This is Rick Lemmon from Apple Professional Services. I'm happy to answer any questions you have around Enterprise Connect. For those of you who are unfamiliar with the tool, it provides a good level of Active Directory integration for Macs that are not domain bound. It also enhances AD integration for Macs that are domain bound and have a user logging in with an AD account.
Enterprise Connect is simply an application. Once it has been set up, it resides in your menu bar. Specifically, Enterprise Connect provides:
Kerberos SSO support: Enterprise Connect includes a built in Kerberos client and ensures that your users have a Kerberos TGT.
Account management: Enterprise Connect notifies your users, via Notification Center, when their AD password is about to expire. They can change their AD password right within Enterprise Connect.
Network shares: Enterprise Connect can mount network shares, including your AD network home and any other SMB or AFP shares you'd like to mount.
It works great if you are bound to an AD domain, but again, there is no requirement to bind to the domain to use it. It works great from a local account on an unbound system.
Enterprise Connect is driven by network state changes. When a state change occurs, Enterprise Connect checks to see if your corporate network is available, and if it is, it will acquire a Kerberos TGT, check password expiration and re-mount your shares if they have disconnected. It is also triggered by wakes from sleep and in a couple of other situations.
There's also a lot of other useful features (configuration profile support, can run scripts, etc) but for the sake of brevity I'll leave those things for later.
You may be asking "How do we get it?" or "Can I see a demo?". Please contact your Apple account team for more information on these subjects. Also, Enterprise Connect is only available to USA based customers.
I'll be following this thread, so please respond with any questions.
We purchased EC and use it on all of our Domain bound Macs. Our users seem pretty happy with the tool as it syncs the Keychains with the AD password at time of password change with out having to logout and log back in. I also like the fact that if you are not on your corp network it will give you an alert saying to connect to corp network first before trying to change your password. It also mounts the network drives after the login has happen and the user gets control of the screen, so this doesn't tie up or slow down the login process, which I have seen when trying to map drives at login. Furthermore, it gives a nice pop up in the notification center letting users know their password is going to expire.
The only thing that we still have issues with is Macs falling off the domain rendering EC useless. So I wrote a long script that checks if the machine is bound to AD, if the AD keychain is present, and if the machine is actually still in AD. If any of the test fails. It launches my AD binding policy to rebind the machine to the network. I have this script run once a week on all machines.
Hope this helps out!!!
Not sure if this will help, but you can look into the password interval for dsconfigad. From what I understand by default, unless you change it, the Mac will change its Machine AD Password every 14 days. You can change it to 0 (never changes) or to a longer interval. Something to consider.
dsconfigad -passinterval 0
I'm guessing if the password change fails it becomes unbound.
So if I have read through all of these comments correctly, if password changes are done through a service external to the Mac, the Keychain still gets locked and I still have to walk my users through deleting their keychain and restarting to create a new one?
When is Apple going to scrap the keychain? It's a festering pile with no redeeming qualities.
When is Apple going to scrap the keychain? It's a festering pile with no redeeming qualities.
The Keychain concept is a valid (dated) consumer feature developed by a Consumer Electronics company.
As admins for Enterprise users, we will always be circling the consumer features trying to engineer solutions to bend them to fit our needs.
It wont be easy to drop Keychain as everything is stored in there, including the Kerberos ticket and password. Keychain I would hope after 15 years or whatever is a hardened app, its just trying to figure out how to "mess" with it to do what you need it to do.
I've called and emailed as well and have never been able to get anyone at Apple to contact me. Considering that we are a huge enterprise company - and we PAID for a Readiness Review 2 years ago (we received the report, but my requests to schedule the actual presentation were never returned) my management is not very happy with Apple. We keep getting reassigned to different reps and engineers and basically it is a fight just to allow Apple products in the environment. If Apple really wants to start supporting their enterprise customers, then they might want to actually start supporting their enterprise customers.
