for another demo myself. Placeholder... @rjlemmon Thanks!

We purchased EC and have been playing around with the configs a bit, a couple of things we learned.

EC works better when changing AD pw's directly against a dc. We us a web portal for the users to login and initiate a pw change that eventually filters down to AD. We knew going into the purchase we couldn't use EC to change a pw directly, but it does pick up and alert the user when it detects the AD pw is different than the EC pw, and prompts for change.

Because we do not change the pw directly in EC, we miss out on it updating the keychain passwords, and I think even the FV2 pw. We are still trying to see how we can interject a script to run during that prompt for password update, but it as of now it appears the only scrip triggers are at network state change or password change.

Hopefully we'll have more time to finalize this in the next month or two, I'll update the findings as we go along.

@pwb , would it be ok to post/share the Enterprise Connect documentation for people to review?

@dave I assume that portal exists because there are other directory systems than need passwords changed so the portal acts as the sync tool? We have a similar situation. I wonder, though, if you could do as I have set up that we change the password with EC but then use that trigger to run a script that posts the new password to our portal so we can sync the new AD password to the other systems.

@iJake Correct, our peoplesoft/idm environment serves as the master and changes flow down to AD. I'd be interested in more details of how you're doing that for your env. Our portal has 2 factor auth in play, so it might be a whole new level of fun.

Oh, I forgot to mention that EC has us looking at switching from domain account logins to local again, with EC managing the pw sync to the local account. We've lived a nightmare of keychain issues when the AD pw is changed and users can't unlock/sync up their keychain properly. Also with so many wireless users, and our wifi requiring auth, which is not available at lockscreen, they were in a world of hurt if they changed their pw and couldn't wire into the network to login afterwards. Hoping the local account will alleviate some of those pain points.

@dave Oh lord, two factor would be...fun? Is it just username and then the token for auth and then asks for the new password? Or does it need token, old password and then new password? Theoretically possible to prompt for that first factor and post it for them but not sure how worth it it would be. I would highly recommend using local accounts and having EC take the place of AD with password sync on.

As far as our portal, its just AD auth and once you're able to log in it will then trigger the sync. So, for me its just a simple http post. I have a loop that keeps trying the new AD creds against that form until it gets back a good result. It will bail if it tries too many times, though.

Hello!

The company I work for is looking to deploy EC in the near future to address pw management, kerberos/dfs issues.

We just rolled out Cisco ISE and I wanted to know if anyone could confirm that EC does not conflict/functions w/ Cisco ISE.

Thanks in advance -

Hello,

We incorporate EC on all our MACs here. Once a user changes their password, they are prompted for commserve login? The prompt only accepts his old password. Any ideas?

@bbracey are you using AD accounts? Or are they local accounts?

These are AD accounts. The accounts on the Macs are managed and mobile. Is there anyway to confirm EC changes all the necessary keychains?

@Ease Did you find your answer as I am in the same boat

Lots of questions on keychain cleanup after password change.

EC can is able to run a custom script (of your choosing) after a successful password change. Rick includes some sample code that this really cool guy named Jeff gave him. :)

It may not suit your environment exactly, but it can give you some ideas of what you can do.

EC ROCKS !

@DA001KL I spoke to an Apple engineer:
""Can't see how. It's Mac to AD. ISE either works or doesn't. May need password change script via EC to keep keychain up to day for wifi if using PEAP 802.1X authentication.”

I also spoke with a senior network engineer and since ISE uses certs and draws from AD there should be no issue.

Lastly, EC has already been deployed in enterprise environments that also use Cisco ISE authentication.

Hi @Ease

If you want to take it offline about ISE I can assist ands you questions about ISE integration. Are you doing the integration through the jSS?

Does anyone know if this works with Azure AD Directory Services? Has anyone implemented this with Azure at all? It seems as though there is very little information on this solution. Thanks

@ice2921 - Just stumbled upon this, looking for updates to this exact issue. The short of it is no, Enterprise connect doesn't support AzureAD integration; at all. I was hoping to see functionality similar to Windows 10 where I could log in with Azure AD creds on the OS but alas, it's not there. I spoke to both MS and Apple about this and the onus is on Apple to develop the solution. From what I was told from Apple, this isn't even roadmap. To save you some time, I also tried falling back to LDAPS served from AzureAD and enterprise connect wouldn't even leverage that. It's unfortunate but hopefully things change.

