About Enterprise Connect

Thank you, @dstranathan for notifying us about the demo today.

Thanks! Any chance for a recording or another webinar? By strange demands on my time children I missed it.

@dstranathan I wasn't able to make that demo today, can you share how you learn about such things? I'd like to participate in a future demo. Contact Apple Rep or is there a better way?

I missed it too. Had to put out a couple fires (not involing Pokemon Go, I swear).

Ill ask my Apple rep about the next demo.

I think if you signed up for the demo, you should get an invite to the next one... or at least I did : )

C

Hoping for another demo myself. Placeholder... @rjlemmon Thanks!

We purchased EC and have been playing around with the configs a bit, a couple of things we learned.

EC works better when changing AD pw's directly against a dc. We us a web portal for the users to login and initiate a pw change that eventually filters down to AD. We knew going into the purchase we couldn't use EC to change a pw directly, but it does pick up and alert the user when it detects the AD pw is different than the EC pw, and prompts for change.

Because we do not change the pw directly in EC, we miss out on it updating the keychain passwords, and I think even the FV2 pw. We are still trying to see how we can interject a script to run during that prompt for password update, but it as of now it appears the only scrip triggers are at network state change or password change.

Hopefully we'll have more time to finalize this in the next month or two, I'll update the findings as we go along.

@pwb , would it be ok to post/share the Enterprise Connect documentation for people to review?

@dave I assume that portal exists because there are other directory systems than need passwords changed so the portal acts as the sync tool? We have a similar situation. I wonder, though, if you could do as I have set up that we change the password with EC but then use that trigger to run a script that posts the new password to our portal so we can sync the new AD password to the other systems.

@iJake Correct, our peoplesoft/idm environment serves as the master and changes flow down to AD. I'd be interested in more details of how you're doing that for your env. Our portal has 2 factor auth in play, so it might be a whole new level of fun.

Oh, I forgot to mention that EC has us looking at switching from domain account logins to local again, with EC managing the pw sync to the local account. We've lived a nightmare of keychain issues when the AD pw is changed and users can't unlock/sync up their keychain properly. Also with so many wireless users, and our wifi requiring auth, which is not available at lockscreen, they were in a world of hurt if they changed their pw and couldn't wire into the network to login afterwards. Hoping the local account will alleviate some of those pain points.

@dave Oh lord, two factor would be...fun? Is it just username and then the token for auth and then asks for the new password? Or does it need token, old password and then new password? Theoretically possible to prompt for that first factor and post it for them but not sure how worth it it would be. I would highly recommend using local accounts and having EC take the place of AD with password sync on.

As far as our portal, its just AD auth and once you're able to log in it will then trigger the sync. So, for me its just a simple http post. I have a loop that keeps trying the new AD creds against that form until it gets back a good result. It will bail if it tries too many times, though.

Hello!

The company I work for is looking to deploy EC in the near future to address pw management, kerberos/dfs issues.

We just rolled out Cisco ISE and I wanted to know if anyone could confirm that EC does not conflict/functions w/ Cisco ISE.

Thanks in advance -

Hello,

We incorporate EC on all our MACs here. Once a user changes their password, they are prompted for commserve login? The prompt only accepts his old password. Any ideas?

@bbracey are you using AD accounts? Or are they local accounts?

These are AD accounts. The accounts on the Macs are managed and mobile. Is there anyway to confirm EC changes all the necessary keychains?

@Ease Did you find your answer as I am in the same boat

Lots of questions on keychain cleanup after password change.

EC can is able to run a custom script (of your choosing) after a successful password change. Rick includes some sample code that this really cool guy named Jeff gave him. :)

It may not suit your environment exactly, but it can give you some ideas of what you can do.

EC ROCKS !

@DA001KL I spoke to an Apple engineer:
""Can't see how. It's Mac to AD. ISE either works or doesn't. May need password change script via EC to keep keychain up to day for wifi if using PEAP 802.1X authentication.”

I also spoke with a senior network engineer and since ISE uses certs and draws from AD there should be no issue.

Lastly, EC has already been deployed in enterprise environments that also use Cisco ISE authentication.

Hi @Ease

If you want to take it offline about ISE I can assist ands you questions about ISE integration. Are you doing the integration through the jSS?

Does anyone know if this works with Azure AD Directory Services? Has anyone implemented this with Azure at all? It seems as though there is very little information on this solution. Thanks

@ice2921 - Just stumbled upon this, looking for updates to this exact issue. The short of it is no, Enterprise connect doesn't support AzureAD integration; at all. I was hoping to see functionality similar to Windows 10 where I could log in with Azure AD creds on the OS but alas, it's not there. I spoke to both MS and Apple about this and the onus is on Apple to develop the solution. From what I was told from Apple, this isn't even roadmap. To save you some time, I also tried falling back to LDAPS served from AzureAD and enterprise connect wouldn't even leverage that. It's unfortunate but hopefully things change.

@rjlemmon We purchased Enterprise connect almost a year ago and I am wondering if there are any version updates to the App. The version we have now is 1.6.1 (4)

@lgt28jr : Your should be reaching out to your Apple business rep for updates. ;-)

The current version is at least 1.6.4.

@lgt28jr You should be receiving emails from the Apple Professional Services group when updates are available.

After we went through the required two-day onsite for the purchase we gave them our email addresses (actually a mailing list in case we ever need to change who the contacts are) and we have received emails for every version update since we purchased it, which is about a year ago for us as well.

Thanks I thought we did the same. About 10 minutes after posting this I received an Email from Apple Professional Services with the latest update. How's that for service wow!!! I also gave them an alias to use so this has been resolved.

Next EC demo Monday, May 15, 2017:

APS Enterprise Connect Demo 25
Monday, May 15, 2017
10:30 am | Central Daylight Time (Chicago, GMT-05:00) | 1 hr 30 min

http://tinyurl.com/ECDemo25