About Enterprise Connect

rjlemmon
New Contributor II

Hi all,

This is Rick Lemmon from Apple Professional Services. I'm happy to answer any questions you have around Enterprise Connect. For those of you who are unfamiliar with the tool, it provides a good level of Active Directory integration for Macs that are not domain bound. It also enhances AD integration for Macs that are domain bound and have a user logging in with an AD account.

Enterprise Connect is simply an application. Once it has been set up, it resides in your menu bar. Specifically, Enterprise Connect provides:

Kerberos SSO support: Enterprise Connect includes a built-in Kerberos client and ensures that your users have a Kerberos TGT.
Account management: Enterprise Connect notifies your users, via Notification Center, when their AD password is about to expire. They can change their AD password right within Enterprise Connect.
Network shares: Enterprise Connect can mount network shares, including your AD network home and any other SMB or AFP shares you'd like to mount.

It works great if you are bound to an AD domain, but again, there is no requirement to bind to the domain to use it. It works great from a local account on an unbound system.

Enterprise Connect is driven by network state changes. When a state change occurs, Enterprise Connect checks to see if your corporate network is available, and if it is, it will acquire a Kerberos TGT, check password expiration and re-mount your shares if they have disconnected. It is also triggered by wakes from sleep and in a couple of other situations.

There are also a lot of other useful features (configuration profile support, running scripts, etc.) but for the sake of brevity I'll leave those things for later.

You may be asking "How do we get it?" or "Can I see a demo?". Please contact your Apple account team for more information on these subjects. Also, Enterprise Connect is only available to USA based customers.

I'll be following this thread, so please respond with any questions.


Kedgar
Contributor

@Chris_Hafner send a message to @rjlemmon

@scottb I have run into this issue with Macs that are bound to AD... even with NoMAD installed and configured. I think the secret to fixing password sync issues for FileVault 2 and Keychain is to not bind your Macs. This is something we are going to be looking at for my company... in addition to Enterprise Connect.

Chris_Hafner
Valued Contributor II

@Kedgar Agreed on all sides. If you can stop binding, do so! Also, I think you meant for @paulschatz to contact @rjlemmon ;-)

stevenjklein
Contributor II

@rjlemmon : You should post an update to your message at the top of this thread. It says, "Enterprise Connect is only available to USA based customers."

But I was in your webinar yesterday, and either you or one of your co-presenters mentioned that it's available in several countries now . (And am I right in remembering that it's now localized for some other languages?)

Oh, and I hope you've recovered from your cold!

scottb
Honored Contributor

Thanks much @Chris_Hafner and @Kedgar. Appreciate the feedback. I think it's settled out with EC and no more AD binding...

Chris_Hafner
Valued Contributor II

It's a beautiful thing! Now I just need to figure out the best way to manage user names "in my environment".

scottb
Honored Contributor

@Chris_Hafner this was provided as a way to get names. Not sure if that's what you meant by "manage user names" but here 'tis:

klist | grep Principal: | awk '{print $2}' | sed 's/@.*//'

"The easiest way to do this is to extract the user name out of the Kerberos ticket that EC gets." (using the above).
If this was already known to you, apologies. I have not tested it yet.

lashomb
Contributor II

Running EC in production since 10.11 and it has been reliable. Thank you @rjlemmon

macmanmk
Contributor

Any thoughts on the best way to identify whether users are logged into EC? Just because the app has been installed doesn't mean users have gone through the step of an initial sign in. Would be nice to have an extension attribute.

jason_d
New Contributor III

I was thinking about this today too @macmanmk we have a lot of people that have it installed but haven't logged in.

I haven't created it as an EA yet but something like this would show if it's running or not.

#!/bin/bash
# -q suppresses the PID list so only the <result> tags reach the EA output.
if /usr/bin/pgrep -q "Enterprise Connect"; then
    echo "<result>running</result>"
else
    echo "<result>not running</result>"
fi

ooshnoo
Valued Contributor

@macmanmk

We use a launch agent in /Library/LaunchAgents to start the app at login and keep it alive. So even if the user quits EC, it will relaunch and they can't stop it!

jason_d
New Contributor III

@ooshnoo I tried your approach and it keeps EC running, but what we're seeing is people just close down the login window without actually logging in. The launch agent keeps EC running in the background but doesn't reopen the login window until they reboot or log out.

Has anyone figured out a way to prevent the user from closing the window until they've logged in?

lgt28jr
New Contributor II

Curious to know if 1.6.1 (4) is the latest version of EC. Also has anyone encountered any issues with EC with the following:
- AD 2012 R2 Standard
- AD Schema version 69

Thanks in Advance

jason_d
New Contributor III

@lgt28jr I think 1.8 (4) is the latest version of EC and no issues here with AD schema 69.

lgt28jr
New Contributor II

@jason_d are you using EC? If so is 1.8(4) the version you are using? I was told I would get emails when EC was updated but haven't received any emails since April of a newer version being released. I will reach out to my Apple contact who did the onsite with us to see if they did release a newer version. Thanks

donmontalvo
Esteemed Contributor III

@rjlemmon So...Enterprise Connect (EC) and no AD Binding....and HR/Legal/Security phone call to lock out an AD account....go.

  1. If a user's AD account is locked out as per HR/Legal/Security, how does EC behave when the user returns from lunch, and during their lunch, their AD account was locked out?
  2. If a user moves to another Mac where they logged on before, and their AD account is locked out, will they be able to log in to the locally cached account (mobile account)?
  3. If a user knows he/she is locked out of their AD account, are they able to walk over to a computer they logged into before, unplug it from the network, and log in with their last cached password? Read: circumvent AD lockout.

We haven't gone down the EC road, figured I'd post here rather than wait for the next monthly EC web meeting, where the question might not get answered, or might lose context if follow up questions are not possible.

TIA,
Don


--
https://donmontalvo.com

jason_d
New Contributor III

@lgt28jr Yes, we are running 1.8.0(4). I would follow up with Apple. We got an email when it came out not that long ago.

walt
Contributor III

Hi @rjlemmon, a couple of questions:

  • Our business is based in the US, but we have offices across the globe... will this still function for our international offices or does it depend on infrastructure set-up (how/what/etc.)?

  • Do users have one or two passwords? For example, if we only had a local user account and we supply them company credentials (email/shares/etc.), what password is used to log into the Mac, unlock FileVault, etc.?

Thank you

iJake
Valued Contributor

@donmontalvo

1.) It alerts the users via Notification Center like any other alert.
2.) Yes
3.) Yes

EC takes no action other than an alert on an account being locked in AD.

iJake
Valued Contributor

@walt

1.) As long as it is AD then it should work. If there are multiple domains globally you might need to have different configurations for these different regions.

2.) They can have as many as two passwords, but it's up to you, the admin, and the user to reduce this to one. EC can have the user sync their AD password to the local account if you configure it. This can't be forced, so it's up to your users to comply.

iJake
Valued Contributor

@macmanmk

If this file

$HOMEFOLDER/Library/Preferences/com.apple.Enterprise-Connect.plist

doesn't exist then Enterprise Connect has never been logged into. Key off of that but I'd actually take it a step further and even if the prefs exist verify that it is actually connecting.

defaults read $HOMEFOLDER/Library/Preferences/com.apple.Enterprise-Connect.plist dateLastConnected

And you can easily convert that to epoch for easy comparison and see if they've checked in in the last X days:

timeStamp14dBack=$(date -v-14d -u +"%s")
# %m is the month (%M would be minutes); cut drops the trailing "+0000" zone field,
# and -u parses the remaining value as UTC, which is how the plist stores it.
dateLastConnectedEpoch=$(date -j -u -f "%Y-%m-%d %T" "$(defaults read "$HOMEFOLDER/Library/Preferences/com.apple.Enterprise-Connect.plist" dateLastConnected | cut -d " " -f1,2)" "+%s")

# A last-connected time at or after the 14-day mark means a recent check-in.
if [[ $dateLastConnectedEpoch -ge $timeStamp14dBack ]]
then
echo "they have connected in the last two weeks. good user"
else
echo "they have not in a couple weeks. bad user."
fi

awilliams
New Contributor II

I am getting ready to roll out EC to my Macs within the organization. All of our Macs are joined to the domain and accounts are managed. Has anyone used managed accounts with EC? I already did my two day training and they suggested to create local accounts on each MacBook.

osxadmin
Contributor II

Hi, I posted this question last week, and I just noticed this post today, so I thought I should ask the same question here:

Apple Enterprise Connect - System Clock - Your Mac's date or time is incorrect.

I'm using Apple Enterprise Connect 1.7.1. I normally don't log out.
And when I log back in from "sleep mode" I'm getting this popup after I log in:
"System Clock - Your Mac's date or time is incorrect. Please correct this issue and try again."
Time is set to "time.apple.com" and when I get the popup I see the time and date is correct.
I just click "OK" and on the "EC" icon I right click and select "Reconnect" and it connects fine.

any thoughts on how to resolve this?

thank you.

What I have is a "Smart Computer Group" with Criteria=OS - Verify Time Server, Operator=like, Value=Fail. If it finds a "Fail" for the time, it automatically applies a policy with a really basic command:

#!/bin/sh
systemsetup -setnetworktimeserver time.apple.com

Has anyone seen the same "issue" on EC version 1.8?

user schultza posted this:

Posted: 10/27/17 at 7:47 PM by schultza

This might be related. Time on Macs has been allowed to drift since ~2013. Apple is no longer using NTP directly from source, it's been changed so that time updates itself less frequently; as I understand it this was done to save power. I have a policy that runs that syncs the time once a day with our local NTP server. This might not be your issue, but I've seen strange time problems with machines coming out of sleep related to this.

/usr/sbin/ntpdate -u serverurlhere

Alternatively you can compile NTP from source if you want to.

pavanraju
New Contributor II

@rjlemmon Thanks for the detailed info. Can we please have a demo of it?

john_bio
New Contributor III
Enterprise Connect is only available to USA based customers.

sigh

ftiff
Contributor

Hi all,

Enterprise Connect, Apple Provisioning Utility and other engagements can now be purchased outside of the USA.

Please check with your Apple Representative or send an email to consultingservices at Apple.

noahdowd
Contributor

@rjlemmon I haven't dived deep into the EC 1.9.0 beta but I'm wondering if there's any plan to leverage EC or possibly built-in support for offline mobile account logins with SmartCards.
My company is planning a transition to full PIV SmartCard multi-factor authentication and I was pleased to discover fairly robust support for this in 10.13.3 (my Windows counterparts struggled with this mandate for months and I got a working demo up in one day). The only feature that doesn't exist is the ability to log in to AD-supplied mobile accounts off-network. I've heard that apps like NoMAD might be able to provide this ability but since we already have EC I figured I'd see if it was something that was coming or maybe that could be bashed together with EC and Ticket Viewer or something.
Thanks!

bizzaredm
Contributor

@macmanmk and @iJake

This is what I ended up with... The echoes at the start were for debugging.

Also @macmanmk I would check out https://www.jamf.com/jamf-nation/discussions/20817/enterprise-connect-login-item

#!/bin/bash

username=$(/usr/bin/defaults read /Library/Preferences/com.apple.loginwindow lastUserName)
# cut drops the trailing "+0000" zone field; the stored value is UTC.
ecdate=$(defaults read "/Users/$username/Library/Preferences/com.apple.Enterprise-Connect.plist" dateLastConnected | cut -d " " -f1,2)


timeStamp14dBack=$(date -v-14d -u +"%s")
# -u parses the value as UTC so it is comparable with the epoch above.
dateLastConnectedEpoch=$(date -j -u -f "%Y-%m-%d %H:%M:%S" "$ecdate" "+%s")

echo "$dateLastConnectedEpoch"
echo "$timeStamp14dBack"

if [[ "$timeStamp14dBack" -lt "$dateLastConnectedEpoch" ]]
then
echo '<result>Within 2 Weeks</result>'
else
echo '<result>Over 2 Weeks</result>'
fi

Edit: both results were the same!!
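Pulling together @iJake's dateLastConnected check and the EA above, here is an added example (not code from the thread or from Apple) that does the epoch conversion in plain shell arithmetic, so it behaves the same regardless of BSD versus GNU `date` flags, and treats a missing plist as "never signed in". It assumes the plist path and key name quoted earlier in the thread and that `defaults read` prints the date as `YYYY-MM-DD HH:MM:SS +HHMM`; the function names are mine.

```shell
#!/bin/sh
# Added example: Jamf extension attribute reporting how recently Enterprise Connect
# last reached the domain, with portable (pure shell) date math.

# Convert "YYYY-MM-DD HH:MM:SS +HHMM" (what `defaults read` prints for a date key)
# to Unix epoch seconds. Returns 1 on anything that does not match that shape.
ec_date_to_epoch() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]\ [0-9][0-9]:[0-9][0-9]:[0-9][0-9]\ [+-][0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    IFS='-: '; set -- $1; unset IFS
    # Strip one leading zero so "08"/"09" are not read as invalid octal literals.
    y=$1 m=${2#0} d=${3#0} H=${4#0} M=${5#0} S=${6#0} tz=$7
    # Days since 1970-01-01 via the proleptic-Gregorian days-from-civil formula.
    [ "$m" -le 2 ] && y=$((y - 1))
    era=$((y / 400)); yoe=$((y - era * 400))
    if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    days=$(( era * 146097 + doe - 719468 ))
    # The zone suffix is local-minus-UTC, so subtract it to get UTC.
    tzh=${tz#?}; tzh=${tzh%??}; tzm=${tz#???}
    off=$(( ${tzh#0} * 3600 + ${tzm#0} * 60 ))
    case $tz in -*) off=$((-off)) ;; esac
    echo $(( days * 86400 + H * 3600 + M * 60 + S - off ))
}

# Classify a last-connected epoch against "now"; an empty epoch means no plist/key.
ec_status() {
    if [ -z "$1" ]; then echo "Never signed in"
    elif [ "$1" -ge $(( $2 - 14 * 86400 )) ]; then echo "Within 2 Weeks"
    else echo "Over 2 Weeks"; fi
}

# EA body (macOS only): resolve the console user's real home directory instead of
# assuming /Users/<name>, then read the key only if the plist exists.
ec_extension_attribute() {
    user=$(stat -f %Su /dev/console)
    home=$(dscl . -read "/Users/$user" NFSHomeDirectory | awk '{print $2}')
    plist="$home/Library/Preferences/com.apple.Enterprise-Connect.plist"
    last=""
    if [ -f "$plist" ]; then
        raw=$(defaults read "$plist" dateLastConnected 2>/dev/null)
        last=$(ec_date_to_epoch "$raw") || last=""
    fi
    echo "<result>$(ec_status "$last" "$(date +%s)")</result>"
}
if [ "$(uname)" = Darwin ]; then ec_extension_attribute; fi
```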

jcompton
Contributor

You are over-thinking that EA. You don't need to do that logic. Just set the EA type to "date." Let the JSS do the logic for you.

Plus - dates take up a lot less room in your database than strings, and are much more efficient overall.

jcompton
Contributor

So this is all you need.

This also should account for a user that has a non-standard home directory.

#!/bin/bash
IFS=$'\n'

currentUser=$(stat -f %Su /dev/console)
# dscl prints "NFSHomeDirectory: /path"; keep only the path.
currentUserHome=$(/usr/bin/dscl . -read "/Users/$currentUser" NFSHomeDirectory | sed -n 's|.* \(/.*\)|\1|p')
ecdate=$(defaults read "$currentUserHome/Library/Preferences/com.apple.Enterprise-Connect.plist" dateLastConnected)

echo "<result>$ecdate</result>"

michaelsawilson
New Contributor

My environment has Enterprise Connect and Jamf. My understanding when we set up Enterprise Connect was that once you logged into Enterprise Connect it would change the user account password, but that doesn't seem to be the case.

jcompton
Contributor

@michaelsawilson - can you clarify "user account password" ? The unbound local account? The bound mobile account?

emmayche
New Contributor III

For those interested in Enterprise Connect, Apple is having a webinar tomorrow (10 April 2018) at 12:15 PM Eastern Daylight time (GMT -4).

You can register at this link.

The webinar is a technical presentation, live demo and Q&A with one of Apple's senior consulting engineers.

PeterG
Contributor II

Hey all...

I just read through nearly two years of comments to get an answer to my question... and I am still not clear.

Q: Does Enterprise Connect only work with local accounts or will it also work with mobile (AD) accounts?

analog_kid
Contributor

Hi PeterG,

It works with both local and domain accounts, including mobile. Certain Enterprise Connect features will only work with certain account types (such as password syncing). We're using it with regular AD and AD mobile accounts.

--Ben

easyedc
Valued Contributor II

I'll throw my 2¢ in also. We're exclusively domain (mobile) accounts (except for service account for jamf) and Enterprise Connect works fine for us. The only thing is we use a password manager application which EC can't leverage for password changes.

PeterG
Contributor II

Ah... so that is what I was looking for.

I want to do password syncing but I have (AD) mobile accounts, not local.

Stephen_Perry
New Contributor III

Password syncing is not necessary when using mobile accounts, as Enterprise Connect only allows for a password change if the domain is accessible. Password syncing is an implied function when utilizing mobile accounts.

PeterG
Contributor II

So the password “countdown” will still work? (because users never log out or restart).

Stephen_Perry
New Contributor III

@PeterG Yes, the password expiration notifications still apply. Upon actual expiration of the user's password, the next time Enterprise Connect authenticates the user they will be forced to change their password (no logout or restart required).

kerouak
Valued Contributor

Is this available in the UK yet??

Can't be a$%&d looking through all the posts..

Ta