
Hi all,

This is Rick Lemmon from Apple Professional Services. I'm happy to answer any questions you have around Enterprise Connect. For those of you who are unfamiliar with the tool, it provides a good level of Active Directory integration for Macs that are not domain bound. It also enhances AD integration for Macs that are domain bound and have a user logging in with an AD account.

Enterprise Connect is simply an application. Once it has been set up, it resides in your menu bar. Specifically, Enterprise Connect provides:

Kerberos SSO support: Enterprise Connect includes a built in Kerberos client and ensures that your users have a Kerberos TGT.
Account management: Enterprise Connect notifies your users, via Notification Center, when their AD password is about to expire. They can change their AD password right within Enterprise Connect.
Network shares: Enterprise Connect can mount network shares, including your AD network home and any other SMB or AFP shares you'd like to mount.

It works great if you are bound to an AD domain, but again, there is no requirement to bind to the domain to use it. It works great from a local account on an unbound system.

Enterprise Connect is driven by network state changes. When a state change occurs, Enterprise Connect checks to see if your corporate network is available, and if it is, it will acquire a Kerberos TGT, check password expiration and re-mount your shares if they have disconnected. It is also triggered by wakes from sleep and in a couple of other situations.

There are also a lot of other useful features (configuration profile support, the ability to run scripts, etc.), but for the sake of brevity I'll leave those things for later.

You may be asking "How do we get it?" or "Can I see a demo?". Please contact your Apple account team for more information on these subjects. Also, Enterprise Connect is only available to USA-based customers.

I'll be following this thread, so please respond with any questions.

@Tigerhaven Thank you so much!


My 2¢...

As an Enterprise Connect customer, I find that the engagement pays dividends that far outstrip the cost or time involved or the feature set of the Enterprise Connect app.

Through the engagement, we learned how and why Enterprise Connect works, as well as a deeper understanding of the macOS AD tools.

As Jamf customers, maybe think of it as an 'AD jumpstart' that comes with a free app.


@milesleacy

That is an excellent way to look at it.

As a former Apple Enterprise Connect subscriber, I would agree with your viewpoint 100%!


@Kedgar

Just sent you my email address via LinkedIn.


Having completed the engagement, we are now happily running Enterprise Connect within IT and are prepping for a full rollout. Considering how well this is currently working, I'd love to see this get built into the OS later!


@Chris_Hafner - having to support a new client with this. Have you seen any issues with FV and password changes? I don't have a lot of info yet, but they are trying to escrow personal FV keys into JSS, and there's some mention of the passwords getting out of sync, not unlike AD accounts if you change the PW on a website, etc.
Don't have a lot of info yet, and you likely don't either, but I have no hands-on with this yet... glad it seems to be working for you.


What specifically are you hearing about? So far in my testing, FV accounts and recovery keys work just fine. Personal keys are being properly stored and are usable at least in my limited testing. I'll have to test on the bench and get back to you.


Whom would I get in touch with at Apple to get more information about an engagement for EC? I have sent a few emails to consultingservices@apple.com, but I haven't received a reply. Thanks in advance.


Grab your Apple Rep or contact Apple Professional Services. They can sort you out.


@Chris_Hafner send a message to @rjlemmon

@scottb I have run into this issue with Macs that are bound to AD... even with NoMAD installed and configured. I think the secret to fixing password sync issues for FileVault 2 and Keychain is to not bind your Macs. This is something we are going to be looking at for my company... in addition to Enterprise Connect.


@Kedgar Agreed on all sides. If you can stop binding, do so! Also, I think you meant for @paulschatz to contact @rjlemmon ;-)


@rjlemmon: You should post an update to your message at the top of this thread. It says, "Enterprise Connect is only available to USA based customers."

But I was in your webinar yesterday, and either you or one of your co-presenters mentioned that it's available in several countries now. (And am I right in remembering that it's now localized for some other languages?)

Oh, and I hope you've recovered from your cold!


Thanks much @Chris_Hafner and @Kedgar. Appreciate the feedback. I think it's settled out with EC and no more AD binding...


It's a beautiful thing! Now I just need to figure out the best way to manage user names "in my environment".


@Chris_Hafner this was provided as a way to get names. Not sure if that's what you meant by "manage user names" but here 'tis:

klist | grep 'Principal:' | awk '{print $2}' | sed 's/@.*//'

"The easiest way to do this is to extract the user name out of the Kerberos ticket that EC gets." (using the above).
If this was already known to you, apologies. I have not tested it yet.


Running EC in production since 10.11 and it has been reliable. Thank you @rjlemmon


Any thoughts on the best way to identify whether users are logged into EC? Just because the app has been installed doesn't mean users have gone through the step of an initial sign in. Would be nice to have an extension attribute.


I was thinking about this today too, @macmanmk. We have a lot of people that have it installed but haven't logged in.

I haven't created it as an EA yet but something like this would show if it's running or not.

#!/bin/bash
# Report whether the Enterprise Connect process is running.
# -q keeps pgrep from printing the PID, which would otherwise land in the EA output.
if /usr/bin/pgrep -q "Enterprise Connect"; then
    echo "<result>running</result>"
else
    echo "<result>not running</result>"
fi
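A running process does not tell you whether the user actually signed in, which is the gap @macmanmk described. The script below is an added example, not code from the thread or from Apple: it combines the pgrep check with the klist principal trick posted earlier, and reports whether the console user holds a Kerberos TGT. It assumes the EA runs as root on macOS (hence `launchctl asuser` to read the console user's ticket cache); the klist output format and user name in the comments are constructed.

```bash
#!/bin/bash
# Added example: Jamf extension attribute that reports whether Enterprise Connect
# is running and whether the console user currently holds a Kerberos TGT.

# Pull the AD short name out of klist output read from stdin
# (e.g. "        Principal: jdoe@CORP.EXAMPLE.COM" -> "jdoe").
# Exit status 1 if there is no "Principal:" line, i.e. no ticket cache.
principal_from_klist() {
    awk '$1 == "Principal:" { sub(/@.*/, "", $2); print $2; found = 1 }
         END { exit !found }'
}

# Map process state plus klist text to the EA value.
# $1 = pgrep exit status (0 = EC process found), $2 = klist output.
ec_state() {
    local user
    if [ "$1" -ne 0 ]; then
        echo "not running"
        return
    fi
    if user=$(printf '%s\n' "$2" | principal_from_klist); then
        echo "running, TGT for $user"
    else
        echo "running, no TGT"
    fi
}

# Live collection, macOS only: EAs run as root, so ask klist on behalf of the
# console user or you will only ever see root's (empty) cache.
if [ "$(uname)" = "Darwin" ]; then
    pgrep -q "Enterprise Connect"; ec_rc=$?
    console_user=$(stat -f '%Su' /dev/console)
    uid=$(id -u "$console_user")
    klist_out=$(launchctl asuser "$uid" sudo -u "$console_user" klist 2>/dev/null)
    echo "<result>$(ec_state "$ec_rc" "$klist_out")</result>"
fi
```

A "running, no TGT" result is the case to report on: the agent is up but the user either never signed in or closed the login window.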

@macmanmk

We use a launch agent in /Library/LaunchAgents to start the app at login and keep it alive. So even if the user quits EC, it will relaunch and they can't stop it!


@ooshnoo I tried your approach and it keeps EC running, but what we're seeing is people just close down the login window without actually logging in. The launch agent keeps EC running in the background but doesn't reopen the login window until they reboot or log out.

Has anyone figured out a way to prevent the user from closing the window until they've logged in?


Curious to know if 1.6.1 (4) is the latest version of EC. Also has anyone encountered any issues with EC with the following:
- AD 2012 R2 Standard
- AD Schema version 69

Thanks in Advance


@lgt28jr I think 1.8 (4) is the latest version of EC and no issues here with AD schema 69.


@jason_d are you using EC? If so is 1.8(4) the version you are using? I was told I would get emails when EC was updated but haven't received any emails since April of a newer version being released. I will reach out to my Apple contact who did the onsite with us to see if they did release a newer version. Thanks


@rjlemmon So...Enterprise Connect (EC) and no AD Binding....and HR/Legal/Security phone call to lock out an AD account....go.

  1. If a user's AD account is locked out as per HR/Legal/Security, how does EC behave when the user returns from lunch, and during their lunch, their AD account was locked out?
  2. If a user moves to another Mac where they logged on before, and their AD account is locked out, will they be able to log in to the locally cached account (mobile account)?
  3. If a user knows he/she is locked out of their AD account, are they able to walk over to a computer they logged into before, unplug it from the network, and log in with their last cached password? Read: circumvent AD lockout.

We haven't gone down the EC road, figured I'd post here rather than wait for the next monthly EC web meeting, where the question might not get answered, or might lose context if follow up questions are not possible.

TIA,
Don


@lgt28jr yes, we are running 1.8.0(4). I would follow up with Apple. We got an email when it came out not that long ago.