Posted on 11-06-2015 12:03 PM
Hi all,
This is Rick Lemmon from Apple Professional Services. I'm happy to answer any questions you have around Enterprise Connect. For those of you who are unfamiliar with the tool, it provides a good level of Active Directory integration for Macs that are not domain bound. It also enhances AD integration for Macs that are domain bound and have a user logging in with an AD account.
Enterprise Connect is simply an application. Once it has been set up, it resides in your menu bar. Specifically, Enterprise Connect provides:
Kerberos SSO support: Enterprise Connect includes a built in Kerberos client and ensures that your users have a Kerberos TGT.
Account management: Enterprise Connect notifies your users, via Notification Center, when their AD password is about to expire. They can change their AD password right within Enterprise Connect.
Network shares: Enterprise Connect can mount network shares, including your AD network home and any other SMB or AFP shares you'd like to mount.
It works great if you are bound to an AD domain, but again, there is no requirement to bind to the domain to use it. It works great from a local account on an unbound system.
Enterprise Connect is driven by network state changes. When a state change occurs, Enterprise Connect checks to see if your corporate network is available, and if it is, it will acquire a Kerberos TGT, check password expiration and re-mount your shares if they have disconnected. It is also triggered by wakes from sleep and in a couple of other situations.
There are also a lot of other useful features (configuration profile support, can run scripts, etc.) but for the sake of brevity I'll leave those things for later.
You may be asking "How do we get it?" or "Can I see a demo?". Please contact your Apple account team for more information on these subjects. Also, Enterprise Connect is only available to USA based customers.
I'll be following this thread, so please respond with any questions.
Posted on 08-15-2017 08:40 AM
@Chris_Hafner send a message to @rjlemmon
@scottb I have run into this issue with Macs that are bound to AD... even with NoMAD installed and configured. I think the secret to fixing password sync issues for FileVault 2 and Keychain is to not bind your Macs. This is something we are going to be looking at for my company... in addition to Enterprise Connect.
Posted on 08-15-2017 09:34 AM
@Kedgar Agreed on all sides. If you can stop binding, do so! Also, I think you meant for @paulschatz to contact @rjlemmon ;-)
Posted on 09-01-2017 01:22 PM
@rjlemmon : You should post an update to your message at the top of this thread. It says, "Enterprise Connect is only available to USA based customers."
But I was in your webinar yesterday, and either you or one of your co-presenters mentioned that it's available in several countries now. (And am I right in remembering that it's now localized for some other languages?)
Oh, and I hope you've recovered from your cold!
Posted on 09-07-2017 08:24 AM
Thanks much @Chris_Hafner and @Kedgar. Appreciate the feedback. I think it's settled out with EC and no more AD binding...
Posted on 09-07-2017 10:21 AM
It's a beautiful thing! Now I just need to figure out the best way to manage user names "in my environment".
Posted on 09-08-2017 09:28 AM
@Chris_Hafner this was provided as a way to get names. Not sure if that's what you meant by "manage user names" but here 'tis:
klist | grep "Principal:" | awk '{print $2}' | sed 's/@.*//'
"The easiest way to do this is to extract the user name out of the Kerberos ticket that EC gets." (using the above).
If this was already known to you, apologies. I have not tested it yet.
Posted on 09-08-2017 09:42 AM
Running EC in production since 10.11 and it has been reliable. Thank you @rjlemmon
Posted on 09-13-2017 01:10 PM
Any thoughts on the best way to identify whether users are logged into EC? Just because the app has been installed doesn't mean users have gone through the step of an initial sign in. Would be nice to have an extension attribute.
Posted on 09-13-2017 04:41 PM
I was thinking about this today too @macmanmk we have a lot of people that have it installed but haven't logged in.
I haven't created it as an EA yet but something like this would show if it's running or not.
#!/bin/bash
# -q keeps the matched PIDs out of the EA output, so only the <result> line is printed
if /usr/bin/pgrep -q "Enterprise Connect"; then
    echo "<result>running</result>"
else
    echo "<result>not running</result>"
fi
Posted on 09-14-2017 11:23 AM
We use a launch agent in /Library/LaunchAgents to start the app at login and keep it alive. So even if the user quits EC, it will relaunch and they can't stop it!
Posted on 09-15-2017 07:06 AM
@ooshnoo I tried your approach and it keeps EC running, but what we're seeing is people just close down the login window without actually logging in. The launch agent keeps EC running in the background but doesn't reopen the login window until they reboot or log out.
Has anyone figured out a way to prevent the user from closing the window until they've logged in?
Posted on 09-27-2017 09:12 AM
Curious to know if 1.6.1 (4) is the latest version of EC. Also has anyone encountered any issues with EC with the following:
- AD 2012 R2 Standard
- AD Schema version 69
Thanks in Advance
Posted on 09-27-2017 10:05 AM
@lgt28jr I think 1.8 (4) is the latest version of EC and no issues here with AD schema 69.
Posted on 09-29-2017 06:47 AM
@jason_d are you using EC? If so is 1.8(4) the version you are using? I was told I would get emails when EC was updated but haven't received any emails since April of a newer version being released. I will reach out to my Apple contact who did the onsite with us to see if they did release a newer version. Thanks
Posted on 10-04-2017 09:33 AM
@rjlemmon So...Enterprise Connect (EC) and no AD Binding....and HR/Legal/Security phone call to lock out an AD account....go.
We haven't gone down the EC road, figured I'd post here rather than wait for the next monthly EC web meeting, where the question might not get answered, or might lose context if follow up questions are not possible.
TIA,
Don
Posted on 10-04-2017 09:58 AM
@lgt28jr yes we are running 1.8.0(4) I would follow up with Apple. We got an email when it came out not that long ago.
Posted on 10-05-2017 06:01 PM
hi @rjlemmon , a couple of questions
Our business is based in the US, but have offices across the globe...will this still function for our international offices or does it depend on infrastructure set-up (how/what/etc)?
Do users have one or two passwords? For example, if we only had a local user account and we supply them company credentials (email/shares/etc.), what password is used to log into the Mac, unlock FileVault, etc.?
Thank you
Posted on 10-06-2017 01:54 PM
1.) It alerts the users via Notification Center like any other alert.
2.) Yes
3.) Yes
EC takes no action other than an alert on an account being locked in AD.
Posted on 10-06-2017 01:57 PM
1.) As long as it is AD then it should work. If there are multiple domains globally you might need to have different configurations for these different regions.
2.) They can have as many as two passwords, but it's up to you the admin and the user to reduce this to one. EC can have the user sync their AD password to the local account if you configure it. This can't be forced, so it's up to your users to comply.
Posted on 10-06-2017 02:10 PM
If this file
$HOMEFOLDER/Library/Preferences/com.apple.Enterprise-Connect.plist
doesn't exist then Enterprise Connect has never been logged into. Key off of that but I'd actually take it a step further and even if the prefs exist verify that it is actually connecting.
defaults read $HOMEFOLDER/Library/Preferences/com.apple.Enterprise-Connect.plist dateLastConnected
And you can easily convert that to epoch for easy comparison and see if they've checked in in the last X days:
timeStamp14dBack=$(date -v-14d -u +"%s")
# defaults prints the date as "YYYY-MM-DD HH:MM:SS +0000"; keep the first two fields and parse them as UTC
dateLastConnectedEpoch=$(TZ=UTC date -j -f "%Y-%m-%d %H:%M:%S" "$(defaults read "$HOMEFOLDER/Library/Preferences/com.apple.Enterprise-Connect.plist" dateLastConnected | cut -d " " -f1,2)" "+%s")
# a larger (more recent) epoch than the two-weeks-ago mark means they connected within the window
if [[ $dateLastConnectedEpoch -gt $timeStamp14dBack ]]
then
    echo "they have connected in the last two weeks. good user"
else
    echo "they have not in a couple weeks. bad user."
fi
Posted on 10-30-2017 06:28 AM
I am getting ready to roll out EC to my Macs within the organization. All of our Macs are joined to the domain and accounts are managed. Has anyone used managed accounts with EC? I already did my two day training and they suggested to create local accounts on each MacBook.
Posted on 10-30-2017 07:03 AM
Hi, I posted this question last week, and I just noticed this post today so I thought I should ask the same question here:
Apple Enterprise Connect - System Clock - Your Mac's date or time is incorrect.
I'm using Apple Enterprise Connect 1.7.1. I normally don't log out.
And when I log back in from "sleep mode" I'm getting this popup after I log in:
"System Clock - Your Mac's date or time is incorrect. Please correct this issue and try again."
Time is set to "time.apple.com", and when I get the popup I see the time and date are correct.
I just click "ok" and on the "EC" icon I right click and select "Reconnect" and it connects fine.
Any thoughts on how to resolve this?
Thank you.
What I have is a Smart Computer Group with Criteria = "OS - Verify Time Server", Operator = "like", Value = "Fail". If it finds a "Fail" for the time, it automatically applies a policy with a really basic command:
#!/bin/sh
systemsetup -setnetworktimeserver time.apple.com
Has anyone seen the same "issue" on EC version 1.8?
user schultza posted this:
Posted: 10/27/17 at 7:47 PM by schultza
This might be related. Time on Macs has been allowed to drift since ~2013. Apple is no longer using NTP directly from source; it's been changed so that time updates itself less frequently. As I understand it this was done to save power. I have a policy that runs that syncs the time once a day with our local NTP server. This might not be your issue, but I've seen strange time problems with machines coming out of sleep related to this.
/usr/sbin/ntpdate -u serverurlhere
Alternatively you can compile NTP from source if you want to.
Posted on 01-25-2018 07:30 AM
@rjlemmon Thanks for the detailed info. Can we please have a demo of it?
Posted on 01-25-2018 09:09 AM
Enterprise Connect is only available to USA based customers.
sigh
Posted on 01-25-2018 11:35 AM
Hi all,
Enterprise Connect, Apple Provisioning Utility and other engagements can now be purchased outside of the USA.
Please check with your Apple Representative or send an email to consultingservices at Apple.
Posted on 03-13-2018 04:29 AM
@rjlemmon I haven't dived deep into the EC 1.9.0 beta but I'm wondering if there's any plan to leverage EC or possibly built-in support for offline mobile account logins with SmartCards.
My company is planning a transition to full PIV SmartCard multi-factor authentication and I was pleased to discover fairly robust support for this in 10.13.3 (my Windows counterparts struggled with this mandate for months and I got a working demo up in one day). The only feature that doesn't exist is the ability to log in to AD-supplied mobile accounts off-network. I've heard that apps like NoMAD might be able to provide this ability but since we already have EC I figured I'd see if it was something that was coming or maybe that could be bashed together with EC and Ticket Viewer or something.
Thanks!
Posted on 03-13-2018 10:28 AM
This is what I ended up with... The echoes at the start were for debugging.
Also @macmanmk I would check out https://www.jamf.com/jamf-nation/discussions/20817/enterprise-connect-login-item
#!/bin/bash
# last account that signed in at the login window
username=$(/usr/bin/defaults read /Library/Preferences/com.apple.loginwindow lastUserName)
# dateLastConnected prints as "YYYY-MM-DD HH:MM:SS +0000"; keep the date and time fields only
ecdate=$(defaults read "/Users/$username/Library/Preferences/com.apple.Enterprise-Connect.plist" dateLastConnected | cut -d " " -f1,2)
timeStamp14dBack=$(date -v-14d -u +"%s")
# the stored value is UTC, so parse it as UTC (%m is month; %M would be minutes)
dateLastConnectedEpoch=$(TZ=UTC date -j -f "%Y-%m-%d %H:%M:%S" "$ecdate" "+%s")
echo "$dateLastConnectedEpoch"
echo "$timeStamp14dBack"
if [[ "$timeStamp14dBack" -lt "$dateLastConnectedEpoch" ]]
then
    echo '<result>Within 2 Weeks</result>'
else
    echo '<result>Over 2 Weeks</result>'
fi
Edit: both results were the same!!
Posted on 03-13-2018 10:41 AM
You are over-thinking that EA. You don't need to do that logic. Just set the EA type to "date." Let the JSS do the logic for you.
Plus - dates take up a lot less room in your database than strings, and are much more efficient overall.
Posted on 03-13-2018 10:51 AM
So this is all you need.
This also should account for a user that has a non-standard home directory.
#!/bin/bash
IFS=$'\n'
currentUser=$(stat -f %Su /dev/console)
# dscl prints "NFSHomeDirectory: /path"; keep only the path so non-standard homes work
currentUserHome=$(/usr/bin/dscl . -read "/Users/$currentUser" NFSHomeDirectory | sed -n 's|.* \(/.*\)|\1|p')
ecdate=$(defaults read "$currentUserHome/Library/Preferences/com.apple.Enterprise-Connect.plist" dateLastConnected)
echo "<result>$ecdate</result>"
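As an added example (not code from any poster in this thread), here is one EA that combines the two points made earlier: a missing plist means the user has never signed in to EC, and the raw value is trimmed so the EA can be stored as a Jamf "Date" type instead of doing epoch maths in the script. It assumes `defaults read` prints dateLastConnected as "YYYY-MM-DD HH:MM:SS +0000"; the function names and the empty result for "never signed in" are my own choices.

```bash
#!/bin/bash
# Jamf extension attribute: when did the console user last sign in to Enterprise Connect?
# Added example for this thread, not code from any poster. Assumptions: the EA is created with
# data type "Date", and `defaults read` prints dateLastConnected as "YYYY-MM-DD HH:MM:SS +0000".

EC_PLIST_REL="Library/Preferences/com.apple.Enterprise-Connect.plist"

# Turn the raw `defaults read` value into the EA result. An empty argument means the plist
# or the key does not exist, i.e. the user has never signed in to EC.
format_ec_result() {
    local raw="$1"
    if [ -z "$raw" ]; then
        # an empty date result rather than a string like "Never", so a Date-type EA still parses
        printf '<result></result>\n'
        return 0
    fi
    # strip the trailing "+0000" so the value matches Jamf's "YYYY-MM-DD hh:mm:ss" date format
    printf '<result>%s</result>\n' "${raw% *}"
}

# Home directory of the user at the console, honouring non-standard home paths
# (sed keeps everything after the label, so a path containing spaces survives).
console_user_home() {
    local user
    user=$(stat -f %Su /dev/console 2>/dev/null) || return 1
    case "$user" in root|_mbsetupuser|"") return 1 ;; esac   # login window / Setup Assistant
    /usr/bin/dscl . -read "/Users/$user" NFSHomeDirectory 2>/dev/null | sed -n 's|^NFSHomeDirectory: ||p'
}

# Read the key, tolerating a missing user, file or key (each yields an empty result).
read_ec_date() {
    local home
    home=$(console_user_home) || return 1
    [ -f "$home/$EC_PLIST_REL" ] || return 1
    /usr/bin/defaults read "$home/$EC_PLIST_REL" dateLastConnected 2>/dev/null
}

# The macOS-only part runs only on a Mac; the helpers above are plain shell.
if [ "$(uname)" = "Darwin" ]; then
    format_ec_result "$(read_ec_date || true)"
fi
```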
Posted on 04-02-2018 06:17 AM
My environment has Enterprise Connect and Jamf. My understanding when we set up Enterprise Connect was that once you logged into Enterprise Connect it would change the user account password, but that doesn't seem to be the case.
Posted on 04-02-2018 06:24 AM
@michaelsawilson - can you clarify "user account password" ? The unbound local account? The bound mobile account?
Posted on 04-09-2018 11:12 AM
For those interested in Enterprise Connect, Apple is having a webinar tomorrow (10 April 2018) at 12:15 PM Eastern Daylight time (GMT -4).
You can register at this link.
The webinar is a technical presentation, live demo and Q&A with one of Apple's senior consulting engineers.
Posted on 04-26-2018 09:36 AM
Hey all...
I just read through nearly two years of comments to get an answer to my question... and I am still not clear.
Q: Does Enterprise Connect only work with local accounts, or will it also work with mobile (AD) accounts?
Posted on 04-26-2018 09:41 AM
Hi PeterG,
It works with both local and domain accounts, including mobile. Certain Enterprise Connect features will only work with certain account types (such as password syncing). We're using it with regular AD and AD mobile accounts.
--Ben
Posted on 04-26-2018 09:51 AM
I'll throw my 2¢ in also. We're exclusively domain (mobile) accounts (except for service account for jamf) and Enterprise Connect works fine for us. The only thing is we use a password manager application which EC can't leverage for password changes.
Posted on 04-26-2018 11:02 AM
Ah... so that is what I was looking for.
I want to do password syncing but I have (AD) mobile accounts, not local.
Posted on 04-26-2018 12:46 PM
Password syncing is not necessary when using mobile accounts, as Enterprise Connect only allows for a password change if the domain is accessible. Password syncing is an implied function when utilizing mobile accounts.
Posted on 04-26-2018 02:20 PM
So the password "countdown" will still work? (because users never log out or restart).
Posted on 04-26-2018 03:20 PM
@PeterG Yes, the password expiration notifications still apply. Upon actual expiration of the user's password, the next time Enterprise Connect authenticates the user they will be forced to change their password (no logout or restart required).
Posted on 05-02-2018 06:05 AM
Is this available in the UK yet??
Can't be a$%&d looking through all the posts..
Ta