@rjlemmon We purchased Enterprise connect almost a year ago and I am wondering if there are any version updates to the App. The version we have now is 1.6.1 (4)

@lgt28jr : Your should be reaching out to your Apple business rep for updates. ;-)

The current version is at least 1.6.4.

@lgt28jr You should be receiving emails from the Apple Professional Services group when updates are available.

After we went through the required two-day onsite for the purchase we gave them our email addresses (actually a mailing list in case we ever need to change who the contacts are) and we have received emails for every version update since we purchased it, which is about a year ago for us as well.

Thanks I thought we did the same. About 10 minutes after posting this I received an Email from Apple Professional Services with the latest update. How's that for service wow!!! I also gave them an alias to use so this has been resolved.

Next EC demo Monday, May 15, 2017:

APS Enterprise Connect Demo 25
Monday, May 15, 2017
10:30 am | Central Daylight Time (Chicago, GMT-05:00) | 1 hr 30 min

http://tinyurl.com/ECDemo25

Hi Everyone!

So I'm working at an enterprise company that deployed EC a few months ago. What we're noticing (especially for remote users) is that if their Mac has fallen off our AD domain, EC will log in but will not allow a domain password change. If we re-bind the Mac to the domain (connected via VPN, of course) EC will allow a domain password change.

Any ideas as to what might be causing this?

Thanks!

This is the expected behavior of EC. The domain must be accessible to perform a password change.

Right, but from the original poster:

"It works great if you are bound to an AD domain, but again, there is no requirement to bind to the domain to use it. It works great from a local account on an unbound system."

Unless the "local account" is the key, we use AD accounts here.

Thanks!

Directory "binding" is not required, however, the directory must be accessible and directory authentication available. Two different things here.

Is there currently any way to hide the Enterprise Connect icon in the menu bar? Even with Bartender (https://www.macbartender.com/) in use, it remains persistent.

@rjlemmon - in your initial post, you stated

It also enhances AD integration for Macs that are domain bound and have a user logging in with an AD account.

But that was a couple of years ago. Is that still the case? Or is the recommendation by Apple, that when using EC, to not have your machines bound to the domain?

We are using Apple Enterprise Connect at my place of employment. Let me just say this... it's a god-send!

It allows me to deploy DEP enabled Macs to my end-user community and still have those same Macs get bound to Active Directory and leverage kerberos authentication as well as password synchronization and password expiration notifications.

Here is my workflow (more or less) for those who are interested in my zero-touch deployment...

1. Order DEP enabled Mac
2. Power On
3. User logs in with AD credentials
4. JAMF agent gets deployed
5. System reboots
6. FileVault encryption is enforced
7. System reboots
8. JAMF wraps up deployment (this includes a hostname change to meet NetBIOS 15-character limits, VPN client and Apple Enterprise Connect)
9. The user connects to VPN
10. The user clicks a "Bind to AD" script within Self Service
11. The user logs in with Apple Enterprise Connect

We are still working on automating the last few steps. My proposed automation goes a little something like this...

1. Order DEP enabled Mac
2. Power On
3. User logs in with AD credentials
4. JAMF agent gets deployed
5. System reboots
6. FileVault encryption is enforced
7. System reboots
8. JAMF wraps up deployment (this includes a hostname change to meet NetBIOS 15-character limits, VPN client and Apple Enterprise Connect)
9. The user connects to VPN
10. JAMF detects a network state change
11. Some scripts run to test the validity of the connection
12. AD binding takes place behind the scenes
13. Apple Enterprise Connect is then presented to the end user for final login

Anyway - Apple Enterprise Connect is awesome. It makes conception a wonder and child birth a pleasure!

@cainehorr I'm running on little sleep so bear with me but I'm not clear on how your process works at the beginning. How does the DEP enabled Mac let you log in with AD credentials if the Jamf agent isn't installed yet? At what point does Enterprise Connect get installed? I've never used it so I'm not familiar with the details of it although I caught part of a demo once.

@jhuls

Your primary question: How does the DEP enabled Mac let you log in with AD credentials if the Jamf agent isn't installed yet?

1st - If you have JAMF configured to use DEP, then all your Macs and/or iOS devices will receive the JAMF client as a part of the DEP enrollment process.

2nd - My users DO NOT log into their Macs using Active Directory credentials - they log in with local user accounts.

