Posted on 11-06-2015 12:03 PM
Hi all,
This is Rick Lemmon from Apple Professional Services. I'm happy to answer any questions you have around Enterprise Connect. For those of you who are unfamiliar with the tool, it provides a good level of Active Directory integration for Macs that are not domain bound. It also enhances AD integration for Macs that are domain bound and have a user logging in with an AD account.
Enterprise Connect is simply an application. Once it has been set up, it resides in your menu bar. Specifically, Enterprise Connect provides:
Kerberos SSO support: Enterprise Connect includes a built in Kerberos client and ensures that your users have a Kerberos TGT.
Account management: Enterprise Connect notifies your users, via Notification Center, when their AD password is about to expire. They can change their AD password right within Enterprise Connect.
Network shares: Enterprise Connect can mount network shares, including your AD network home and any other SMB or AFP shares you'd like to mount.
It works great if you are bound to an AD domain, but again, there is no requirement to bind to the domain to use it. It works great from a local account on an unbound system.
Enterprise Connect is driven by network state changes. When a state change occurs, Enterprise Connect checks to see if your corporate network is available, and if it is, it will acquire a Kerberos TGT, check password expiration and re-mount your shares if they have disconnected. It is also triggered by wakes from sleep and in a couple of other situations.
There's also a lot of other useful features (configuration profile support, can run scripts, etc) but for the sake of brevity I'll leave those things for later.
You may be asking "How do we get it?" or "Can I see a demo?". Please contact your Apple account team for more information on these subjects. Also, Enterprise Connect is only available to USA based customers.
I'll be following this thread, so please respond with any questions.
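The "check password expiration" step described above, as an added example that is not Enterprise Connect's own code: it shows what that check looks like for an AD user on a Mac that is not domain bound, using nothing but the Kerberos TGT already in the user's credential cache. The domain controller name, the base DN and the warning threshold are hypothetical and not from this thread; `klist`, `ldapsearch` (with GSSAPI) and `osascript` are the stock macOS tools.

```shell
#!/bin/sh
# Added example, not Enterprise Connect's own code: the "check password
# expiration" step for an AD user on a Mac that is NOT domain bound, done with
# nothing but the Kerberos TGT already in the user's credential cache.
# Hypothetical values (not from the thread): dc01.example.com, DC=example,DC=com.
set -eu

LDAP_URI="ldap://dc01.example.com"   # hypothetical domain controller
BASE_DN="DC=example,DC=com"          # hypothetical search base
WARN_DAYS=14                         # notify when this many days (or fewer) remain

# AD returns msDS-UserPasswordExpiryTimeComputed as a Windows FILETIME:
# 100-nanosecond ticks since 1601-01-01 UTC. 11644473600 seconds separate that
# epoch from the Unix epoch. Int64 max (0x7FFFFFFFFFFFFFFF) means "never expires".
filetime_to_epoch() {
  if [ "$1" = 9223372036854775807 ]; then
    printf 'never\n'
  else
    printf '%s\n' $(( $1 / 10000000 - 11644473600 ))
  fi
}

# Whole days from $1 (now, epoch seconds) to $2 (expiry, epoch seconds),
# truncated toward zero; negative means the password has already expired.
days_until() {
  printf '%s\n' $(( ($2 - $1) / 86400 ))
}

# Pure decision function (testable without a DC). Prints one of:
# never | expired | warn:<days> | ok:<days>
expiry_status() {
  ft=$1; now=$2
  epoch=$(filetime_to_epoch "$ft")
  if [ "$epoch" = never ]; then
    printf 'never\n'; return
  fi
  d=$(days_until "$now" "$epoch")
  if [ "$d" -lt 0 ]; then
    printf 'expired\n'
  elif [ "$d" -le "$WARN_DAYS" ]; then
    printf 'warn:%s\n' "$d"
  else
    printf 'ok:%s\n' "$d"
  fi
}

# The part that talks to the domain. Requires a TGT (klist -s tests for one)
# and ldapsearch with GSSAPI, both shipped with macOS.
main() {
  if ! klist -s 2>/dev/null; then
    echo "no valid Kerberos TGT; let Enterprise Connect (or kinit) obtain one first" >&2
    exit 1
  fi
  # Heimdal prints "Principal: user@REALM"; MIT prints "Default principal: ...".
  user=$(klist | sed -n 's/^.*[Pp]rincipal: \([^@]*\)@.*/\1/p' | head -n 1)
  ft=$(ldapsearch -LLL -Q -Y GSSAPI -H "$LDAP_URI" -b "$BASE_DN" \
         "(sAMAccountName=$user)" msDS-UserPasswordExpiryTimeComputed \
       | sed -n 's/^msDS-UserPasswordExpiryTimeComputed: *//p')
  if [ -z "$ft" ]; then
    echo "DC did not return an expiry time for $user" >&2
    exit 1
  fi
  status=$(expiry_status "$ft" "$(date +%s)")
  case $status in
    warn:*)  osascript -e "display notification \"AD password expires in ${status#warn:} day(s)\" with title \"Password expiration\"" ;;
    expired) osascript -e 'display notification "AD password has expired" with title "Password expiration"' ;;
  esac
  printf '%s\n' "$status"
}

# Only touch the network when explicitly asked; the functions above are safe to source.
case "${1:-}" in --run) main ;; esac
```

Run it as `sh check_expiry.sh --run` from a session that already holds a TGT. The GSSAPI bind means no password is stored or typed anywhere, which is the whole point of building this on top of the TGT; the constructed attribute `msDS-UserPasswordExpiryTimeComputed` already accounts for fine-grained password policies, so there is no need to reproduce the domain's `maxPwdAge` arithmetic client-side.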
Posted on 04-13-2017 12:43 PM
@ice2921 - Just stumbled upon this, looking for updates to this exact issue. The short of it is no, Enterprise Connect doesn't support Azure AD integration at all. I was hoping to see functionality similar to Windows 10 where I could log in with Azure AD creds on the OS, but alas, it's not there. I spoke to both MS and Apple about this and the onus is on Apple to develop the solution. From what I was told by Apple, this isn't even on the roadmap. To save you some time, I also tried falling back to LDAPS served from Azure AD and Enterprise Connect wouldn't even leverage that. It's unfortunate, but hopefully things change.
Posted on 04-17-2017 08:38 AM
@rjlemmon We purchased Enterprise Connect almost a year ago and I am wondering if there are any version updates to the app. The version we have now is 1.6.1 (4).
Posted on 04-17-2017 09:14 AM
@lgt28jr: You should be reaching out to your Apple business rep for updates. ;-)
The current version is at least 1.6.4.
Posted on 04-17-2017 09:24 AM
@lgt28jr You should be receiving emails from the Apple Professional Services group when updates are available.
After we went through the required two-day onsite for the purchase we gave them our email addresses (actually a mailing list in case we ever need to change who the contacts are) and we have received emails for every version update since we purchased it, which is about a year ago for us as well.
Posted on 04-17-2017 10:42 AM
Thanks, I thought we did the same. About 10 minutes after posting this I received an email from Apple Professional Services with the latest update. How's that for service, wow!!! I also gave them an alias to use, so this has been resolved.
Posted on 05-01-2017 07:17 AM
Next EC demo Monday, May 15, 2017:
APS Enterprise Connect Demo 25
Monday, May 15, 2017
10:30 am | Central Daylight Time (Chicago, GMT-05:00) | 1 hr 30 min
http://tinyurl.com/ECDemo25
Posted on 05-02-2017 04:59 PM
Hi Everyone!
So I'm working at an enterprise company that deployed EC a few months ago. What we're noticing (especially for remote users) is that if their Mac has fallen off our AD domain, EC will log in but will not allow a domain password change. If we re-bind the Mac to the domain (connected via VPN, of course) EC will allow a domain password change.
Any ideas as to what might be causing this?
Thanks!
Posted on 05-02-2017 05:24 PM
This is the expected behavior of EC. The domain must be accessible to perform a password change.
Posted on 05-03-2017 01:25 PM
Right, but from the original poster:
"It works great if you are bound to an AD domain, but again, there is no requirement to bind to the domain to use it. It works great from a local account on an unbound system."
Unless the "local account" is the key, we use AD accounts here.
Thanks!
Posted on 05-03-2017 02:29 PM
Directory "binding" is not required, however, the directory must be accessible and directory authentication available. Two different things here.
Posted on 05-03-2017 07:55 PM
Is there currently any way to hide the Enterprise Connect icon in the menu bar? Even with Bartender (https://www.macbartender.com/) in use, it remains persistent.
Posted on 05-04-2017 04:45 AM
@rjlemmon - in your initial post, you stated
It also enhances AD integration for Macs that are domain bound and have a user logging in with an AD account.
But that was a couple of years ago. Is that still the case? Or is the recommendation by Apple, that when using EC, to not have your machines bound to the domain?
Posted on 05-11-2017 05:54 PM
We are using Apple Enterprise Connect at my place of employment. Let me just say this... it's a god-send!
It allows me to deploy DEP-enabled Macs to my end-user community and still have those same Macs get bound to Active Directory and leverage Kerberos authentication as well as password synchronization and password expiration notifications.
Here is my workflow (more or less) for those who are interested in my zero-touch deployment...
We are still working on automating the last few steps. My proposed automation goes a little something like this...
Anyway - Apple Enterprise Connect is awesome. It makes conception a wonder and child birth a pleasure!
Caine Hörr
A reboot a day keeps the admin away!
Posted on 05-16-2017 08:03 AM
@cainehorr I'm running on little sleep so bear with me but I'm not clear on how your process works at the beginning. How does the DEP enabled Mac let you log in with AD credentials if the Jamf agent isn't installed yet? At what point does Enterprise Connect get installed? I've never used it so I'm not familiar with the details of it although I caught part of a demo once.
Posted on 05-16-2017 11:07 AM
Your primary question: How does the DEP enabled Mac let you log in with AD credentials if the Jamf agent isn't installed yet?
1st - If you have JAMF configured to use DEP, then all your Macs and/or iOS devices will receive the JAMF client as a part of the DEP enrollment process.
2nd - My users DO NOT log into their Macs using Active Directory credentials - they log in with local user accounts.
3rd - Apple Enterprise Connect gets installed as part of the JAMF deployment process.
4th - Users connect to the network either locally or over VPN. Users then log into Apple Enterprise Connect using their Active Directory credentials. This is where the Kerberos authentication takes place. Apple Enterprise Connect also synchronizes the user's local user account password with their Active Directory account password. The user's local Mac keychain is updated as a part of this process.
Hope this clarifies. ;-)
Caine Hörr
A reboot a day keeps the admin away!
Posted on 05-16-2017 11:57 AM
@cainehorr Thanks but that falls in line with what I already assumed. In reading the workflow you mentioned above I didn't read it the same way though which is why I asked. You mentioned the user logging in with AD credentials before the jamf agent was installed. Did I miss something there?
At any rate there's been some thought put into using it. The biggest issue I've been told that it might not be best for us is that it's not designed to be used with multi-user systems. Most users have their own system but there are a few used by multiple people.
Posted on 05-16-2017 12:12 PM
Ah - I see the discrepancy that is tripping you up...
Let me clarify...
When you deploy a DEP enabled device, the user must authenticate before the remainder of the initial Apple setup process will continue. This authentication process takes place either through JAMF's internal user directory or another directory service (such as LDAP); in my case, Active Directory.
DEP then calls home to Apple. Apple recognizes the devices as belonging to your company. Apple also knows what your MDM solution is. Apple calls home to your MDM. MDM confirms the username and password via your directory service. Once authenticated, your MDM tells Apple that all is well with the world. Apple reports back to the DEP enabled Mac and Bob's your uncle. It's essentially a cloud-based version of "Golden Triangle".
Here is where your missing link resides...
Once authenticated, the Apple setup process will continue and the user is prompted to create a local user account on the Mac... The username and password fields are already filled out using the credentials as submitted to DEP, but even though they "look" like your AD/LDAP credentials, they are actually just being applied to a local account.
Take note - the user can still change the local username and password at this point...
Once the user submits this info, the Apple Setup process creates the local account and the desktop rears its head.
Once Apple Enterprise Connect (AEC) is invoked, the user types in their network (LDAP, AD, etc.) username and password. AEC guarantees that the local account (regardless of username format) and the AD/LDAP account passwords are synchronized. And because AEC is now active and logged in on behalf of the network user, your Mac acquires a Kerberos ticket-granting ticket.
Hope this further clarifies...
So as you see, my workflow is sound... Until now, I hadn't broken down (in detail) the relationship between the Mac, Apple (DEP/APNS), and the MDM.
Caine Hörr
A reboot a day keeps the admin away!
Posted on 05-16-2017 12:16 PM
Posted on 05-16-2017 12:39 PM
@cainehorr Ah, ok... that's making more sense now and, again, falls in line with what I know. Your terminology stating that they "logged in" might more accurately be "authenticates with AD credentials". It also threw me because we don't have authentication enabled for DEP Macs here. I simply forgot about that feature.
Either way all is good...thanks for getting back to me. It would be good to hear from someone on the multiuser aspect. I received that information from an Apple engineer but he wouldn't go into more detail other than to say that EC might not be a good solution for us.
Posted on 06-16-2017 03:34 PM
Does EC require JAMF to configure for a single workstation?
Posted on 06-16-2017 04:38 PM
@fseaton Enterprise Connect is configured by Apple professional services in a 2 day visit.
For just one workstation I'd look into NoMAD
Posted on 06-16-2017 05:07 PM
I agree, NoMAD is the way to go.
Posted on 06-16-2017 05:18 PM
Thanks for the quick replies. I guess I should have given more background.
We have multiple Macs, and our central IT is "purchasing" professional services from Apple to configure EC, so we will have access to EC. The question is still whether JAMF is required to configure it as we don't use JAMF to manage the few Macs we have in our area.
thanks again.
Posted on 06-16-2017 05:20 PM
Jamf shouldn't be required to configure EC. If anything, it's configured by a plist which you could drop or install on each machine.
Posted on 06-16-2017 05:23 PM
An MDM is not required to deploy or configure EC. EC may be configured manually or by way of a shell script. Use of an MDM (including Jamf PRO) simplifies the deployment and configuration.
Posted on 06-16-2017 05:25 PM
Thanks, again, for the quick responses. I was assuming that JAMF wasn't required, but someone on campus had told me they thought JAMF was required and I just couldn't believe that was the case.
Thanks!!
Posted on 07-03-2017 05:53 AM
Hello
Hoping for some assistance. We just implemented EC in our environment with the help of an Apple engineer for two days and I am currently testing it with a small group of users. One of the improvements I would like to implement is mapping the different network shares a user has access to by using their AD group memberships, rather than the user adding them manually after EC is configured on their Mac. We have an environment where some of our Macs are joined to the domain and some are not.
Has anyone been able to map network shares using EC according to users' AD group memberships on a non-AD-bound Mac?
Thanks
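The share mapping asked about above, as an added example that is not part of this thread and not Enterprise Connect's own code: on a Mac that is not bound to AD, the user's Kerberos TGT is enough to look up their group membership over a GSSAPI LDAP bind and mount the matching SMB shares. The domain controller, base DN and the group-to-share table are hypothetical; `ldapsearch`, `klist` and `open` are stock macOS tools.

```shell
#!/bin/sh
# Added example, not Enterprise Connect's own code: mount SMB shares on a Mac
# that is NOT bound to AD, chosen by the user's AD group membership, using only
# the Kerberos TGT already in the credential cache.
# Hypothetical values (not from the thread): the DC, base DN and group->share table.
set -eu

LDAP_URI="ldap://dc01.example.com"   # hypothetical domain controller
BASE_DN="DC=example,DC=com"          # hypothetical search base

# Hypothetical group -> share table: AD group CN, whitespace, share URL.
share_map() {
  cat <<'EOF'
Finance      smb://fs01.example.com/finance
Engineering  smb://fs01.example.com/eng
Staff        smb://fs01.example.com/public
EOF
}

# Read LDIF "memberOf: CN=...,OU=...,DC=..." lines on stdin, pull out each
# group's CN and print the share URL for every group present in share_map,
# de-duplicated. Pure text processing, so it is testable without a DC.
# Caveats: CNs containing an escaped comma ("\,") and base64-encoded values
# ("memberOf::") are skipped by this simple sed pattern.
shares_for_groups() {
  sed -n 's/^memberOf: *CN=\([^,]*\),.*/\1/p' \
  | while IFS= read -r group; do
      share_map | awk -v g="$group" '$1 == g { print $2 }'
    done \
  | sort -u
}

# Direct group membership of $1 (sAMAccountName), as LDIF, via a GSSAPI bind
# that reuses the TGT. memberOf lists direct, non-primary groups only.
lookup_groups() {
  ldapsearch -LLL -Q -Y GSSAPI -H "$LDAP_URI" -b "$BASE_DN" \
    "(sAMAccountName=$1)" memberOf
}

main() {
  if ! klist -s 2>/dev/null; then
    echo "no valid Kerberos TGT; let Enterprise Connect (or kinit) obtain one first" >&2
    exit 1
  fi
  # Heimdal prints "Principal: user@REALM"; MIT prints "Default principal: ...".
  user=$(klist | sed -n 's/^.*[Pp]rincipal: \([^@]*\)@.*/\1/p' | head -n 1)
  lookup_groups "$user" | shares_for_groups | while IFS= read -r url; do
    # Finder mounts smb:// URLs with the Kerberos ticket; no password prompt.
    echo "mounting $url"
    open "$url"
  done
}

# Only touch the network when explicitly asked; the functions above are safe to source.
case "${1:-}" in --run) main ;; esac
```

Two caveats worth keeping in mind. First, this is a convenience, not access control: the server's share and NTFS ACLs still decide what the user can read, and a wrong entry in the table only produces a failed mount, never extra access. Second, `memberOf` shows direct membership only; if your shares are granted through nested groups, replace the filter with an `LDAP_MATCHING_RULE_IN_CHAIN` search (`(member:1.2.840.113556.1.4.1941:=<user DN>)`) against the group objects instead.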
Posted on 07-10-2017 07:42 AM
Yes & Sorta.
Your Apple EC support engineer should continue working with you via email/WebEx/etc. to continue expanding your deployed EC capabilities.
Users can also add their OWN pre-mapped shares anytime they want... unless you lock it out of their hands.
The other fun part is that EC password changes work better than ADPassMon, but still not 100%. Somehow, some way, our users still manage to have stuff saved in their keychain that we simply cannot fix. And also sometimes EC doesn't change the user's keychain password (local user = AD user); this has to be resolved with a manual password reset of the keychain.
Posted on 07-11-2017 05:43 AM
@JSnell Thank you for your reply. Is it possible for you to share the script that's not fully working for your environment? I am not getting much assistance from my EC support engineer; if I can get some ideas from your script to get started, it will be very helpful for me. Thanks
Posted on 07-28-2017 11:27 AM
How do I contact Apple Pro Services to start looking at EC? We don't purchase many Macs; however, that is increasing as time goes on. The individuals I have contacts for at Apple have not gotten back to me since I e-mailed them. @rjlemmon, are you still watching this thread?
Thanks!
Posted on 07-28-2017 11:37 AM
Hi @Kedgar, I have sent this link to Rick and another guy. Hopefully they can help you; they are awesome people.
Posted on 07-28-2017 11:59 AM
@Tigerhaven Thank you so much!
Posted on 07-28-2017 12:29 PM
My 2¢...
As an Enterprise Connect customer, I find that the engagement pays dividends that far outstrip the cost or time involved or the feature set of the Enterprise Connect app.
Through the engagement, we learned how and why Enterprise Connect works, as well as a deeper understanding of the macOS AD tools.
As Jamf customers, maybe think of it as an 'AD jumpstart' that comes with a free app.
Posted on 07-28-2017 06:39 PM
That is an excellent way to look at it.
As a former Apple Enterprise Connect subscriber, I would agree with your view point 100%!
Caine Hörr
A reboot a day keeps the admin away!
Posted on 07-30-2017 04:48 PM
Just sent you my email address via LinkedIn.
Posted on 08-04-2017 04:52 AM
Having completed engagement, we are now happily running Enterprise Connect within IT and are prepping for a full rollout. Considering how well this is currently working, I'd love to see this get built into the OS later!
Posted on 08-09-2017 12:45 PM
@Chris_Hafner - having to support a new client with this. Have you seen any issues with FV and password changes? I don't have a lot of info yet, but they are trying to escrow personal FV keys into JSS and there's some mention of the passwords getting out of sync, not unlike AD accounts if you change the PW on a website, etc.
Don't have a lot of info yet, and you likely don't either, but I have no hands-on with this yet...glad it seems to be working for you.
Posted on 08-10-2017 11:39 AM
What specifically are you hearing about? So far in my testing, FV accounts and recovery keys work just fine. Personal keys are being properly stored and are usable at least in my limited testing. I'll have to test on the bench and get back to you.
Posted on 08-14-2017 04:08 PM
Whom would I get in touch with at Apple to get more information about an engagement for EC? I have sent a few emails to consultingservices@apple.com, but I haven't received a reply. Thanks in advance.
Posted on 08-15-2017 06:24 AM
Grab your Apple Rep or contact Apple Professional Services. They can sort you out.