Question

About Enterprise Connect

  • November 6, 2015
  • 243 replies
  • 1411 views


  • New Contributor
  • May 11, 2018

@rjlemmon Does it support logging onto multiple trusted domains in a Forest by chance?

Matt


  • New Contributor
  • June 8, 2018

Does High Sierra natively support Smart Card authentication in an AD environment? I.e., without Centrify/other 3rd party software?


noahdowd
  • Contributor
  • June 8, 2018

It does! Check out man SmartCardServices and this link: https://support.apple.com/en-us/HT208372


  • New Contributor
  • June 12, 2018

Hi everyone, Amaris Company is able to deliver The Apple Enterprise Connect licence for EMEA.
You can contact me to get more information about it.
Sincerely.


donmontalvo
  • Hall of Fame
  • June 27, 2018

@rickwhois we are using 1.9.1 and have Configuration Profiles scoped to LDAP groups to map out department shares.

Computers are (currently) bound to Active Directory, users never get prompted for credentials.

We use a command like this to create the plist for a share, then upload to a Configuration Profile, scope, and you're done:

defaults write ~/Desktop/com.apple.Enterprise-Connect.plist shares '( { path = "smb://hostname.domain.com/Share"; } )'

Loving how Enterprise Connect mounts the shares when you're on the network.

If you want to unmount the shares for any reason, just go back to the Enterprise Connect menu > Reconnect.

Very slick.

Don


  • Valued Contributor
  • June 28, 2018

@donmontalvo thanks for the response Don! As it turns out we had some RPC dynamic ports blocked on our network ACLs so it was forcing network mounts to use NTLM instead of Kerberos. Our managed share mappings are working over Kerberos again.


  • Contributor
  • July 17, 2018

We just started rolling this out. But where are the system requirements for Enterprise Connect?
Thank you,
John


  • Contributor
  • July 18, 2018

I'm pretty confident Apple PS will not mind me sharing this:

Requirements
Enterprise Connect requires the following:
OS X Yosemite (10.10) or later
An Active Directory domain
Connectivity to the network hosting the Active Directory domain
An Active Directory account


  • Valued Contributor
  • August 20, 2018

Does anyone have any info on the next demo for Enterprise Connect?

Thanks


  • New Contributor
  • August 23, 2018

Will Touch ID on MacBook Pro work with Enterprise Connect?


Chris_Hafner
  • Jamf Heroes
  • August 23, 2018

@warro If you are asking, will TouchID input local credentials into the Enterprise Connect app... then no, and you probably wouldn't want it to, as you will be asking your users to enter their AD credentials there. One feature of Enterprise Connect is that it can change your local account password to match your AD credentials. If you do that, TouchID will enter those credentials when asked for a local account password.

Does this help?


  • New Contributor
  • August 31, 2018

Next Enterprise Connect webinar 12:15pm Eastern Tuesday September 25 is available for signup at: https://tinyurl.com/EC42Reg

Apple PS: Enterprise Connect Demo 42
Tuesday, September 25, 2018
11:15 am | Central Daylight Time (Chicago, GMT-05:00) | 2 hrs


  • New Contributor
  • September 6, 2018

Does anyone have documentation about the network, system and/or other requirements for the PKI version of Enterprise Connect? I have sent Apple multiple emails with zero response.


  • Contributor
  • September 6, 2018

Love Enterprise Connect!!


afarnsworth
  • Contributor
  • September 6, 2018

How would this work with remote users? We have a rather large remote user presence and do not use an AO-VPN solution.


  • September 6, 2018

@afarnsworth In our experience with remote users, they only need to sign in to VPN for password changes, access to network shares, access to intranet and/or require Kerberos or other certificates. We utilize local accounts and this works well for our remote employees.


donmontalvo
  • Hall of Fame
  • November 3, 2018

Hi @rjlemmon we have had Enterprise Connect deployed for some months, but today I had a chance to be a user. :)

My password expired...oops...sorry Enterprise Connect, I ignored you (it was busy I swear!).

I called our Help Desk and asked for a temporary (one time use) password, they gave me something easy to remember like 123Oopsie.

I was logged in with my old password OldPassword01 (sanitized!), so I rebooted my computer to start a test.

Computer is now up, I'm at the FileVault 2 pre-boot screen, and my old password OldPassword01 works as expected.

I'm taken to the macOS Login Window, where I'm prompted for my password...I enter the temporary (one time use) password 123Oopsie.

I'm prompted to change my password, which I change to NewPassword01 (sanitized!), and I'm taken to my Desktop.

I reboot the computer, to see if Enterprise Connect syncs my new password NewPassword01 with FileVault 2.

I'm back at the FileVault 2 pre-boot screen, my new password NewPassword01 does not work, but my old password OldPassword01 works.

I'm taken to the macOS Login Window again, where I'm prompted for my password...I enter the new password NewPassword01.

I reboot again.

I'm back at the FileVault 2 pre-boot screen.

I enter my new password NewPassword01, I'm taken to my Desktop.

It appears the second reboot resulted in my new password NewPassword01 syncing to FileVault 2.

SUMMARY: The above is a possible scenario where a user has a brain fart (guilty!), forgets to change his or her password, and goes through a Help Desk temporary password scenario...does this scenario represent what a user should expect to go through (um, pretend the user did NOT have a brain fart but for some other reason didn't change his or her password before it expired)?

Just wanted to check before we start having techs repeat the above steps, to see if this is another article we need for our Help Desk to be aware, and to inform users.

TIA,
Don


  • Valued Contributor
  • November 5, 2018

@donmontalvo We have also observed that it takes two restarts for machines to sync up FileVault with a newly changed password, both in the instance of the scenario you outlined, as well as when a not yet expired password is changed through EC.

A solution from EC to eliminate the restart requirements for FV sync would be great.


Chris_Hafner
  • Jamf Heroes
  • November 5, 2018

Yea, I learned this one the hard way. During our last major onboarding, I ended up having to make a mad rush to User Approved MDM (Yes, you've all been telling me for a while now) and ended up using EC credentials to recreate new BYOD users' pre-existing local accounts using AD usernames and passwords (Brilliant right!). A number of new users ended up rebooting before the FV2 sync and were presented with the old FV2 Username (Account technically Deleted). When they logged back in with those credentials, the OS was kind enough to create them a new, FV2 Approved, empty user account. A few users showed up very concerned that all of their stuff was deleted! It was simple enough to get the users back into the proper account and fix the FV2 users list, but it was very awkward. More interesting were the users I had to track down because they simply didn't seem to care that all of their files disappeared!


  • New Contributor
  • November 7, 2018

Hello All - thank you for sharing all of this (especially @donmontalvo for the plist example for adding shares via a Profile).

Silly question - is there any publicly available documentation for Enterprise Connect? I inherited a configuration and would like to review/modify our EC audit script but cannot find any references to this online. Or is this a situation where we need to contact Apple for support? We purchased EC previously but have no support information that I am aware of.

I appreciate any guidance or ideas.

Thank you again,
-Neil


  • Employee
  • November 19, 2018

@nssabol As part of the Apple Enterprise Connect download, there are example scripts and a (last count: 36) PDF guide included in the .zip file. If you need more than that, reach out to Apple Support.


  • New Contributor
  • December 14, 2018

I’m surprised to see this thread still running.

This is something I’m rather passionate about. But I disagree with using any additional tools for AD and DFS integration.

Windows integrates just fine into AD and uses DFS just fine and yes I get it, Windows in a Windows world. They do not have a 5k tool for enterprise level integration. I don’t see why anyone should be asked by Apple to pay for something that should be native in the OS if Apple hopes to compete against Windows and Linux for corporate desk space. The added cost of these tools is largely what turns off our company from accepting more Macs into the environment.

On that note, I have had considerable trouble with SMBv3 and Windows DFS servers 2012 and later. Seems SMBv2 however resolved those issues. And on AD binding, Jamf gives you the tools to detect when a Mac drops off the domain and execute a rebind. That coupled with preferred DC (if your company forgot to assign VLANs to DCs), adding the proper search domains in order (if you have multiple domains) and a script for Kerberos renewals and you should be set. My Kerb ticket renewal is currently manual but auto renewal is something I do want to look into time permitting, especially since the Biometric scanner on Mac does not renew your Kerb ticket, only a login by password does. However it appears connecting to a DFS share does also renew a Kerb ticket, at least for the newer OS releases.

Oh and of course everyone’s favorite, turn off SMB signing in nsmb.conf and block .DS_Store files on DFS shares to get a speed boost and help prevent file locks.

And it seems it’s only Apple with these issues. Though I do not have personal experience with running Linux in our environment I do know they don’t report these issues when bound to the domain and surfing the DFS on Red Hat. Seems the Mac-specific SMB stack just isn't fully baked like it should be.

I will stick to the hard way, it seems to be more reliable for us than another app to buy and update every year.


  • Valued Contributor
  • December 23, 2018

I'm surprised this thread is still going - still interest in this.

@rjlemmon, or anyone else on here. I'm looking to use some bits of Enterprise Connect in a "Computer Info" script I'm using. (Computer Info script came from here: https://www.jamf.com/jamf-nation/discussions/29208/build-a-computer-information-script-for-your-help-desk#responseChild177646)

I would love to bring in the part from Enterprise Connect that notifies the current user how many days until their password expires into the Computer Info script. In that link I provided someone else mentioned that they implemented EC with the Computer Info script, however, I'm unable to get it to work.

Does anyone know what script I would use to call the current user information and to output how many days until their password expires? Thanks in advance for your help!


donmontalvo
  • Hall of Fame
  • December 24, 2018

This is of course specific to each user, hope this helps:

$ defaults read ~/Library/Preferences/com.apple.Enterprise-Connect datePasswordExpires
2019-01-27 00:19:31 +0000

Merry Christmas!


  • Valued Contributor
  • December 24, 2018

Thank you @donmontalvo! I actually went with daysToExpire, however, your post is what helped to get me there. Merry Christmas to you!
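
An added example, not part of any post above and not Apple's or Jamf's code: one way a help-desk script could turn the `datePasswordExpires` value shown earlier into days remaining and a status. The function names and the 14-day warning threshold are assumptions, and it assumes the value always carries the `+0000` offset seen in the sample output.

```shell
#!/bin/sh
# Added example. Function names and thresholds are hypothetical.

# Convert "YYYY-MM-DD HH:MM:SS +0000" to epoch seconds; reject anything else
# (for example the empty output when the key is missing).
to_epoch() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]\ [0-9][0-9]:[0-9][0-9]:[0-9][0-9]\ +0000) ;;
        *) return 1 ;;
    esac
    stamp=${1% +0000}
    # BSD/macOS date first, GNU date as a fallback when testing off the Mac.
    date -j -u -f "%Y-%m-%d %H:%M:%S" "$stamp" +%s 2>/dev/null ||
        date -u -d "$stamp" +%s 2>/dev/null
}

# days_until_expiry <expiry string> [now epoch]
# Prints whole days left, rounded down; negative once the password has expired.
days_until_expiry() {
    exp=$(to_epoch "$1") || return 1
    now=${2:-$(date +%s)}
    diff=$((exp - now))
    if [ "$diff" -lt 0 ]; then
        echo $(( (diff - 86399) / 86400 ))
    else
        echo $((diff / 86400))
    fi
}

# expiry_status <expiry string> <warn days> [now epoch]
# Prints expired, warn, ok, or unknown when the value cannot be parsed.
expiry_status() {
    days=$(days_until_expiry "$1" "$3") || { echo unknown; return 1; }
    if [ "$days" -lt 0 ]; then
        echo expired
    elif [ "$days" -le "$2" ]; then
        echo warn
    else
        echo ok
    fi
}

# Constructed sample: the value from the post, evaluated as of
# 2018-12-24 00:00:00 UTC (epoch 1545609600), 34 days before expiry.
expiry_status "2019-01-27 00:19:31 +0000" 14 1545609600   # prints: ok

# On a managed Mac, run as the logged-in user:
# expiry_status "$(defaults read ~/Library/Preferences/com.apple.Enterprise-Connect datePasswordExpires)" 14
```

Treat `unknown` as a finding in its own right in the help-desk output, since a missing key means Enterprise Connect has not recorded an expiry for that user.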