3rd - Apple Enterprise Connect gets installed as part of the JAMF deployment process.

4th - Users connect to the network either locally or over VPN. Users then log into Apple Enterprise Connect using their Active Directory credentials. This is where the kerberos authentication takes place. Apple Enterprise Connect also synchronizes the user's local user account password with their Active Directory account password. The user's local Mac keychain is updated as a part of this process.

Hope this clarifies. ;-)

@cainehorr Thanks but that falls in line with what I already assumed. In reading the workflow you mentioned above I didn't read it the same way though which is why I asked. You mentioned the user logging in with AD credentials before the jamf agent was installed. Did I miss something there?

At any rate there's been some thought put into using it. The biggest issue I've been told that it might not be best for us is that it's not designed to be used with multi-user systems. Most users have their own system but there are a few used by multiple people.

@jhuls

Ah - I see the discrepancy that is tripping you up...

Let me clarify...

When you deploy a DEP enabled device, the user must authenticate before the remainder of the initial Apple setup process will continue. This authentication process takes place either through JAMF's internal user directory or another directory service (such as LDAP); in my case, Active Directory.

DEP then calls home to Apple. Apple recognizes the devices as belonging to your company. Apple also knows what your MDM solution is. Apple calls home to your MDM. MDM confirms the username and password via your directory service. Once authenticated, your MDM tells Apple that all is well with the world. Apple reports back to the DEP enabled Mac and Bob's your uncle. It's essentially a cloud-based version of "Golden Triangle".

Here is where your missing link resides...

Once authenticated, the Apple setup process will continue and the user is prompted to create a local user account on the Mac... The username and password fields are already filled out using the credentials as submitted to DEP, but even though they "look" like your AD/LDAP credentials, they are actually just being applied to a local account.

Take note - the user can still change the local username and password at this point...

Once the user submits this info, the Apple Setup process creates the local account and the desktop rears its head.

Once Apple Enterprise Connect (AEC) is invoked, the user types in their network (LDAP, AD, etc.) username and password. AEC guarantees that the local account (regardless of username format) and the AD/LDAP account passwords are synchronized. And because AEC is now active and logged in on behalf of the network user, your Mac acquires a kerberos ticket granting ticket.

Hope this further clarifies...

So as you see, my workflow is sound... Until now, I hadn't broken down (in detail) the relationship between the Mac, Apple (DEP/APNS), and the MDM.

@jhuls

As for multi-user systems - I can't speak to that as I have not personally had to deal with that in my environment.

That's a great question for @rjlemmon (Rick Lemmon)

@cainehorr Ah, ok...that's making more sense now and, again, falls in line with what I know. Your terminology stating they logged in might be more accurate to say authenticates with AD credentials. It also threw me because we don't have authentication enabled for DEP Macs here. I simply forgot about that feature.

Either way all is good...thanks for getting back to me. It would be good to hear from someone on the multiuser aspect. I received that information from an Apple engineer but he wouldn't go into more detail other than to say that EC might not be a good solution for us.

Does EC require JAMF to configure for a single workstation?

@fseaton Enterprise Connect is configured by Apple professional services in a 2 day visit.

For just one workstation I'd look into NoMAD

https://nomad.menu

I agree nomad is the way to go.

Thanks for the quick replies. I guess I should have given more background.

We have multiple Macs, and our central IT is "purchasing" professional services from Apple to configure EC, so we will have access to EC. The question is still whether JAMF is required to configure it as we don't use JAMF to manage the few Macs we have in our area.

thanks again.

Jamf shouldn't be requried to config EC. If anything it's configured by a Plist which you could drop or install on each machine.

An MDM is not required to deploy or configure EC. EC may be configured manually or by way of a shell script. Use of an MDM (including Jamf PRO) simplifies the deployment and configuration.

Thanks, again, for the quick responses. I was assuming that JAMF wasn't required, but someone someone on campus had told me they thought JAMF was required and I just couldn't believe that was the case.

Thanks!!

Hello
Hoping for some assistance. We just implemented EC in to our environment with the help of an Apple engineer for two days and I am currently testing it with a small group of users. One of the improvement I will like to implement is mapping different network shares a user has access to by using their AD group memberships rather than user adding them in manually after EC is configured on their mac. We have an environment where some of our macs are joined to the domain and some are not.

Has anyone been able to map network shares using EC according to users AD group memberships on a non AD bound Mac?

