
About Enterprise Connect



243 replies

  • Valued Contributor
  • 142 replies
  • November 7, 2015

For those who are interested... My Apple Rep mentioned that they are having a call next Friday the 13th to go over Enterprise Connect with a Q/A session at the end.


  • Author
  • New Contributor
  • 6 replies
  • November 7, 2015

@mm2270 You're correct on both things. If you're logged into your Mac with an AD mobile account, it'll pick up the username and domain at first launch. The user just needs to enter their password and sign in. They don't need to sign in again unless their password changes or there is some problem with their AD account. For the most part, once it's set up, the app runs in the menu bar and does its thing without user intervention. Users will just see the color of the app's icon change. It's yellow when your Mac isn't on the corporate network and green when it is.

And yes, the application can also be configured with a configuration profile. You can configure most settings using the Custom Settings payload of a profile. Casper does a great job of deploying this profile. Yes, EC does the right thing when a setting is configured with a profile - the configured settings get disabled in the UI so the user knows they cannot be changed.

Speaking of automation, Enterprise Connect can also execute a script whenever it goes through its connection process. We intended this to be used to audit a system prior to connecting. Think of something like host checking in a VPN client. For example, you could write a script to check if FileVault is on. If it's not on, and the script has an exit status != 0, Enterprise Connect stops the connection process, tells the user their system isn't compliant and to call the help desk. Really though, you could make the script do whatever you want it to. The only catch is that the script runs as the logged in user, so you can't do anything as root.

Bonus item - the app is also AD site aware. EC chooses a random domain controller when doing a site lookup, but once EC has determined your site, it uses local domain controllers for LDAP queries, Kerberos, etc. Again, your Mac does not need to be domain bound for this to work.
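
An added example, not part of the post above and not Apple's or Enterprise Connect's own code: a pre-connection audit script of the kind the post describes, which checks FileVault and fails closed with a non-zero exit status. The function names and the file name `ec_preconnect_audit.sh` are hypothetical, and the matched strings are the assumed output of `fdesetup status`.

```shell
#!/bin/sh
# Added example: pre-connection compliance audit for the script hook in the post.
# Contract taken from the post: exit status 0 lets the connection proceed,
# any non-zero status stops it. The script runs as the logged-in user (no root).

# Classify the text printed by `fdesetup status`.
# Prints one of: on | encrypting | decrypting | off | unknown
classify_filevault() {
    status_text=$1
    first_line=$(printf '%s\n' "$status_text" | head -n 1)
    # A conversion in progress means the disk is not fully protected yet.
    case "$status_text" in
        *"Decryption in progress"*) echo decrypting; return ;;
        *"Encryption in progress"*) echo encrypting; return ;;
    esac
    case "$first_line" in
        "FileVault is On."*)  echo on ;;
        "FileVault is Off."*) echo off ;;
        *)                    echo unknown ;;  # unrecognised output fails closed
    esac
}

# Return 0 only when the volume is fully encrypted.
is_compliant() {
    [ "$(classify_filevault "$1")" = "on" ]
}

# Query the real tool and map the result to the hook's exit-status contract.
audit() {
    # Assumption: `fdesetup status` is readable without root on the target OS.
    if ! out=$(fdesetup status 2>&1); then
        echo "FileVault status could not be read: $out" >&2
        return 2
    fi
    if is_compliant "$out"; then
        return 0
    fi
    echo "Non-compliant: FileVault state is $(classify_filevault "$out")" >&2
    return 1
}

# Enforce only when installed under this (hypothetical) file name, so the
# functions above can be exercised on any host without ending the shell.
case "${0##*/}" in
    ec_preconnect_audit.sh) audit; exit $? ;;
esac
```
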


  • Valued Contributor
  • 1892 replies
  • November 7, 2015

@ShaunM9483 Correct, we're running a WebEx on 13 Nov on Enterprise Connect. If anyone would like to learn more and get the information for this session, please email me at "jay" "eff" "enn" (sound those out) @apple.com and I can get you the registration link.

I'm also happy to provide an introduction to your account team if you don't already know them.


  • Contributor
  • 16 replies
  • November 7, 2015

@jarednichols @rjlemmon It would be fantastic to see this outside of the US soon. I spoke to our Apple SE here about Enterprise Connect as we currently develop our own tool to perform these functions. If there is anything we can do to help untie it from Professional Services as we do not have this service in Australia please point me in the right direction. I know that many other Universities here would be interested based on the discussions we have had around our in-house tool. Is the WebEx available to people outside the US?



I also share @davidacland's and @bentoms' views here. This should really be part of the OS, especially if new deployment methods are to use DEP (which I prefer!).


notverypc
  • Contributor
  • 21 replies
  • November 7, 2015

Wow!! This really needs to be included in the OS or at the very least made available outside the US.


  • Valued Contributor
  • 401 replies
  • November 8, 2015

I agree that it'd be nice if it was included in the OS... but there's enough uniqueness in everyone's AD deployments to make that troublesome. I've got my fingers crossed, and I've emailed to get in on the WebEx.

@rjlemmon How quickly is Enterprise Connect expected to get updated after a major OS release? Is the expectation within days or quarters of the release of something like 10.12, for example?


psmac
  • Contributor
  • 29 replies
  • November 8, 2015

Does EC do anything for keychain issues for bound systems?

Very happy to hear Apple are developing in this area and would love to see this built in and to be made available "as is" for us all to try it out.


  • Author
  • New Contributor
  • 6 replies
  • November 9, 2015

All,

Thanks a lot for the feedback so far.

@cwaldrip We've been staying on top of OS releases. For example, with El Capitan, EC was ready to go well before it shipped. That's our goal going forward.

@psmac It depends. By "keychain issues", I assume you're talking about the Keychain password falling out of sync if a user changes their AD password somewhere other than their Mac. If a user does this, Enterprise Connect won't get the Keychain password back in sync.

However, if your user either uses Enterprise Connect to change their password, or uses a local account + Enterprise Connect, you should be okay. If you use EC to change your password while logged in with an AD account on a bound system, EC will change your AD password, mobile account password, FileVault password and the password for your default keychain (usually login). Using a local account sidesteps the issue entirely.


  • Esteemed Contributor
  • 1043 replies
  • November 9, 2015

I think I understand some of what Enterprise Connect is about now after reading this thread and a previous one from back in June. We are required to bind every computer to AD, and we get all our password expirations taken care of with ADPassMon. You say it can be used to mount AD Network home shares. Can it also mount all the network drives (H: M: O: Q: R:...) the users would see if they logged in on a Windows PC without the user having to know the server path? Unless there's some other magic going on behind the curtain, I don't see how paying $5500 for this tool would benefit us.

And why the secrecy? Why is there no public facing webpage to explain this product?


  • Contributor
  • 279 replies
  • November 9, 2015

Does EC still not change the password of a local non-AD account when the AD account password is updated through EC? If not, is this in the roadmap or something that could be added as a one off to the product during an onsite?


  • Valued Contributor
  • 119 replies
  • November 9, 2015

@rjlemmon Do you offer EC for Education? If not, do you have any plans?


  • Legendary Contributor
  • 7880 replies
  • November 9, 2015

Rick will need to respond, but I was not under the impression that by "Enterprise" it meant not for education. I can't see why Apple would exclude education from being able to use it.

Of course, the price tag may make it a little harder to swallow for smaller EDU environments. Maybe not as much for higher ed.


  • Valued Contributor
  • 64 replies
  • November 9, 2015

@Eigger, @rjlemmon can probably confirm this, but Apple came out to Boston a few weeks ago and did a "what's up and coming" from Apple to Higher Ed. It was all college folks there and we were all introduced to DEP, VPP, & EC and asked to reach out to our reps to get on the list. We haven't gotten pricing on this yet, so it is not clear if edu will get special pricing on it. My guess is everyone will pay the same price via Apple Professional Services.


  • New Contributor
  • 3 replies
  • November 9, 2015

@AVmcclint Enterprise Connect can mount a list of shares upon connecting to the corporate network (Ethernet, Wi-Fi, VPN). This list can be entered by the user or pre-configured by IT.


  • Esteemed Contributor
  • 1043 replies
  • November 9, 2015

Does it get the list of shares by processing the login script defined by Active Directory? Or would we have to manually edit the list for each and every user?


  • New Contributor
  • 3 replies
  • November 9, 2015

@AVmcclint Enterprise Connect does not process a Windows login script. You need to write the share paths to a plist - this can be done programmatically. If you already have the logic written in your login script, you just need to convert that to a shell script which writes the share paths to the plist.


  • Valued Contributor
  • 64 replies
  • November 9, 2015

Ideally what we are hoping we can do is enter the SMB mount point of our DFS server into EC, which would be the same for everyone. The actual shares are configured in Windows Server per user (or AD security group). We've been working towards this (DFS) for a couple years, because to my knowledge Mac & Linux have no way of parsing a Windows logon script (without the help from $centrify). Unless Enterprise Connect can do this? We are currently a 60% Windows & 40% Mac environment so I'd rather not replicate all of our shares in Casper.


geoffreykobrien

@rickwhois I have a script that looks up the group memberships a user belongs to and performs if then mounts based on said memberships if you're interested.


  • Valued Contributor
  • 64 replies
  • November 10, 2015

@geoffreykobrien Sure, I could always use more scripts! Thanks!


easyedc
  • Esteemed Contributor
  • 623 replies
  • November 10, 2015

We took delivery of EC last week. As we got towards the end of the year, and had extra budget money left over, it was an easy sell to save me time doing other things. We looked at it not as $5500 for the App, but really as just PS time.


Chris_Hafner
  • Jamf Heroes
  • 1716 replies
  • November 20, 2015

@rjlemmon Hey, I tried talking with my account rep and she has no idea what I'm talking about. Anyone specific I should contact with questions?


  • Contributor
  • 15 replies
  • November 25, 2015

Very interesting development; Enterprise Connect.

For those that are using this technology, it only works with local accounts?

Or integrates into AD/OD centralized management accounts on the Mac systems with regards to Kerberization and password syncing (similar to say ADPassMon/Kerbminder combo that others have mentioned)?

I sent an email to consultingservices@apple.com, haven't heard anything back yet. Our Jamf/CS rep did state it was legitimate, and sounds pretty cool overall.

But as with all things Mac... proof is in the pudding.

Thanks


  • Contributor
  • 222 replies
  • November 26, 2015

Also posting here to see updates, would be quite interested to see this in countries other than the US and as a stand alone app not needing the Apple pro services visit.


  • Valued Contributor
  • 173 replies
  • November 28, 2015

This is the first time I read of any of this. It sounds interesting. Our Macs are currently bound to AD using the OS's AD plugin. We bind them as part of the Casper Imaging process.

One of my biggest challenges is getting our Mac users to change their AD password before it expires. They don't log out, no matter how hard I try to convince them to. Because of this, they don't see when their password expires, and we get situations when it expires while they're out of the office, and they're stuck for a while.

Secondly, after they change their password, we get those annoying "Local Items" keychain prompts that never go away unless we manually delete that folder from their ~/Library/Keychains folder and restart.

Our passwords expire every 90 days, and people never remember what they need to do to reset them.

Will this tool get rid of those "Local Items" keychain prompts?

