About Enterprise Connect

rjlemmon
New Contributor II

Hi all,

This is Rick Lemmon from Apple Professional Services. I'm happy to answer any questions you have around Enterprise Connect. For those of you who are unfamiliar with the tool, it provides a good level of Active Directory integration for Macs that are not domain bound. It also enhances AD integration for Macs that are domain bound and have a user logging in with an AD account.

Enterprise Connect is simply an application. Once it has been set up, it resides in your menu bar. Specifically, Enterprise Connect provides:

Kerberos SSO support: Enterprise Connect includes a built in Kerberos client and ensures that your users have a Kerberos TGT.
Account management: Enterprise Connect notifies your users, via Notification Center, when their AD password is about to expire. They can change their AD password right within Enterprise Connect.
Network shares: Enterprise Connect can mount network shares, including your AD network home and any other SMB or AFP shares you'd like to mount.

It works great if you are bound to an AD domain, but again, there is no requirement to bind to the domain to use it. It works great from a local account on an unbound system.

Enterprise Connect is driven by network state changes. When a state change occurs, Enterprise Connect checks to see if your corporate network is available, and if it is, it will acquire a Kerberos TGT, check password expiration and re-mount your shares if they have disconnected. It is also triggered by wakes from sleep and in a couple of other situations.

There are also a lot of other useful features (configuration profile support, it can run scripts, etc.), but for the sake of brevity I'll leave those things for later.

You may be asking "How do we get it?" or "Can I see a demo?". Please contact your Apple account team for more information on these subjects. Also, Enterprise Connect is only available to USA based customers.

I'll be following this thread, so please respond with any questions.


CorpTech
New Contributor III

@iJake is that scripting process and creation where having the engineer onsite comes in?

iJake
Valued Contributor

@CorpTech Yes, they would definitely help craft those with you.

rkovelman
New Contributor III

@mm2270 Do some googling and you will come across it... If you ever want to find negative reviews on a product, the internet is littered with them. Looking for a good one, not so much.

sgoetz
Contributor

We purchased EC and use it on all of our domain-bound Macs. Our users seem pretty happy with the tool as it syncs the keychains with the AD password at the time of password change without having to log out and log back in. I also like the fact that if you are not on your corp network it will give you an alert saying to connect to the corp network first before trying to change your password. It also mounts the network drives after the login has happened and the user gets control of the screen, so this doesn't tie up or slow down the login process, which I have seen when trying to map drives at login. Furthermore, it gives a nice pop-up in Notification Center letting users know their password is going to expire.

The only thing that we still have issues with is Macs falling off the domain, rendering EC useless. So I wrote a long script that checks if the machine is bound to AD, if the AD keychain is present, and if the machine is actually still in AD. If any of the tests fails, it launches my AD binding policy to rebind the machine to the network. I have this script run once a week on all machines.

Hope this helps out!!!

Shawn Goetz
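An added example of the three-part bind health check sgoetz describes above; this is not his script or Apple's code. It assumes macOS tools (dsconfigad, security, dscl, jamf), placeholder domain names "corp.example.com"/"CORP", a placeholder Jamf custom trigger "rebindAD" for the bind policy, and that the AD computer password is stored as a System keychain generic password item whose service name is "/Active Directory/<NetBIOS domain>"; the parsing and decision logic is factored into functions so it can be exercised offline against constructed dsconfigad output.

```shell
#!/bin/sh
# Added example (not sgoetz's script): weekly AD bind health check with rebind fallback.
# Assumptions: macOS; "corp.example.com"/"CORP" and the Jamf trigger "rebindAD" are placeholders.

# Constructed sample of `dsconfigad -show` output, used only for offline testing.
SAMPLE_SHOW='Active Directory Forest          = corp.example.com
Active Directory Domain          = corp.example.com
Computer Account                 = mac01$'

# Parse the domain and computer account out of `dsconfigad -show` output (empty when unbound).
ad_domain()   { printf '%s\n' "$1" | awk -F' += +' '/Active Directory Domain/ {print $2; exit}'; }
ad_computer() { printf '%s\n' "$1" | awk -F' += +' '/Computer Account/ {print $2; exit}'; }

# Combine the three check results (0 = pass). Prints "ok" only when all three pass.
decide() {
    if [ "$1" = 0 ] && [ "$2" = 0 ] && [ "$3" = 0 ]; then echo ok; else echo rebind; fi
}

# Live checks (macOS only); each returns 0 on success.
check_bound()    { [ -n "$(ad_domain "$(dsconfigad -show 2>/dev/null)")" ]; }
check_keychain() {   # computer account password item present in the System keychain (assumed service name)
    security find-generic-password -s "/Active Directory/$1" /Library/Keychains/System.keychain >/dev/null 2>&1
}
check_in_ad()    {   # the domain still answers for this computer object
    dscl "/Active Directory/$1/All Domains" -read "/Computers/$2" >/dev/null 2>&1
}

main() {
    show=$(dsconfigad -show 2>/dev/null)
    domain=$(ad_domain "$show")
    computer=$(ad_computer "$show")
    # Assumption: NetBIOS name is the first DNS label upper-cased (CORP from corp.example.com).
    short=$(printf '%s' "$domain" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    check_bound && b=0 || b=1
    check_keychain "$short" && k=0 || k=1
    check_in_ad "$short" "$computer" && a=0 || a=1
    case $(decide "$b" "$k" "$a") in
        ok)     logger -t adcheck "bound to $domain as $computer; keychain and AD lookup ok" ;;
        rebind) logger -t adcheck "bind check failed (bound=$b keychain=$k ad=$a); rebinding"
                jamf policy -event rebindAD ;;
    esac
}

# Only touch the live system when invoked as `adcheck.sh --check` (e.g. from a weekly policy).
if [ "${1:-}" = "--check" ]; then main; fi
```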

russeller
Contributor III

Hey @sgoetz

Not sure if this will help, but you can look into the password interval for dsconfigad. From what I understand by default, unless you change it, the Mac will change its Machine AD Password every 14 days. You can change it to 0 (never changes) or to a longer interval. Something to consider.

dsconfigad -passinterval 0

I'm guessing if the password change fails it becomes unbound.

barnesaw
Contributor III

So if I have read through all of these comments correctly, if password changes are done through a service external to the Mac, the Keychain still gets locked and I still have to walk my users through deleting their keychain and restarting to create a new one?

When is Apple going to scrap the keychain? It's a festering pile with no redeeming qualities.

dpertschi
Valued Contributor

"When is Apple going to scrap the keychain? It's a festering pile with no redeeming qualities."

The Keychain concept is a valid (dated) consumer feature developed by a Consumer Electronics company.

As admins for Enterprise users, we will always be circling the consumer features trying to engineer solutions to bend them to fit our needs.

rkovelman
New Contributor III

It won't be easy to drop Keychain as everything is stored in there, including the Kerberos ticket and password. Keychain, I would hope after 15 years or whatever, is a hardened app; it's just trying to figure out how to "mess" with it to do what you need it to do.

Mhomar
Contributor

@rjlemmon Can you give me a number to call? I seem to be getting bounced around at Apple Inc.

Can anyone?

easyedc
Valued Contributor II

@Mhomar Call your Apple sales rep, they should be able to get you squared away.

jason_bracy
Contributor III

I've called and emailed as well and have never been able to get anyone at Apple to contact me. Considering that we are a huge enterprise company - and we PAID for a Readiness Review 2 years ago (we received the report, but my requests to schedule the actual presentation were never returned) my management is not very happy with Apple. We keep getting reassigned to different reps and engineers and basically it is a fight just to allow Apple products in the environment. If Apple really wants to start supporting their enterprise customers, then they might want to actually start supporting their enterprise customers.

chrisbju
New Contributor III

@pwb is the guy to contact.

pwb
New Contributor

Hey @jason.bracy. Sorry to hear that. Shoot me an email. pwb at apple.

jdman
New Contributor

@jason.bracy: I will send you an email directly. Sales teams do get moved around as in every organization, but the Apple PS team is still here to support you. Larry, who performed the Review, and Tracy M. are still available anytime you need help. Obviously Peter, who responded, is also on our team. Thanks. JD Mankovsky - Sr. Manager - APS

jason_bracy
Contributor III

Thanks @jdman

chad_fox
Contributor II

@pwb would it be possible to send more information about Enterprise Connect?

I've contacted the Business Team at the local Apple Store and let's say.... they had no idea.

lcutrell
New Contributor II

@chad.fox Please send me an email to lrc at apple.com and I will send you over more information.

Thanks
Larry

ericbenfer
Contributor II

An Enterprise Connect Demo is scheduled for next week.
Thursday, June 2, 2016
2:00 pm | Eastern Daylight Time (New York, GMT-04:00) | 1 hr

Register
After your request has been approved, you'll receive instructions for joining the meeting. Note: if the Registration site asks for a meeting #, use: 740 248 728

Emmert
Valued Contributor

I don't think I'll be able to watch much of this as it conflicts with another meeting I have scheduled.

It looks like it would be a fantastic solution to add to our environment, except for the price tag that's inexplicably on it.

dstranathan
Valued Contributor II

Apple Enterprise Connect Demo 13
Tuesday, July 19, 2016
12:00 pm | Eastern Daylight Time (New York, GMT-04:00) | 1 hr 15 mins

Register

After your request has been approved, you'll receive instructions for joining the meeting.

andrew-taylor
New Contributor

@lcutrell Please send more info about Enterprise Connect.

bradtchapman
Valued Contributor

Thank you, @dstranathan for notifying us about the demo today.

Chris_Hafner
Valued Contributor II

Thanks! Any chance for a recording or another webinar? Due to strange demands on my time (children) I missed it.

Josh_Smith
Contributor III

@dstranathan I wasn't able to make that demo today, can you share how you learn about such things? I'd like to participate in a future demo. Contact Apple Rep or is there a better way?

dstranathan
Valued Contributor II

I missed it too. Had to put out a couple of fires (not involving Pokemon Go, I swear).

I'll ask my Apple rep about the next demo.

gachowski
Valued Contributor II

I think if you signed up for the demo, you should get an invite to the next one... or at least I did : )

C

scottb
Valued Contributor III

Hoping for another demo myself. Placeholder... @rjlemmon Thanks!

dave
New Contributor II

We purchased EC and have been playing around with the configs a bit, a couple of things we learned.

EC works better when changing AD passwords directly against a DC. We use a web portal for the users to log in and initiate a password change that eventually filters down to AD. We knew going into the purchase we couldn't use EC to change a password directly, but it does pick up and alert the user when it detects the AD password is different from the EC password, and prompts for a change.

Because we do not change the password directly in EC, we miss out on it updating the keychain passwords, and I think even the FV2 password. We are still trying to see how we can interject a script to run during that prompt for password update, but as of now it appears the only script triggers are at network state change or password change.

Hopefully we'll have more time to finalize this in the next month or two, I'll update the findings as we go along.

@pwb , would it be ok to post/share the Enterprise Connect documentation for people to review?

iJake
Valued Contributor

@dave I assume that portal exists because there are other directory systems that need passwords changed, so the portal acts as the sync tool? We have a similar situation. I wonder, though, if you could do as I have set up: we change the password with EC but then use that trigger to run a script that posts the new password to our portal so we can sync the new AD password to the other systems.

dave
New Contributor II

@iJake Correct, our PeopleSoft/IdM environment serves as the master and changes flow down to AD. I'd be interested in more details of how you're doing that for your env. Our portal has 2-factor auth in play, so it might be a whole new level of fun.

Oh, I forgot to mention that EC has us looking at switching from domain account logins to local again, with EC managing the password sync to the local account. We've lived a nightmare of keychain issues when the AD password is changed and users can't unlock/sync up their keychain properly. Also, with so many wireless users, and our Wi-Fi requiring auth, which is not available at the lock screen, they were in a world of hurt if they changed their password and couldn't wire into the network to log in afterwards. Hoping the local account will alleviate some of those pain points.

iJake
Valued Contributor

@dave Oh lord, two-factor would be... fun? Is it just username and then the token for auth, and then it asks for the new password? Or does it need token, old password and then new password? Theoretically it's possible to prompt for that first factor and post it for them, but not sure how worth it it would be. I would highly recommend using local accounts and having EC take the place of AD with password sync on.

As far as our portal, it's just AD auth and once you're able to log in it will then trigger the sync. So, for me it's just a simple HTTP POST. I have a loop that keeps trying the new AD creds against that form until it gets back a good result. It will bail if it tries too many times, though.

Ease
New Contributor

Hello!

The company I work for is looking to deploy EC in the near future to address password management and Kerberos/DFS issues.

We just rolled out Cisco ISE and I wanted to know if anyone could confirm that EC does not conflict with / functions with Cisco ISE.

Thanks in advance -

bbracey
New Contributor III

Hello,

We incorporate EC on all our Macs here. Once a user changes their password, they are prompted for a CommServe login? The prompt only accepts their old password. Any ideas?

easyedc
Valued Contributor II

@bbracey are you using AD accounts? Or are they local accounts?

bbracey
New Contributor III

These are AD accounts. The accounts on the Macs are managed and mobile. Is there any way to confirm EC changes all the necessary keychains?

DA001KL
New Contributor III

@Ease Did you find your answer? I am in the same boat.

jcompton
Contributor

Lots of questions on keychain cleanup after password change.

EC is able to run a custom script (of your choosing) after a successful password change. Rick includes some sample code that this really cool guy named Jeff gave him. 🙂

It may not suit your environment exactly, but it can give you some ideas of what you can do.

EC ROCKS !

Ease
New Contributor

@DA001KL I spoke to an Apple engineer:
"Can't see how. It's Mac to AD. ISE either works or doesn't. May need password change script via EC to keep keychain up to date for wifi if using PEAP 802.1X authentication."

I also spoke with a senior network engineer and since ISE uses certs and draws from AD there should be no issue.

Lastly, EC has already been deployed in enterprise environments that also use Cisco ISE authentication.

jrserapio
Contributor

Hi @Ease

If you want to take it offline about ISE, I can assist and answer your questions about ISE integration. Are you doing the integration through the JSS?

ice2921
New Contributor

Does anyone know if this works with Azure AD Directory Services? Has anyone implemented this with Azure at all? It seems as though there is very little information on this solution. Thanks