Thanks

@Reboot2611

Yes & Sorta.
Apple EC Support Enginner should continue working with you via Email/Webex/ect. To continue expanding your deployed EC capabilities.

1. Yes: Simple network paths that all users use smb://shareserver/shares/ is really simple to setup & just works.
2. Sorta: The more complex user based shares (ex: smb://usershare/%username%/) require some special scripts to be built. We had some the EC Engineer code this out for us. Reason i say this SORTA works.. It fails to actually work the 1st time for 1/4th of my users.. And the EC Engineer is still trying to figure out why. And due to this 1 time failure the EC Agent totally doesn't work for said User until the usersEC.plist is blown away & the script is ran again to reconfigure correctly... Fun times.

Users can also add their OWN pre-mapped shares anytime they want.. unless you lock it out of their hands.

The other fun part is EC password changes work better than ADPassMon but still not 100%.. Somehow some way our users still manage to have stuff saved in their Keychain that we simply cannot fix. And also some times EC doesn't change the Users Keychain Password (Local User = AD User) this has to be resolved with a manual password reset to Keychain.

@JSnell Thank you for your reply. Is it possible for you to share the Script thats not fully working for your environment? I am not getting much assistance from my EC Support Engineer if I can get some ideas from your script to get started it will be very helpful for me. Thanks

How do I contact Apple Pro Services to start looking at EC? We don't purchase many macs, however, that is increasing as time goes on. The individuals I have contacts for at Apple have not got back to me since I e-mailed them. @rjlemmon, you still watching this thread?

Thanks!

Hi @Kedgar I have sent this link to rick and another guy. hopefully they can help you. they are awesome people

@Tigerhaven Thank you so much!

My 2¢...

As an Enterprise Connect customer, I find that the engagement pays dividends that far outstrip the cost or time involved or the feature set of the Enterprise Connect app.

Through the engagement, we learned how and why Enterprise Connect works, as well as a deeper understanding of the macOS AD tools.

As Jamf customers, maybe think of it as an 'AD jumpstart' that comes with a free app.

@milesleacy

That is an excellent way to look at it.

As a former Apple Enterprise Connect subscriber, I would agree with your view point 100%!

@Kedgar

Just sent you my email address via LinkedIn.

Having completed engagement, we are now happily running Enterprise Connect within IT and are prepping for a full rollout. Considering how well this is currently working, I'd love to see this get built into the OS later!

@Chris_Hafner - having to support a new client with this. Have you seen any issues with FV and password changes? I don't have a lot fo info yet, but they are trying to escrow personal FV keys into JSS and there's some mention of the passwords getting out of sync not unlike AD accounts if you change the PW on a website, etc.
Don't have a lot of info yet, and you likely don't either, but I have no hands-on with this yet...glad it seems to be working for you.

What specifically are you hearing about? So far in my testing, FV accounts and recovery keys work just fine. Personal keys are being properly stored and are usable at least in my limited testing. I'll have to test on the bench and get back to you.

Whom would I get in touch with at Apple to get more information about an engagement for EC? I have sent a few emails to consultingservices@apple.com, but I haven't received a reply. Thanks in advance.

Grab your Apple Rep or contact Apple Professional Services. They can sort you out.

@Chris_Hafner send a message to @rjlemmon

@scottb I have run into this issue with macs that are bound to AD... even with NoMad installed and configured. I think the secret to fixing password sync issues for FileVault 2 and KeyChain is to not bind your macs. This is something we are going to be looking at for my company... in addition to Enterprise Connect.

@Kedgar Agreed on all sides. If you can stop binding, do so! Also, I think you meant for @paulschatz to contact @rjlemmon ;-)

@rjlemmon : You should post an update to your message at the top of this thread. It says, "Enterprise Connect is only available to USA based customers."

But I was in your webinar yesterday, and either you or one of your co-presenters mentioned that it's available in several countries now . (And am I right in remembering that it's now localized for some other languages?)

Oh, and I hope you've recovered from your cold!

Thanks much @Chris_Hafner and @Kedgar. Appreciate the feedback. I think it's settled out with EC and no more AD binding...

It's a beautiful thing! Now I just need to figure out the best way to manage user names "in my environment".

@Chris_Hafner this was provided as a way to get names. Not sure if that's what you meant by "manage user names" but here 'tis:

klist|grep Principal:|awk {'print $2'}|sed 's/@.*//'

"The easiest way to do this is to extract the user name out of the Kerberos ticket that EC gets." (using the above).
If this was already known to you, apologies. I have not tested it yet.

