
Hi all,

This is Rick Lemmon from Apple Professional Services. I'm happy to answer any questions you have around Enterprise Connect. For those of you who are unfamiliar with the tool, it provides a good level of Active Directory integration for Macs that are not domain bound. It also enhances AD integration for Macs that are domain bound and have a user logging in with an AD account.

Enterprise Connect is simply an application. Once it has been set up, it resides in your menu bar. Specifically, Enterprise Connect provides:

Kerberos SSO support: Enterprise Connect includes a built in Kerberos client and ensures that your users have a Kerberos TGT.
Account management: Enterprise Connect notifies your users, via Notification Center, when their AD password is about to expire. They can change their AD password right within Enterprise Connect.
Network shares: Enterprise Connect can mount network shares, including your AD network home and any other SMB or AFP shares you'd like to mount.

It works great if you are bound to an AD domain, but again, there is no requirement to bind to the domain to use it. It works great from a local account on an unbound system.

Enterprise Connect is driven by network state changes. When a state change occurs, Enterprise Connect checks to see if your corporate network is available, and if it is, it will acquire a Kerberos TGT, check password expiration and re-mount your shares if they have disconnected. It is also triggered by wakes from sleep and in a couple of other situations.

There are also a lot of other useful features (configuration profile support, the ability to run scripts, etc.), but for the sake of brevity I'll leave those things for later.

You may be asking "How do we get it?" or "Can I see a demo?". Please contact your Apple account team for more information on these subjects. Also, Enterprise Connect is only available to USA based customers.

I'll be following this thread, so please respond with any questions.

While it would be nice for the Apple Professional Services team to fix the Keychain issues, I don't think it's fair for them to do the job of a different internal Apple team.

Insert rant about how the keychain issues should have been fixed years ago and that if somebody in Apple could write in "normal" English, 3/4 of everyone's tickets, including Apple's, would disappear if the pop-up sync window just said "please enter last password". "Got to love that Apple ease of use"

C


I couldn't agree more with @gachowski's comment above. It's utterly astounding that that dialog has not been revamped by now. It's the single most confusing dialog Apple has in their OS and bafflingly continues to have in there. I can only imagine how many complaints Apple has received over the years about this and they've yet to change it.
But you can bet Apple will have designed some new system font for 10.12, or recreated all the apps' icons or something, because, you know, that's actually what's important after all.


I just sat through the Web Ex on this and it seems that it can be boiled down to a few things:

  • The cost is really going towards having an engineer onsite for 2 days
  • It helps sync local items (keychain) to what the AD password is
  • Reminds to change AD password without logging out
  • Maps drive
  • Can trigger scripts to run

It doesn't necessarily seem like a game changer or a magic bullet, but a nice little in-between for the computer and the domain controller.

Can anyone who has purchased this at their organization verify this? Is there a solid benefit in implementing it?


@CorpTech EC does not directly sync local items with the AD password. What it can do is run a script after an AD password change. They have an example that prompts the user for access to the EC keychain item thus retrieving the password and from there you can script updates to keychain items and other things. All of the other items are correct.


@iJake is that scripting process and creation where having the engineer onsite comes in?


@CorpTech Yes, they would definitely help craft those with you.


@mm2270 Do some googling and you will come across it... If you ever want to find negative reviews on a product, the internet is littered with them. Looking for a good one, not so much.


We purchased EC and use it on all of our domain-bound Macs. Our users seem pretty happy with the tool as it syncs the Keychains with the AD password at the time of password change without having to log out and log back in. I also like the fact that if you are not on your corp network it will give you an alert saying to connect to the corp network first before trying to change your password. It also mounts the network drives after the login has happened and the user gets control of the screen, so this doesn't tie up or slow down the login process, which I have seen when trying to map drives at login. Furthermore, it gives a nice pop-up in the Notification Center letting users know their password is going to expire.

The only thing that we still have issues with is Macs falling off the domain, rendering EC useless. So I wrote a long script that checks if the machine is bound to AD, if the AD keychain is present, and if the machine is actually still in AD. If any of the tests fails, it launches my AD binding policy to rebind the machine to the network. I have this script run once a week on all machines.

Hope this helps out!!!

Shawn Goetz
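An added example of the kind of weekly check described in the post above (this is not sgoetz's script). It runs the three tests the post lists (bound to AD, AD keychain item present, computer object still readable in AD) and calls a rebind policy if any fails. Assumptions not from the page: the placeholder domain corp.example.com with NetBIOS name CORP, the System keychain service name "/Active Directory/<NETBIOS>", and a hypothetical Jamf policy with custom event "rebindAD" that performs the bind.

```shell
#!/bin/bash
# Added example, not the script from the post. Assumed placeholders: domain name,
# NetBIOS name, keychain service naming, and the "rebindAD" Jamf policy event.
AD_DOMAIN="corp.example.com"
AD_NETBIOS="CORP"

# Constructed sample of `dsconfigad -show` output, used to exercise the parser offline.
SAMPLE_SHOW='You are bound to Active Directory:
Active Directory Forest          = corp.example.com
Active Directory Domain          = corp.example.com
Computer Account                 = mymac$'

# Pull one "Name = value" field out of dsconfigad -show text ($1); empty if absent.
ad_show_field() {
  printf '%s\n' "$1" | sed -n "s/^$2 *= *//p" | head -n 1
}

# Test 2: the computer account credential is stored in the System keychain under the
# service "/Active Directory/<NETBIOS>" (assumed naming).
check_keychain() {
  security find-generic-password -s "/Active Directory/$AD_NETBIOS" \
    /Library/Keychains/System.keychain >/dev/null 2>&1
}

# Test 3: the Mac can still read its own computer object ($1, e.g. "mymac$") via the AD node.
check_in_ad() {
  dscl "/Active Directory/$AD_NETBIOS/All Domains" -read "/Computers/$1" >/dev/null 2>&1
}

# Decision: every result must be "pass"; prints "healthy" or "rebind".
decide() {
  for r in "$@"; do [ "$r" = pass ] || { echo rebind; return 0; }; done
  echo healthy
}

main() {
  show="$(dsconfigad -show 2>/dev/null)"
  account="$(ad_show_field "$show" "Computer Account")"
  # Test 1: bound, and to the expected domain.
  [ "$(ad_show_field "$show" "Active Directory Domain")" = "$AD_DOMAIN" ] && b=pass || b=fail
  check_keychain && k=pass || k=fail
  [ -n "$account" ] && check_in_ad "$account" && a=pass || a=fail
  echo "bound=$b keychain=$k in_ad=$a"
  # Hypothetical Jamf policy that performs the rebind when any test failed.
  [ "$(decide "$b" "$k" "$a")" = rebind ] && jamf policy -event rebindAD
}

# Run the live checks only on a Mac that has dsconfigad (skipped elsewhere).
command -v dsconfigad >/dev/null 2>&1 && main
```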


Hey @sgoetz

Not sure if this will help, but you can look into the password interval for dsconfigad. From what I understand by default, unless you change it, the Mac will change its Machine AD Password every 14 days. You can change it to 0 (never changes) or to a longer interval. Something to consider.

dsconfigad -passinterval 0

I'm guessing if the password change fails it becomes unbound.


So if I have read through all of these comments correctly, if password changes are done through a service external to the Mac, the Keychain still gets locked and I still have to walk my users through deleting their keychain and restarting to create a new one?

When is Apple going to scrap the keychain? It's a festering pile with no redeeming qualities.


When is Apple going to scrap the keychain? It's a festering pile with no redeeming qualities.

The Keychain concept is a valid (dated) consumer feature developed by a Consumer Electronics company.

As admins for Enterprise users, we will always be circling the consumer features trying to engineer solutions to bend them to fit our needs.


It won't be easy to drop Keychain as everything is stored in there, including the Kerberos ticket and password. Keychain, I would hope, after 15 years or whatever is a hardened app; it's just trying to figure out how to "mess" with it to do what you need it to do.


@rjlemmon Can you give me a number to call? I seem to be getting bounced around at Apple inc.

Can anyone?


@Mhomar Call your Apple sales rep, they should be able to get you squared away.


I've called and emailed as well and have never been able to get anyone at Apple to contact me. Considering that we are a huge enterprise company - and we PAID for a Readiness Review 2 years ago (we received the report, but my requests to schedule the actual presentation were never returned) my management is not very happy with Apple. We keep getting reassigned to different reps and engineers and basically it is a fight just to allow Apple products in the environment. If Apple really wants to start supporting their enterprise customers, then they might want to actually start supporting their enterprise customers.


@pwb is the guy to contact.


Hey @jason.bracy. Sorry to hear that. Shoot me an email. pwb at apple.


@jason.bracy: I will send you an email directly. Sales teams do get moved around as in every organization, but the Apple PS team is still here to support you. Larry who performed the Review and Tracy M. are still available anytime you need help. Obviously Peter who responded is also on our team. Thanks. JD Mankovsky - Sr. Manager - APS


Thanks @jdman


@pwb would it be possible to send more information about Enterprise Connect?

I've contacted the Business Team at the local Apple Store and let's say.... they had no idea.


@chad.fox Please send me an email to lrc at apple.com and I will send you over more information.

Thanks
Larry


An Enterprise Connect Demo is scheduled for next week.
Thursday, June 2, 2016
2:00 pm | Eastern Daylight Time (New York, GMT-04:00) | 1 hr

After your request has been approved, you'll receive instructions for joining the meeting. Note: if the Registration site asks for a meeting #, use: 740 248 728


I don't think I'll be able to watch much of this as it conflicts with another meeting I have scheduled.

It looks like it would be a fantastic solution to add to our environment, except for the price tag that's inexplicably on it.


Apple Enterprise Connect Demo 13
Tuesday, July 19, 2016
12:00 pm | Eastern Daylight Time (New York, GMT-04:00) | 1 hr 15 mins


After your request has been approved, you'll receive instructions for joining the meeting.


@lcutrell Please send more info about Enterprise Connect.