Posted on 11-06-2015 12:03 PM
Hi all,
This is Rick Lemmon from Apple Professional Services. I'm happy to answer any questions you have around Enterprise Connect. For those of you who are unfamiliar with the tool, it provides a good level of Active Directory integration for Macs that are not domain bound. It also enhances AD integration for Macs that are domain bound and have a user logging in with an AD account.
Enterprise Connect is simply an application. Once it has been set up, it resides in your menu bar. Specifically, Enterprise Connect provides:
Kerberos SSO support: Enterprise Connect includes a built in Kerberos client and ensures that your users have a Kerberos TGT.
Account management: Enterprise Connect notifies your users, via Notification Center, when their AD password is about to expire. They can change their AD password right within Enterprise Connect.
Network shares: Enterprise Connect can mount network shares, including your AD network home and any other SMB or AFP shares you'd like to mount.
It works great if you are bound to an AD domain, but again, there is no requirement to bind to the domain to use it. It works great from a local account on an unbound system.
Enterprise Connect is driven by network state changes. When a state change occurs, Enterprise Connect checks to see if your corporate network is available, and if it is, it will acquire a Kerberos TGT, check password expiration and re-mount your shares if they have disconnected. It is also triggered by wakes from sleep and in a couple of other situations.
There are also a lot of other useful features (configuration profile support, it can run scripts, etc.), but for the sake of brevity I'll leave those things for later.
You may be asking "How do we get it?" or "Can I see a demo?". Please contact your Apple account team for more information on these subjects. Also, Enterprise Connect is only available to USA based customers.
I'll be following this thread, so please respond with any questions.
Posted on 11-09-2015 12:35 PM
@AVmcclint Enterprise Connect can mount a list of shares upon connecting to the corporate network (ethernet, Wi-Fi, VPN). This list can be entered by the user or pre-configured by IT.
Posted on 11-09-2015 12:44 PM
Does it get the list of shares by processing the login script defined by Active Directory? or would we have to manually edit the list for each and every user?
Posted on 11-09-2015 01:05 PM
@AVmcclint Enterprise Connect does not process a Windows login script. You need to write the share paths to a plist - this can be done programmatically. If you already have the logic written in your login script, you just need to convert that to a shell script which writes the share paths to the plist.
Posted on 11-09-2015 01:22 PM
Ideally what we are hoping we can do is enter the SMB mount point of our DFS server into EC, which would be the same for everyone. The actual shares are configured in Windows Server per user (or AD security group). We've been working towards this (DFS) for a couple of years, because to my knowledge Mac & Linux have no way of parsing a Windows logon script (without the help from $centrify). Unless Enterprise Connect can do this? We are currently a 60% Windows & 40% Mac environment, so I'd rather not replicate all of our shares in Casper.
Posted on 11-09-2015 05:27 PM
@rickwhois I have a script that looks up the group memberships a user belongs to and performs if then mounts based on said memberships if you're interested.
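Since neither Enterprise Connect nor the Mac can parse a Windows logon script, the group-membership approach in the two posts above is the practical route: turn the logon script's "if member of group X, map drive Y" logic into a table and write the result as a plist. The script below is an added example, not Enterprise Connect's or the poster's code; the preference domain and key name (`com.example.EnterpriseConnect`, `UserShares`) are hypothetical placeholders for whatever Apple Professional Services gives you, and the group-to-share table and the sample group list are constructed.

```shell
#!/bin/sh
# Added example, not Enterprise Connect's own code: derive a user's share list
# from AD group memberships (what a Windows logon script does) and emit it as
# a plist array that a management tool can drop into the EC preference file.
# PREF_DOMAIN and PREF_KEY are hypothetical; Apple Professional Services tells
# you the real domain and key at setup.
PREF_DOMAIN="com.example.EnterpriseConnect"   # hypothetical
PREF_KEY="UserShares"                         # hypothetical

# Group-to-share table, one "<AD group>|<share URL>" per line. Constructed
# sample; in production keep it in a managed file. Order matters: it is the
# mount order, so a DFS root goes before anything that hangs off it.
SHARE_MAP='Domain Users|smb://dfs.corp.example.com/dfsroot
Finance|smb://fs01.corp.example.com/finance
Accounting|smb://fs01.corp.example.com/finance
Engineering|smb://fs01.corp.example.com/eng'

# shares_for_groups GROUPS -> share URLs for the newline-separated group list,
# one per line, de-duplicated, in SHARE_MAP order. On a bound Mac the group
# list can come from `id -Gn` or `dscl`; on an unbound Mac from ldapsearch
# against AD. Exact match (-xF) so "Finance" does not match "Finance Admins".
shares_for_groups() {
  groups=$1
  printf '%s\n' "$SHARE_MAP" | while IFS='|' read -r group url; do
    [ -n "$group" ] || continue
    if printf '%s\n' "$groups" | grep -qxF -- "$group"; then
      printf '%s\n' "$url"
    fi
  done | awk '!seen[$0]++'
}

# xml_escape: share URLs can carry '&' or '<'; keep the plist well-formed.
xml_escape() {
  sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# shares_plist GROUPS -> a plist with PREF_KEY set to the array of share URLs.
shares_plist() {
  printf '<?xml version="1.0" encoding="UTF-8"?>\n'
  printf '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
  printf '<plist version="1.0">\n<dict>\n  <key>%s</key>\n  <array>\n' "$PREF_KEY"
  shares_for_groups "$1" | xml_escape | sed 's/.*/    <string>&<\/string>/'
  printf '  </array>\n</dict>\n</plist>\n'
}

# Constructed sample user: in Finance and Accounting (same share twice) and Engineering.
SAMPLE_GROUPS='Domain Users
Finance
Accounting
Engineering'

# On the Mac you would feed this to `defaults import "$PREF_DOMAIN"` (see note
# below) and check it with `plutil -lint`; here it goes to stdout.
shares_plist "$SAMPLE_GROUPS"
```

Two practical points: load the result with `defaults import` rather than copying a file into ~/Library/Preferences, because cfprefsd caches that folder and may overwrite a hand-placed file; and keep the match exact, since a substring match on group names is how "Finance" ends up also mounting the "Finance Admins" share for everyone in accounting.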
Posted on 11-10-2015 07:45 AM
@geoffreykobrien Sure, I could always use more scripts! Thanks!
Posted on 11-10-2015 09:07 AM
We took delivery of EC last week. As we got towards the end of the year, and had extra budget money left over, it was an easy sell to save me time doing other things. We looked at it not as $5500 for the App, but really as just PS time.
Posted on 11-20-2015 07:29 AM
@rjlemmon Hey, I tried talking with my account rep and she has no idea what I'm talking about. Anyone specific I should contact with questions?
Posted on 11-25-2015 07:09 AM
Very interesting development: Enterprise Connect.
For those that are using this technology, does it only work with local accounts?
Or does it integrate into AD/OD centralized management accounts on the Mac systems with regards to Kerberization and password syncing (similar to, say, the ADPassMon/KerbMinder combo that others have mentioned)?
I sent an email to consultingservices@apple.com, haven't heard anything back yet. Our Jamf/CS rep did state it was legitimate, and it sounds pretty cool overall.
But as with all things Mac... proof is in the pudding.
Thanks
Posted on 11-26-2015 02:31 PM
Also posting here to see updates, would be quite interested to see this in countries other than the US and as a stand alone app not needing the Apple pro services visit.
Posted on 11-27-2015 07:38 PM
This is the first time I read of any of this. It sounds interesting. Our Macs are currently bound to AD using the OS's AD plugin. We bind them as part of the Casper Imaging process.
One of my biggest challenges is getting our Mac users to change their AD password before it expires. They don't log out, no matter how hard I try to convince them to. Because of this, they don't see when their password expires, and we get situations when it expires while they're out of the office, and they're stuck for a while.
Secondly, after they change their password, we get those annoying "Local Items" keychain prompts that never go away unless we manually delete that folder from their ~/Library/Keychains folder and restart.
Our passwords expire every 90 days, and people never remember what they need to do to reset them.
Will this tool get rid of those "Local Items" keychain prompts?
Posted on 11-27-2015 07:56 PM
So @itupshot:
This might not have all the answers but sure helped me a lot
http://www.jamfsoftware.com/resources/getting-users-to-do-your-job-without-them-knowing-it/
Posted on 11-27-2015 07:56 PM
@geoffreykobrien I'd be interested in taking a look at your script as well.
I have looked into ADPassMon, but I'm still not sure it'll help us get rid of the "Local Items" keychain issue.
@KDE82 Thanks for the link. That was a great presentation. I'm going to see if the GitHub for it is still online.
Posted on 11-28-2015 12:30 AM
@itupshot If a user forgets their old keychain password, ADPassMon will reset their login.keychain, delete their Local Items and then restart their Mac.
There is some more work to be done, via adding some features from KeychainMinder.
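The "Local Items" remediation that both posts above describe (delete the UUID-named folder under ~/Library/Keychains and restart) is easy to script so it can run from a password-change hook or a Self Service policy. The script below is an added example, not ADPassMon's or Enterprise Connect's code; it renames the folder rather than deleting it so a wrong guess is recoverable, and it takes the keychains directory as a parameter so the logic can be exercised against a scratch directory. The test data it is exercised against is constructed.

```shell
#!/bin/sh
# Added example, not ADPassMon's or Enterprise Connect's code: the manual
# "Local Items" fix from the posts above, scripted. The Local Items (iCloud)
# keychain lives in a UUID-named folder under ~/Library/Keychains; moving that
# folder aside and restarting makes macOS recreate it from the current
# password. KEYCHAINS_DIR is overridable so the functions can be exercised
# against a scratch directory instead of the real one.
KEYCHAINS_DIR="${KEYCHAINS_DIR:-$HOME/Library/Keychains}"

# local_items_dirs DIR -> full paths of UUID-named folders in DIR, one per line.
# The anchored pattern leaves login.keychain-db and earlier *.bak-* copies alone,
# and the -d check skips anything that merely has a UUID-shaped name.
local_items_dirs() {
  [ -d "$1" ] || return 1
  ls -1 "$1" | grep -E '^[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}$' | while read -r name; do
    if [ -d "$1/$name" ]; then
      printf '%s\n' "$1/$name"
    fi
  done
}

# reset_local_items DIR -> moves each Local Items folder aside (rename, not rm,
# so a mistake is recoverable). Returns 0 if something was moved, 1 if not.
reset_local_items() {
  stamp=$(date +%Y%m%d%H%M%S)
  moved=$(local_items_dirs "$1" | while read -r d; do
            if mv "$d" "$d.bak-$stamp"; then
              printf '%s\n' "$d"
            fi
          done | wc -l | tr -d ' ')
  [ "$moved" -gt 0 ]
}

# Only touch the real keychain folder when asked, so the script is safe to source.
if [ "${1:-}" = "--apply" ]; then
  if reset_local_items "$KEYCHAINS_DIR"; then
    echo "Local Items keychain moved aside; restart (or at least log out) to recreate it."
  else
    echo "No Local Items keychain folder found in $KEYCHAINS_DIR"
  fi
fi
```

Run it as the affected user (the folder is per-user and the user's own processes hold it open), then restart as the post says; leaving the `.bak-` copy in place for a few days costs nothing and lets you put it back if the prompts turn out to come from somewhere else.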
Posted on 11-30-2015 06:03 AM
Is EC available to US customers that have a worldwide presence? Are there any restrictions on its use outside the US?
What about use with multiple AD forests/domains? Is that handled when professional services configures it?
Posted on 11-30-2015 07:00 AM
Based on the first post on this thread, one of the last sentences:
Enterprise Connect is only available to USA based customers
Emphasis is mine.
I think some of the Apple folks would need to confirm, but I read that as limited to companies that have their main headquarters in the US, not necessarily that it can only be installed in US locations. At least I would hope that's the only limitation, since many companies that could use this would be in the same situation; US based, but have offices in many locales around the world. It probably has to do with the on site professional services visit to get it set up.
Posted on 11-30-2015 10:20 AM
For a non-bound Mac with a local account, does EC allow a user to print to a Windows print server without authenticating? I'm trying to figure out how to get away from IP based printing.
Also, for those posting to get updates on the thread - you can instead add a bookmark by clicking the plus sign at the top right and you'll get all email updates. :)
chris
Posted on 12-03-2015 12:59 PM
I will also be very interested in EC once it's available to higher ed.
Posted on 02-23-2016 12:46 PM
Does anyone have any updates on Enterprise Connect? Has anyone purchased and implemented it? What are your opinions?
Posted on 02-23-2016 10:14 PM
Hi Matthew,
I purchased it and implemented it.
The “purchase” was more a 2 days contract for Apple Professional Services. The actual setup lasted an hour. APS engineers are very knowledgeable and super nice. Enterprise Connect doesn’t modify your infrastructure.
If you have a 'standard' AD setup, EC should integrate very easily. Otherwise, the 2 days might come in handy :)
If you want to test before, download and install KerbMinder. If it works straight away, chances are EC will work too.
To be honest, in my case, EC wasn't better than KerbMinder, and I lost the possibility to tweak it myself. But the EC team is great and you get great Apple support.
Posted on 02-24-2016 05:41 AM
Hi ftiff,
Have you tested how well it works for unbound machines?
How do your users like it?
Are there any features that you know Apple wants to add to the product?
Posted on 02-24-2016 05:59 AM
Hey @mlavine
Yes, we use it exclusively on unbound machines.
Our users barely notice it. To be honest, they don't care. They have single sign-on, that's all they want to know.
Yes, I have quite a few features I'd like to add:
- remove the GUI, it's not needed and users don't like to have lots of icons in the menubar. It feels like Windows
- push username and realm from a profile
- use AD login and password from the one entered in Setup Assistant. I hope this will come if it ever becomes native to OS X
- open a per-app VPN to get the Kerberos ticket when outside of the corporate network
But again, it works great.
Posted on 03-01-2016 01:42 PM
I work in government. Would this work with PIV/CAC enabled accounts? Can this support PIV/CAC logins to network shares, etc.? How would that work with remote users? I can use it via VPN.
This part is directed at the Apple person that posted this. Please bring back PIV/CAC support in the OS natively. When it was dropped, Macs in government were not that many. Nowadays, Macs are infiltrating at an exponential rate. Eliminate the 100% need for me to bind the Mac to AD and there will be a whole lot more real fast. Yes, I have put feedback in on the Apple page. I am just trying to get this heard wherever I can.
Posted on 04-12-2016 03:58 PM
Does this tool work only with AD domains or does it also work with OD ?
Posted on 04-19-2016 07:54 AM
Why not just use Centrify? We use it as we purchased it prior to Apple releasing this, but you can manage it all through GPOs, SSO, etc. Haven't looked at pricing between the two, but almost everyone from a security perspective knows Centrify.
https://www.centrify.com/
https://www.centrify.com/products/identity-service/mac-management/
Posted on 04-19-2016 07:57 AM
So far as I remember there is a significant price difference, but I don't have all those numbers off hand!
Posted on 05-12-2016 01:21 PM
@rkovelman Centrify is about $90/seat IIRC. How much does the Apple Enterprise Connect cost after the $5K integration? Maybe the cost of EC would make the difference for certain organizations.
Posted on 05-12-2016 01:23 PM
@bradtchapman Enterprise Connect is just the one-time professional services fee to configure it. It's also supported by Apple Care OS Support, so that's a plus too.
Posted on 05-12-2016 01:24 PM
@bradtchapman As far as I know you only pay once for Enterprise Connect and that is the initial $5500.
Posted on 05-12-2016 01:27 PM
You get what you pay for. I haven't seen it but FWIW people have given it bad reviews online. Still too new and missing too many functions.
Posted on 05-13-2016 01:10 PM
From the standpoint that EC is really 2 days of professional services with Apple and an app that would probably help in your environment, the cost is pretty low, IMHO. What functions are you looking for?
Posted on 05-13-2016 01:25 PM
@rkovelman Bad reviews online? Where exactly are these reviews you're referring to? Given this isn't something sold on the MAS or other public channels, I'd love to see such "reviews". Especially since, as you say, you "haven't seen it". Or is this the old "I read it somewhere on the internet so it must be true" meme?
Posted on 05-13-2016 01:29 PM
We have purchased EC and had Apple add the ability to sync the AD password with the local password as this was the real issue keeping us from using the product. We are still in the development phase but we plan to reengineer our whole password policy and account enforcement around this app. It doesn't do everything but it is simple, lightweight, inexpensive, and being actively developed.
Posted on 05-13-2016 02:12 PM
What i'd really like to see a Keychain remediation feature built-in to it, like ADPassmon...
Posted on 05-13-2016 02:14 PM
That would be nice, for sure. Until then it can fire off a script when a password change is made, and you could do that now for the keychain items you want. They have an example script posted. We are using that script to post the new creds to our password sync tool website.
Posted on 05-13-2016 03:31 PM
While it would be nice for the Apple Professional Services team to fix the Keychain issues, I don't think it's fair for them to do the job of a different internal Apple team.
Insert rant about how the keychain issues should have been fixed years ago, and that if somebody in Apple could write in "normal" English, 3/4 of everyone's tickets, including Apple's, would disappear if the pop-up sync window just said "Please enter last password." Got to love that Apple ease of use.
C
Posted on 05-13-2016 04:07 PM
I couldn't agree more with @gachowski's comment above. It's utterly astounding that that dialog has not been revamped by now. It's the single most confusing dialog Apple has in their OS and bafflingly continues to have in there. I can only imagine how many complaints Apple has received over the years about this and they've yet to change it.
But, you can bet Apple will have designed some new system font for 10.12, or recreated all the apps icons or something, because, you know, that's actually what's important after all.
Posted on 05-19-2016 12:28 PM
I just sat through the Web Ex on this and it seems that it can be boiled down to a few things:
It doesn't necessarily seem like a game changer or a magic bullet, but a nice little in-between for the computer and the domain controller.
Anyone that has purchased this at their organization verify this? Is there a solid benefit in implementing this?
Posted on 05-19-2016 03:45 PM
@CorpTech EC does not directly sync local items with the AD password. What it can do is run a script after an AD password change. They have an example that prompts the user for access to the EC keychain item thus retrieving the password and from there you can script updates to keychain items and other things. All of the other items are correct.
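The two posts above describe the shape of Apple's example: a script fired after the AD password change that prompts the user for access to the EC keychain item, reads the new password out of it, and then updates other keychain entries. The script below is an added example of that pattern, not Apple's sample script. The keychain item name it reads (`Enterprise Connect`) is a hypothetical placeholder for whatever Apple's script actually uses, and the list of items to refresh is constructed. It modifies nothing unless `KEYCHAIN_APPLY=1`; otherwise it prints the `security` commands it would run, with the password redacted.

```shell
#!/bin/sh
# Added example, not Apple's sample script: a post-password-change hook of the
# kind described above. It reads the new AD password back out of a keychain
# item (the user gets the usual keychain prompt for it), then rewrites a fixed
# list of saved passwords with `security add-*-password -U` so those apps stop
# prompting. EC_SERVICE is a hypothetical item name: use whatever Apple's
# sample script reads. Nothing is modified unless KEYCHAIN_APPLY=1; otherwise
# the commands are printed with the password redacted.
EC_SERVICE="${EC_SERVICE:-Enterprise Connect}"   # hypothetical keychain item
ACCOUNT="${ACCOUNT:-$(id -un)}"

# Items to refresh, one "<kind>|<server or service>|<protocol>" per line,
# kind = internet or generic. Constructed sample list.
ITEMS='internet|mail.corp.example.com|imap
internet|proxy.corp.example.com|https
generic|corp-vpn|'

# new_password -> the password stored in the EC item. -w prints only the secret.
new_password() {
  security find-generic-password -s "$EC_SERVICE" -a "$ACCOUNT" -w
}

# proto_code NAME -> the four-character SecProtocolType that `security -r` expects.
proto_code() {
  case "$1" in
    https) printf 'htps' ;;
    smb)   printf 'smb ' ;;
    ftp)   printf 'ftp ' ;;
    *)     printf '%s' "$1" ;;   # imap, http, ldap ... are already four characters
  esac
}

# update_item KIND TARGET PROTO PASSWORD -> runs (or prints) one security command.
# -U makes add-*-password update an existing item instead of failing as a duplicate.
update_item() {
  kind=$1; target=$2; proto=$3; pw=$4
  case "$kind" in
    internet) set -- add-internet-password -U -a "$ACCOUNT" -s "$target" -r "$(proto_code "$proto")" ;;
    generic)  set -- add-generic-password -U -a "$ACCOUNT" -s "$target" ;;
    *)        return 2 ;;
  esac
  if [ "${KEYCHAIN_APPLY:-0}" = "1" ]; then
    # Caveat: -w puts the password on the command line, visible in `ps` while it runs.
    security "$@" -w "$pw"
  else
    printf 'security %s -w <redacted>\n' "$*"
  fi
}

# run_hook PASSWORD -> applies update_item to every line of ITEMS.
run_hook() {
  printf '%s\n' "$ITEMS" | while IFS='|' read -r kind target proto; do
    [ -n "$kind" ] || continue
    update_item "$kind" "$target" "$proto" "$1"
  done
}

if [ "${KEYCHAIN_APPLY:-0}" = "1" ]; then
  run_hook "$(new_password)"
else
  run_hook "dry-run"
fi
```

Keep the item list to entries you own (mail, proxy, VPN); rewriting a password into an item that belongs to a different account silently breaks that app, and the `-U` update will not warn you. The dry-run mode exists precisely so the list can be checked against `security dump-keychain` output before the hook is ever wired up.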