About Enterprise Connect

So itupshot:
This might not have all the answers but sure helped me a lot http://www.jamfsoftware.com/resources/getting-users-to-do-your-job-without-them-knowing-it/

@geoffreykobrien I'd be interested in taking a look at your script as well.

I have looked into ADPassMon, but I'm still not sure it'll help us get rid of the "Local Items" keychain issue.

@KDE82 Thanks for the link. That was a great presentation. I'm going to see if the GitHub for it is still online.

@itupshot if a user forgets their old keychain password.

ADPassMon will reset their login.keychain & delete their local items & then restart their Mac.

There is some more work to be done, via adding some features from keychainminder

Is EC available to US customers that have a worldwide presence? Are there any restrictions on its use outside the US?

What about use with multiple AD forests/domains? Is that handled when professional services configures it?

Based on the first post on this thread, one of the last sentences:

Enterprise Connect is only available to USA based customers

Emphasis is mine.

I think some of the Apple folks would need to confirm, but I read that as limited to companies that have their main headquarters in the US, not necessarily that it can only be installed in US locations. At least I would hope that's the only limitation, since many companies that could use this would be in the same situation; US based, but have offices in many locales around the world. It probably has to do with the on site professional services visit to get it set up.

For a non-bound Mac with a local account, does EC allow a user to print to a Windows print server without authenticating? I'm trying to figure out how to get away from IP based printing.

Also, for those posting to get updates on the thread - you can instead add a bookmark by clicking the plus sign at the top right and you'll get all email updates. :)

chris

I will also be very interested in EC once it's available to higher ed.

Does anyone have any updates on Enterprise Connect? Has anyone purchased and implemented it? What are your opinions?

Hi Matthew,

I purchased it and implemented it.

The “purchase” was more a 2 days contract for Apple Professional Services. The actual setup lasted an hour. APS engineers are very knowledgeable and super nice. Enterprise Connect doesn’t modify your infrastructure.

If you have a 'standard' AD setup, EC should integrate very easily. Otherwise, the 2 days might come in handy :)
If you want to test before, download and install KerbMinder. If it works straight away, chances EC will work too.

To be honest, in my case, EC wasn't better than KerbMinder, and I lost the possibility to tweak it myself. But the EC team is great and you get great Apple support.

Hi ftiff,

Have you tested how well it works for unbound machines?

How do your users like it?

Are there any features that you know Apple wants to add to the product?

Hey @mlavine

Yes, we use it exclusively on unbound machines.
Our users barely notice it. To be honest, they don't care. They have single sign-on, that all they want to know. Yes, I have quite a few features I'd like to add:
- remove the GUI, it's not needed and users don't like to have lots of icons in the menubar. It feels like windows
- push username and realm from a profile
- use AD login and password from the one entered in SetupAssistant. I hope this will come if it ever become native to OS X
- open a per-app VPN to get the kerberos ticket when outside of corporate network

But again, it works great.

I work in government. Would this work with PIV/CAC enabled accounts? Can this support PIV/CAC logins to network shares, etc. How would that work with remote users? I can use via VPN.

This part is directly at Apple person that posted this. Please bring back PIV/CAC support in the OS natively. When it was dropped Macs in government were not that much. Nowadays, Macs are infiltrating at an exponential rate. Eliminate the 100% need for me to bind the Mac to AD and there will a whole lot more real fast. Yes, I have put feedback in on Apple page. I am just trying to get this heard wherever I can.

Does this tool work only with AD domains or does it also work with OD ?

Why not just use Centrify? We use it as we purchased it prior to Apple releasing this but you can manage it all through GPO's, SSO, etc. Havent looked at pricing between the two but almost everyone from a security perspective knows Centrify.

https://www.centrify.com/

https://www.centrify.com/products/identity-service/mac-management/

So far as I remember there is a significant price difference, but I don't have all those numbers off hand!

-ignore-

@rkovelman Centrify is about $90/seat IIRC. How much does the Apple Enterprise Connect cost after the $5K integration? Maybe the cost of EC would make the difference for certain organizations.

@bradtchapman Enterprise Connect is just the one-time professional services fee to configure it. It's also supported by Apple Care OS Support, so that's a plus too.

@bradtchapman As far as I know you only pay once for Enterprise Connect and that is the initial $5500.

You get what you pay for. I haven't seen it but FWIW people have given it bad reviews online. Still too new and missing too many functions.

From the standpoint of EC is really 2 days of professional services with Apple and an App that would probably help in your environment, the cost is pretty low, IMHO. What functions are you looking for??

@rkovelman bad reviews online? Where exactly are these reviews you're referring to? Given this isn't something sold on the MAS or other public channels, I'd love to see such "reviews". Especially since as you say, you "haven't seen it" Or is this the old "I read it somewhere on the internet so it must be true" meme?

We have purchased EC and had Apple add the ability to sync the AD password with the local password as this was the real issue keeping us from using the product. We are still in the development phase but we plan to reengineer our whole password policy and account enforcement around this app. It doesn't do everything but it is simple, lightweight, inexpensive, and being actively developed.

What i'd really like to see a Keychain remediation feature built-in to it, like ADPassmon...

That would be nice, for sure. Until then it can fire off a script when a password change is made and you could do that now for the keychain items you want. They have an example script posted. We are using that script to post the new creds to our password sync took website.