Posted on 11-06-2015 12:03 PM
This is Rick Lemmon from Apple Professional Services. I'm happy to answer any questions you have around Enterprise Connect. For those of you who are unfamiliar with the tool, it provides a good level of Active Directory integration for Macs that are not domain bound. It also enhances AD integration for Macs that are domain bound and have a user logging in with an AD account.
Enterprise Connect is simply an application. Once it has been set up, it resides in your menu bar. Specifically, Enterprise Connect provides:
Kerberos SSO support: Enterprise Connect includes a built in Kerberos client and ensures that your users have a Kerberos TGT.
Account management: Enterprise Connect notifies your users, via Notification Center, when their AD password is about to expire. They can change their AD password right within Enterprise Connect.
Network shares: Enterprise Connect can mount network shares, including your AD network home and any other SMB or AFP shares you'd like to mount.
It works great if you are bound to an AD domain, but again, there is no requirement to bind to the domain to use it. It works great from a local account on an unbound system.
Enterprise Connect is driven by network state changes. When a state change occurs, Enterprise Connect checks to see if your corporate network is available, and if it is, it will acquire a Kerberos TGT, check password expiration and re-mount your shares if they have disconnected. It is also triggered by wakes from sleep and in a couple of other situations.
There's also a lot of other useful features (configuration profile support, can run scripts, etc) but for the sake of brevity I'll leave those things for later.
You may be asking "How do we get it?" or "Can I see a demo?". Please contact your Apple account team for more information on these subjects. Also, Enterprise Connect is only available to USA based customers.
I'll be following this thread, so please respond with any questions.
Posted on 05-20-2016 06:16 AM
Posted on 05-20-2016 06:43 AM
Posted on 05-20-2016 06:45 AM
@mm2270 Do some googling and you will come across it...If you ever want to find negative reviews on a product the internet is littered with it. Looking for a good one, not so much.
Posted on 05-20-2016 12:14 PM
We purchased EC and use it on all of our Domain bound Macs. Our users seem pretty happy with the tool as it syncs the Keychains with the AD password at time of password change with out having to logout and log back in. I also like the fact that if you are not on your corp network it will give you an alert saying to connect to corp network first before trying to change your password. It also mounts the network drives after the login has happen and the user gets control of the screen, so this doesn't tie up or slow down the login process, which I have seen when trying to map drives at login. Furthermore, it gives a nice pop up in the notification center letting users know their password is going to expire.
The only thing that we still have issues with is Macs falling off the domain rendering EC useless. So I wrote a long script that checks if the machine is bound to AD, if the AD keychain is present, and if the machine is actually still in AD. If any of the test fails. It launches my AD binding policy to rebind the machine to the network. I have this script run once a week on all machines.
Hope this helps out!!!
Posted on 05-20-2016 03:40 PM
Not sure if this will help, but you can look into the password interval for dsconfigad. From what I understand by default, unless you change it, the Mac will change its Machine AD Password every 14 days. You can change it to 0 (never changes) or to a longer interval. Something to consider.
dsconfigad -passinterval 0
I'm guessing if the password change fails it becomes unbound.
Posted on 05-24-2016 04:48 AM
So if I have read through all of these comments correctly, if password changes are done through a service external to the Mac, the Keychain still gets locked and I still have to walk my users through deleting their keychain and restarting to create a new one?
When is Apple going to scrap the keychain? It's a festering pile with no redeeming qualities.
Posted on 05-24-2016 05:16 AM
When is Apple going to scrap the keychain? It's a festering pile with no redeeming qualities.
The Keychain concept is a valid (dated) consumer feature developed by a Consumer Electronics company.
As admins for Enterprise users, we will always be circling the consumer features trying to engineer solutions to bend them to fit our needs.
Posted on 05-24-2016 06:53 AM
It wont be easy to drop Keychain as everything is stored in there, including the Kerberos ticket and password. Keychain I would hope after 15 years or whatever is a hardened app, its just trying to figure out how to "mess" with it to do what you need it to do.
Posted on 05-24-2016 10:39 AM
@rjlemmon Can you give me a number to call? I seem to be getting bounced around at Apple inc.
Posted on 05-24-2016 10:46 AM
Posted on 05-24-2016 11:01 AM
I've called and emailed as well and have never been able to get anyone at Apple to contact me. Considering that we are a huge enterprise company - and we PAID for a Readiness Review 2 years ago (we received the report, but my requests to schedule the actual presentation were never returned) my management is not very happy with Apple. We keep getting reassigned to different reps and engineers and basically it is a fight just to allow Apple products in the environment. If Apple really wants to start supporting their enterprise customers, then they might want to actually start supporting their enterprise customers.
Posted on 05-24-2016 10:53 PM
Posted on 05-25-2016 03:40 AM
Posted on 05-26-2016 09:19 AM
@jason.bracy: I will send you an email directly. Sales team do get moved around as in every organization but the Apple PS team is still here to support you. Larry who performed the Review and Tracy M. are still available anytime you need help. Obviously Peter who responded is also on our team. Thanks. JD Mankovsky - Sr. Manager - APS
Posted on 05-26-2016 09:22 AM
Posted on 05-26-2016 11:15 AM
@pwb would it be possible to send more information about Enterprise Connect?
I've contacted the Business Team at the local Apple Store and let's say.... they had no idea.
Posted on 05-26-2016 11:20 AM
@chad.fox Please send me an email to lrc at apple.com and I will send you over more information.
Posted on 05-26-2016 12:47 PM
An Enterprise Connect Demo is scheduled for next week.