@jason.bracy: I will send you an email directly. Sales team do get moved around as in every organization but the Apple PS team is still here to support you. Larry who performed the Review and Tracy M. are still available anytime you need help. Obviously Peter who responded is also on our team. Thanks. JD Mankovsky - Sr. Manager - APS
An Enterprise Connect Demo is scheduled for next week.
Thursday, June 2, 2016
2:00 pm | Eastern Daylight Time (New York, GMT-04:00) | 1 hr
After your request has been approved, you'll receive instructions for joining the meeting. Note: if the Registration site asks for a meeting #, use: 740 248 728
I don't think I'll be able to watch much of this as it conflicts with another meeting I have scheduled.
It looks like it would be a fantastic solution to add to our environment, except for the price tag that's inexplicably on it.
We purchased EC and have been playing around with the configs a bit, a couple of things we learned.
EC works better when changing AD pw's directly against a dc. We us a web portal for the users to login and initiate a pw change that eventually filters down to AD. We knew going into the purchase we couldn't use EC to change a pw directly, but it does pick up and alert the user when it detects the AD pw is different than the EC pw, and prompts for change.
Because we do not change the pw directly in EC, we miss out on it updating the keychain passwords, and I think even the FV2 pw. We are still trying to see how we can interject a script to run during that prompt for password update, but it as of now it appears the only scrip triggers are at network state change or password change.
Hopefully we'll have more time to finalize this in the next month or two, I'll update the findings as we go along.
@pwb , would it be ok to post/share the Enterprise Connect documentation for people to review?
@dave I assume that portal exists because there are other directory systems than need passwords changed so the portal acts as the sync tool? We have a similar situation. I wonder, though, if you could do as I have set up that we change the password with EC but then use that trigger to run a script that posts the new password to our portal so we can sync the new AD password to the other systems.
@iJake Correct, our peoplesoft/idm environment serves as the master and changes flow down to AD. I'd be interested in more details of how you're doing that for your env. Our portal has 2 factor auth in play, so it might be a whole new level of fun.
Oh, I forgot to mention that EC has us looking at switching from domain account logins to local again, with EC managing the pw sync to the local account. We've lived a nightmare of keychain issues when the AD pw is changed and users can't unlock/sync up their keychain properly. Also with so many wireless users, and our wifi requiring auth, which is not available at lockscreen, they were in a world of hurt if they changed their pw and couldn't wire into the network to login afterwards. Hoping the local account will alleviate some of those pain points.
@dave Oh lord, two factor would be...fun? Is it just username and then the token for auth and then asks for the new password? Or does it need token, old password and then new password? Theoretically possible to prompt for that first factor and post it for them but not sure how worth it it would be. I would highly recommend using local accounts and having EC take the place of AD with password sync on.
As far as our portal, its just AD auth and once you're able to log in it will then trigger the sync. So, for me its just a simple http post. I have a loop that keeps trying the new AD creds against that form until it gets back a good result. It will bail if it tries too many times, though.
The company I work for is looking to deploy EC in the near future to address pw management, kerberos/dfs issues.
We just rolled out Cisco ISE and I wanted to know if anyone could confirm that EC does not conflict/functions w/ Cisco ISE.
Thanks in advance -
Lots of questions on keychain cleanup after password change.
EC can is able to run a custom script (of your choosing) after a successful password change. Rick includes some sample code that this really cool guy named Jeff gave him. :)
It may not suit your environment exactly, but it can give you some ideas of what you can do.
EC ROCKS !
@DA001KL I spoke to an Apple engineer:
""Can't see how. It's Mac to AD. ISE either works or doesn't. May need password change script via EC to keep keychain up to day for wifi if using PEAP 802.1X authentication.”
I also spoke with a senior network engineer and since ISE uses certs and draws from AD there should be no issue.
Lastly, EC has already been deployed in enterprise environments that also use Cisco ISE authentication.