Running EC in production since 10.11 and it has been reliable. Thank you @rjlemmon

Any thoughts on the best way to identify whether users are logged into EC? Just because the app has been installed doesn't mean users have gone through the step of an initial sign in. Would be nice to have an extension attribute.

I was thinking about this today too @macmanmk we have a lot of people that have it installed but haven't logged in.

I haven't created it as an EA yet but something like this would show if it's running or not.

#!/bin/bash
/usr/bin/pgrep "Enterprise Connect"
if [ $? -eq 0 ]; then
    echo "<result>running</result>"
else
    echo "<result>not running</result>"
fi

@macmanmk

We use a launch agent in /Library/LaunchAgents to start the app at login and keep it alive. So even if the user quits EC, it will relaunch and the can't stop it!

@ooshnoo I tried your approach and it keeps EC running, but what we're seeing is people just close down the login window without actually logging in. The launch agent keeps EC running in the background but doesn't reopen the login window until they reboot or log out.

Has anyone figured out a way to prevent the user from closing the window until they've logged in?

Curious to know if 1.6.1 (4) is the latest version of EC. Also has anyone encountered any issues with EC with the following:
- AD 2012 R2 Standard
- AD Schema version 69

Thanks in Advance

@lgt28jr I think 1.8 (4) is the latest version of EC and no issues here with AD schema 69.

@jason_d are you using EC? If so is 1.8(4) the version you are using? I was told I would get emails when EC was updated but haven't received any emails since April of a newer version being released. I will reach out to my Apple contact who did the onsite with us to see if they did release a newer version. Thanks

@rjlemmon So...Enterprise Connect (EC) and no AD Binding....and HR/Legal/Security phone call to lock out an AD account....go.

1. If a user's AD account is locked out as per HR/Legal/Security, how does EC behave when the user returns from lunch, and during their lunch, their AD account was locked out?
2. If a user moves to another Mac where they logged on before, and their AD account is locked out, will they be able to log in to the locally cached account (mobile account)?
3. If a user knows he/she is locked out of their AD account, are they able to walk over to a computer they logged into before, unplug it from the network, and log in with their last cached password? Read: circumvent AD lockout.

We haven't gone down the EC road, figured I'd post here rather than wait for the next monthly EC web meeting, where the question might not get answered, or might lose context if follow up questions are not possible.

TIA,
Don

@lgt28jr yes we are running 1.8.0(4) I would follow up with Apple. We got an email when it came out not that long ago.

hi @rjlemmon , a couple of questions

• Our business is based in the US, but have offices across the globe...will this still function for our international offices or does it depend on infrastructure set-up (how/what/etc)?

• Do users have one or two passwords? For example if we only had a local user account and we supply them company credentials (email/shares/etc). what password is used to log into the Mac, unlock file vault, etc?

Thank you

@donmontalvo

1.) It alerts the users via Notification Center like any other alert.
2.) Yes
3.) Yes

EC takes no action other than an alert on an account being locked in AD.

@walt

1.) As long as it is AD then it should work. If there are multiple domains globally you might need to have different configurations for these different regions.

2.) They can have as many as two password but its up to you the admin and the user to reduce this to one. EC can have the user sync their AD password to the local account if you configure it. This can't be forced so up to your users to comply.

@macmanmk

If this file

$HOMEFOLDER/Library/Preferences/com.apple.Enterprise-Connect.plist

doesn't exist then Enterprise Connect has never been logged into. Key off of that but I'd actually take it a step further and even if the prefs exist verify that it is actually connecting.

defaults read $HOMEFOLDER/Library/Preferences/com.apple.Enterprise-Connect.plist dateLastConnected

And you can easily convert that to epoch for easy comparison and see if they've check in in the last X days

timeStamp14dBack=$(date -v-14d -u +"%s")
dateLastConnecedEpoch=$(date -j -f "%Y-%M-%d %T" "$($HOMEFOLDER/Library/Preferences/com.apple.Enterprise-Connect.plist dateLastConnected | cut -d " " -f1,2)" "+%s")

if [[ $dateLastConnecedEpoch -lt $timeStamp14dBack ]]
then
echo "they have connected in the last two weeks. good user"
else
echo "they have not in a couple weeks. bad user."
fi