Thursday, June 2, 2016
2:00 pm | Eastern Daylight Time (New York, GMT-04:00) | 1 hr
After your request has been approved, you'll receive instructions for joining the meeting. Note: if the Registration site asks for a meeting #, use: 740 248 728
Posted on 05-31-2016 08:00 AM
I don't think I'll be able to watch much of this as it conflicts with another meeting I have scheduled.
It looks like it would be a fantastic solution to add to our environment, except for the price tag that's inexplicably on it.
Posted on 07-12-2016 11:04 AM
Apple Enterprise Connect Demo 13
Tuesday, July 19, 2016
12:00 pm | Eastern Daylight Time (New York, GMT-04:00) | 1 hr 15 mins
After your request has been approved, you'll receive instructions for joining the meeting.
Posted on 07-15-2016 12:18 PM
Posted on 07-19-2016 12:36 PM
Posted on 07-19-2016 12:54 PM
Thanks! Any chance for a recording or another webinar? By strange demands on my time children I missed it.
Posted on 07-19-2016 12:56 PM
@dstranathan I wasn't able to make that demo today, can you share how you learn about such things? I'd like to participate in a future demo. Contact Apple Rep or is there a better way?
Posted on 07-19-2016 01:11 PM
I missed it too. Had to put out a couple fires (not involing Pokemon Go, I swear).
Ill ask my Apple rep about the next demo.
Posted on 07-19-2016 02:04 PM
I think if you signed up for the demo, you should get an invite to the next one... or at least I did : )
Posted on 09-02-2016 09:17 AM
Posted on 10-28-2016 01:31 PM
We purchased EC and have been playing around with the configs a bit, a couple of things we learned.
EC works better when changing AD pw's directly against a dc. We us a web portal for the users to login and initiate a pw change that eventually filters down to AD. We knew going into the purchase we couldn't use EC to change a pw directly, but it does pick up and alert the user when it detects the AD pw is different than the EC pw, and prompts for change.
Because we do not change the pw directly in EC, we miss out on it updating the keychain passwords, and I think even the FV2 pw. We are still trying to see how we can interject a script to run during that prompt for password update, but it as of now it appears the only scrip triggers are at network state change or password change.
Hopefully we'll have more time to finalize this in the next month or two, I'll update the findings as we go along.
@pwb , would it be ok to post/share the Enterprise Connect documentation for people to review?
Posted on 10-28-2016 01:41 PM
@dave I assume that portal exists because there are other directory systems than need passwords changed so the portal acts as the sync tool? We have a similar situation. I wonder, though, if you could do as I have set up that we change the password with EC but then use that trigger to run a script that posts the new password to our portal so we can sync the new AD password to the other systems.
Posted on 10-28-2016 01:50 PM
@iJake Correct, our peoplesoft/idm environment serves as the master and changes flow down to AD. I'd be interested in more details of how you're doing that for your env. Our portal has 2 factor auth in play, so it might be a whole new level of fun.
Oh, I forgot to mention that EC has us looking at switching from domain account logins to local again, with EC managing the pw sync to the local account. We've lived a nightmare of keychain issues when the AD pw is changed and users can't unlock/sync up their keychain properly. Also with so many wireless users, and our wifi requiring auth, which is not available at lockscreen, they were in a world of hurt if they changed their pw and couldn't wire into the network to login afterwards. Hoping the local account will alleviate some of those pain points.
Posted on 10-28-2016 01:57 PM
@dave Oh lord, two factor would be...fun? Is it just username and then the token for auth and then asks for the new password? Or does it need token, old password and then new password? Theoretically possible to prompt for that first factor and post it for them but not sure how worth it it would be. I would highly recommend using local accounts and having EC take the place of AD with password sync on.
As far as our portal, its just AD auth and once you're able to log in it will then trigger the sync. So, for me its just a simple http post. I have a loop that keeps trying the new AD creds against that form until it gets back a good result. It will bail if it tries too many times, though.
Posted on 11-02-2016 12:46 PM
The company I work for is looking to deploy EC in the near future to address pw management, kerberos/dfs issues.
We just rolled out Cisco ISE and I wanted to know if anyone could confirm that EC does not conflict/functions w/ Cisco ISE.
Thanks in advance -
Posted on 02-01-2017 08:26 AM
We incorporate EC on all our MACs here. Once a user changes their password, they are prompted for commserve login? The prompt only accepts his old password. Any ideas?
Posted on 02-01-2017 08:29 AM
Posted on 02-01-2017 09:03 AM
These are AD accounts. The accounts on the Macs are managed and mobile. Is there anyway to confirm EC changes all the necessary keychains?
Posted on 02-06-2017 12:45 PM
Posted on 02-07-2017 07:23 AM
Lots of questions on keychain cleanup after password change.
EC can is able to run a custom script (of your choosing) after a successful password change. Rick includes some sample code that this really cool guy named Jeff gave him. :)
It may not suit your environment exactly, but it can give you some ideas of what you can do.
EC ROCKS !
Posted on 02-07-2017 10:51 AM
@DA001KL I spoke to an Apple engineer:
""Can't see how. It's Mac to AD. ISE either works or doesn't. May need password change script via EC to keep keychain up to day for wifi if using PEAP 802.1X authentication.”
I also spoke with a senior network engineer and since ISE uses certs and draws from AD there should be no issue.
Lastly, EC has already been deployed in enterprise environments that also use Cisco ISE authentication.
Posted on 02-17-2017 01:46 PM
If you want to take it offline about ISE I can assist ands you questions about ISE integration. Are you doing the integration through the jSS?
Posted on 03-16-2017 09:58 AM
Does anyone know if this works with Azure AD Directory Services? Has anyone implemented this with Azure at all? It seems as though there is very little information on this solution. Thanks