Hi all,

This is Rick Lemmon from Apple Professional Services. I'm happy to answer any questions you have around Enterprise Connect. For those of you who are unfamiliar with the tool, it provides a good level of Active Directory integration for Macs that are not domain bound. It also enhances AD integration for Macs that are domain bound and have a user logging in with an AD account.

Enterprise Connect is simply an application. Once it has been set up, it resides in your menu bar. Specifically, Enterprise Connect provides:

- Kerberos SSO support: Enterprise Connect includes a built-in Kerberos client and ensures that your users have a Kerberos TGT.
- Account management: Enterprise Connect notifies your users, via Notification Center, when their AD password is about to expire. They can change their AD password right within Enterprise Connect.
- Network shares: Enterprise Connect can mount network shares, including your AD network home and any other SMB or AFP shares you'd like to mount.

It works great if you are bound to an AD domain, but again, there is no requirement to bind to the domain to use it. It works great from a local account on an unbound system.

Enterprise Connect is driven by network state changes. When a state change occurs, Enterprise Connect checks to see if your corporate network is available, and if it is, it will acquire a Kerberos TGT, check password expiration and re-mount your shares if they have disconnected. It is also triggered by wakes from sleep and in a couple of other situations.

There are also a lot of other useful features (configuration profile support, the ability to run scripts, etc.), but for the sake of brevity I'll leave those things for later.

You may be asking "How do we get it?" or "Can I see a demo?". Please contact your Apple account team for more information on these subjects. Also, Enterprise Connect is only available to USA based customers.

I'll be following this thread, so please respond with any questions.
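The first post describes the check Enterprise Connect performs on a network state change: is there a Kerberos TGT, and is it still good? The following is an added example, not Enterprise Connect's code or anything from Apple: it parses the ticket list in the shape Heimdal `klist` prints on macOS (the sample text is constructed, and the exact layout on a given system is an assumption) and classifies the TGT for a realm as missing, expired, due for renewal, or fine. A login script or a monitoring check could use the same logic to decide whether SSO is actually in place before mounting shares.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of Heimdal `klist` output on macOS.
# Assumption: real output on a given system may differ in spacing or columns.
SAMPLE_KLIST = """\
Credentials cache: API:6F0C5A4B-1234-5678-9ABC-DEF012345678
        Principal: jdoe@CORP.EXAMPLE.COM

  Issued                Expires               Principal
Mar 14 08:02:11 2024  Mar 14 18:02:11 2024  krbtgt/CORP.EXAMPLE.COM@CORP.EXAMPLE.COM
Mar 14 08:05:40 2024  Mar 14 18:02:11 2024  cifs/fileserver.corp.example.com@CORP.EXAMPLE.COM
"""

TIME_FMT = "%b %d %H:%M:%S %Y"
_TS = r"\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\d{4}"

# One ticket line: issued time, expiry time (or Heimdal's ">>>Expired<<<"), principal.
TICKET_RE = re.compile(
    rf"^(?P<issued>{_TS})\s+(?P<expires>{_TS}|>>>Expired<<<)\s+(?P<principal>\S+)\s*$"
)


def at(text):
    """Parse a timestamp written the way klist prints it (used for 'now' in tests)."""
    return datetime.strptime(text, TIME_FMT)


def parse_tickets(klist_text):
    """Return a list of {'principal', 'expires'} dicts; 'expires' is None when klist
    already reports the ticket as expired."""
    tickets = []
    for line in klist_text.splitlines():
        m = TICKET_RE.match(line)
        if not m:
            continue  # header lines, cache name, blank lines
        exp = m.group("expires")
        expires = None if exp == ">>>Expired<<<" else datetime.strptime(exp, TIME_FMT)
        tickets.append({"principal": m.group("principal"), "expires": expires})
    return tickets


def tgt_status(klist_text, realm, now, renew_within=timedelta(minutes=30)):
    """Classify the TGT for `realm` as 'missing', 'expired', 'renew' or 'ok'.

    'renew' means the ticket is still valid but expires within `renew_within`,
    which is the point at which a background agent would want to refresh it
    rather than let a share mount or SSO attempt fail later.
    """
    wanted = f"krbtgt/{realm}@{realm}"
    for ticket in parse_tickets(klist_text):
        if ticket["principal"] != wanted:
            continue  # service tickets (cifs/..., http/...) are not the TGT
        if ticket["expires"] is None or ticket["expires"] <= now:
            return "expired"
        if ticket["expires"] - now <= renew_within:
            return "renew"
        return "ok"
    return "missing"


if __name__ == "__main__":
    # Walk the constructed sample through a day: mid-morning, just before
    # expiry, and after expiry.
    for when in ("Mar 14 12:00:00 2024", "Mar 14 17:45:00 2024", "Mar 14 19:00:00 2024"):
        print(when, "->", tgt_status(SAMPLE_KLIST, "CORP.EXAMPLE.COM", at(when)))
```

On a real Mac the text would come from `subprocess.run(["klist"], capture_output=True, text=True).stdout`; a non-zero exit status from `klist` means there is no credentials cache at all, which maps to the same `missing` outcome as a cache without a TGT.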

So itupshot:
This might not have all the answers, but it sure helped me a lot: http://www.jamfsoftware.com/resources/getting-users-to-do-your-job-without-them-knowing-it/


@geoffreykobrien I'd be interested in taking a look at your script as well.

I have looked into ADPassMon, but I'm still not sure it'll help us get rid of the "Local Items" keychain issue.

@KDE82 Thanks for the link. That was a great presentation. I'm going to see if the GitHub for it is still online.


@itupshot If a user forgets their old keychain password, ADPassMon will reset their login.keychain, delete their local items, and then restart their Mac.

There is some more work to be done, by adding some features from KeychainMinder.


Is EC available to US customers that have a worldwide presence? Are there any restrictions on its use outside the US?

What about use with multiple AD forests/domains? Is that handled when professional services configures it?


Based on the first post on this thread, one of the last sentences:

Enterprise Connect is only available to USA based customers

Emphasis is mine.

I think some of the Apple folks would need to confirm, but I read that as limited to companies that have their main headquarters in the US, not necessarily that it can only be installed in US locations. At least I would hope that's the only limitation, since many companies that could use this would be in the same situation: US based, but with offices in many locales around the world. It probably has to do with the on-site professional services visit to get it set up.


For a non-bound Mac with a local account, does EC allow a user to print to a Windows print server without authenticating? I'm trying to figure out how to get away from IP based printing.

Also, for those posting to get updates on the thread - you can instead add a bookmark by clicking the plus sign at the top right and you'll get all email updates. :)

chris


I will also be very interested in EC once it's available to higher ed.


Does anyone have any updates on Enterprise Connect? Has anyone purchased and implemented it? What are your opinions?


Hi Matthew,

I purchased it and implemented it.

The “purchase” was more a 2 days contract for Apple Professional Services. The actual setup lasted an hour. APS engineers are very knowledgeable and super nice. Enterprise Connect doesn’t modify your infrastructure.

If you have a 'standard' AD setup, EC should integrate very easily. Otherwise, the 2 days might come in handy :)
If you want to test before, download and install KerbMinder. If it works straight away, chances are EC will work too.

To be honest, in my case, EC wasn't better than KerbMinder, and I lost the possibility to tweak it myself. But the EC team is great and you get great Apple support.


Hi ftiff,

Have you tested how well it works for unbound machines?

How do your users like it?

Are there any features that you know Apple wants to add to the product?


Hey @mlavine

Yes, we use it exclusively on unbound machines.
Our users barely notice it. To be honest, they don't care. They have single sign-on; that's all they want to know. Yes, I have quite a few features I'd like to add:
- remove the GUI, it's not needed and users don't like to have lots of icons in the menu bar. It feels like Windows
- push username and realm from a profile
- use the AD login and password entered in Setup Assistant. I hope this will come if it ever becomes native to OS X
- open a per-app VPN to get the Kerberos ticket when outside of the corporate network

But again, it works great.


I work in government. Would this work with PIV/CAC enabled accounts? Can this support PIV/CAC logins to network shares, etc.? How would that work with remote users? I can use it via VPN.

This part is directed at the Apple person who posted this. Please bring back PIV/CAC support in the OS natively. When it was dropped, there were not that many Macs in government. Nowadays, Macs are infiltrating at an exponential rate. Eliminate the 100% need for me to bind the Mac to AD and there will be a whole lot more real fast. Yes, I have put feedback in on the Apple page. I am just trying to get this heard wherever I can.


Does this tool work only with AD domains, or does it also work with OD?


Why not just use Centrify? We use it as we purchased it prior to Apple releasing this, but you can manage it all through GPOs, SSO, etc. Haven't looked at pricing between the two, but almost everyone from a security perspective knows Centrify.

https://www.centrify.com/

https://www.centrify.com/products/identity-service/mac-management/


So far as I remember there is a significant price difference, but I don't have all those numbers off hand!



@rkovelman Centrify is about $90/seat IIRC. How much does the Apple Enterprise Connect cost after the $5K integration? Maybe the cost of EC would make the difference for certain organizations.


@bradtchapman Enterprise Connect is just the one-time professional services fee to configure it. It's also supported by AppleCare OS Support, so that's a plus too.


@bradtchapman As far as I know you only pay once for Enterprise Connect and that is the initial $5500.


You get what you pay for. I haven't seen it but FWIW people have given it bad reviews online. Still too new and missing too many functions.


From the standpoint that EC is really 2 days of professional services with Apple and an app that would probably help in your environment, the cost is pretty low, IMHO. What functions are you looking for?


@rkovelman Bad reviews online? Where exactly are these reviews you're referring to? Given this isn't something sold on the MAS or other public channels, I'd love to see such "reviews". Especially since, as you say, you "haven't seen it". Or is this the old "I read it somewhere on the internet so it must be true" meme?


We have purchased EC and had Apple add the ability to sync the AD password with the local password as this was the real issue keeping us from using the product. We are still in the development phase but we plan to reengineer our whole password policy and account enforcement around this app. It doesn't do everything but it is simple, lightweight, inexpensive, and being actively developed.


What I'd really like to see is a Keychain remediation feature built into it, like ADPassMon...


That would be nice, for sure. Until then it can fire off a script when a password change is made, and you could do that now for the keychain items you want. They have an example script posted. We are using that script to post the new creds to our password sync tool website.