About Enterprise Connect

rjlemmon
New Contributor II

Hi all,

This is Rick Lemmon from Apple Professional Services. I'm happy to answer any questions you have around Enterprise Connect. For those of you who are unfamiliar with the tool, it provides a good level of Active Directory integration for Macs that are not domain bound. It also enhances AD integration for Macs that are domain bound and have a user logging in with an AD account.

Enterprise Connect is simply an application. Once it has been set up, it resides in your menu bar. Specifically, Enterprise Connect provides:

Kerberos SSO support: Enterprise Connect includes a built in Kerberos client and ensures that your users have a Kerberos TGT.
Account management: Enterprise Connect notifies your users, via Notification Center, when their AD password is about to expire. They can change their AD password right within Enterprise Connect.
Network shares: Enterprise Connect can mount network shares, including your AD network home and any other SMB or AFP shares you'd like to mount.

It works great if you are bound to an AD domain, but again, there is no requirement to bind to the domain to use it. It works great from a local account on an unbound system.

Enterprise Connect is driven by network state changes. When a state change occurs, Enterprise Connect checks to see if your corporate network is available, and if it is, it will acquire a Kerberos TGT, check password expiration and re-mount your shares if they have disconnected. It is also triggered by wakes from sleep and in a couple of other situations.

There's also a lot of other useful features (configuration profile support, can run scripts, etc) but for the sake of brevity I'll leave those things for later.

You may be asking "How do we get it?" or "Can I see a demo?". Please contact your Apple account team for more information on these subjects. Also, Enterprise Connect is only available to USA based customers.

I'll be following this thread, so please respond with any questions.

243 REPLIES 243

rickwhois
Contributor

Enterprise Connect started asking for the username and password when mounting my network share. I swear this didn't start happening until upgrading to 1.9.0. Is this setting stored somewhere? I forget it's been so long since I configured this and haven't had to address it.

mattosaur4
New Contributor II

@rjlemmon Does it support logging onto multiple trusted domains in a Forest by chance?

Matt

rangal
New Contributor

Does High Sierra natively support Smart Card authentication in a AD environment? Ie without Centrify/other 3rd party software?

noahdowd
Contributor

It does! Check out man SmartCardServices and this link: https://support.apple.com/en-us/HT208372

metzingert
New Contributor

Hi everyone, Amaris Company is able to deliver The Apple Enterprise Connect licence for EMEA.
You can contact me to get more information about it.
Sincerely.

donmontalvo
Esteemed Contributor II

@rickwhois we are using 1.9.1 and have Configuration Profiles scoped to LDAP groups to map out department shares.

Computers are (currently) bound to Active Directory, users never get prompted for credentials.

We use a command like this to create the plist for a share, then upload to a Configuration Profile, scope, and you're done:

defaults write ~/Desktop/com.apple.Enterprise-Connect.plist shares '( { path = " smb://hostname.domain.com/Share"; } )'

Loving how Enterprise Connect mounts the shares when you're on the network.

If you want to unmount the shares for any reason, just go back to the Enterprise Connect menu > Reconnect.

Very slick.

Don

--
https://donmontalvo.com

rickwhois
Contributor

@donmontalvo thanks for the response Don! As it turns out we had some RPC dynamic ports blocked on our network ACLs so it was forcing network mounts to use NTLM instead of kerberos. Our managed share mappings are working over kerberos again

johnmcnair
New Contributor III

We just started rolling this out. But where are the system requirements for Enterprise Connect?
Thank you,
John

jcompton
Contributor

I'm pretty confident Apple PS will not mind me sharing this:

Requirements
Enterprise Connect requires the following:
OS X Yosemite (10.10) or later
An Active Directory domain
Connectivity to the network hosting the Active Directory domain An Active Directory account

khey
Contributor

anyone has an info on the next demo for Enterprise Connect?

Thanks

warro
New Contributor

Will Touch ID on MacBook Pro work with Enterprise Connect?

Chris_Hafner
Valued Contributor II

@warro If you are asking, will TouchID input local credentials into the Enterprise Connect app... then no, and you probably wouldn't want it to, as you will be asking your users to enter their AD credentials there. One feature of Enterprise Connect is that it can change your local account password to match your AD credentials. If you do that, TouchID will enter those credentials when asked for a local account password.

Does this help?

ccarlton
New Contributor II
New Contributor II

Next Enterprise Connect webinar 12:15pm Eastern Tuesday September 25 is available for signup at: https://tinyurl.com/EC42Reg

Apple PS: Enterprise Connect Demo 42
Tuesday, September 25, 2018
11:15 am | Central Daylight Time (Chicago, GMT-05:00) | 2 hrs

tneubauer
New Contributor

Does anyone have documentation about the network, system and/or other requirements for the PKI version of Enterprise Connect? I have sent Apple multiple emails with zero response.

jmariani
Contributor

Love Enterprise Connect!!

afarnsworth
Contributor

How would this work with remote users? We have a rather large remote user presence and do not use an AO-VPN solution.

randy
New Contributor

@afarnsworth In our experience with remote users, they only need to sign in to VPN for Password changes, access to network shares, access to intranet and/or require kerberos or other certificates. We utilize local accounts and this works well for our remote employees.

donmontalvo
Esteemed Contributor II

Hi @rjlemmon we have had Enterprise Connect deployed for some months, but today I had a chance to be a user. :)

My password expired...oops...sorry Enterprise Connect, I ignored you (it was busy I swear!).

I called our Help Desk and asked for a temporary (one time use) password, they gave me something easy to remember like 123Oopsie.

I was logged in with my old password OldPassword01 (sanitized!), so I rebooted my computer to start a test.

Computer is now up, I'm at the FileVault 2 pre-boot screen, and my old password OldPassword01 works as expected.

I'm taken to the macOS Login Window, where I'm prompted for my password...I enter the temporary (one time use) password 123Oopsie.

I'm prompted to change my password, which I change to NewPassword01 (sanitized!), and I'm taken to my Desktop.

I reboot the computer, to see if Enterprise Connect syncs my new password NewPassword01 with FileVault 2.

I'm back at the FileVault 2 pre-boot screen, my new password NewPassword01 does not work, but my old password *OldPassword01 works.

I'm taken to the macOS Login Window again, where I'm prompted for my password...I enter the new password NewPassword01.

I reboot again.

I'm back at the FileVault 2 pre-boot screen.

I enter my new password NewPassword01, I'm taken to my Desktop.

It appears the second reboot resulted in my new password NewPassword01 syncing to FileVault 2.

SUMMARY: The above is a possible scenario where a user has a brain fart (guilty!), forgets to change his or her password, and goes through a Help Desk temporary password scenario...does this scenario represent what a user should expect to go through (um, pretend the user did NOT have a brain fart but for some other reason didn't change his or her password before it expired.

Just wanted to check before we start having techs repeat the above steps, to see if this is another article we need for our Help Desk to be aware, and to inform users.

TIA,
Don

--
https://donmontalvo.com

diradmin
Contributor II

@donmontalvo We have also observed that it takes two restarts for machines to sync up FileVault with a newly changed password, both in the instance of the scenario you outlined, as well as when a not yet expired password is changed through EC.

A solution from EC to eliminate the restart requirements for FV sync would be great.

Chris_Hafner
Valued Contributor II

Yea, I learned this one the hard way. During our last major onboarding, I ended up having to make a mad rush to User Approved MDM (Yes, you've all been telling me for a while now) and ended up using EC credentials to recreate new BYOD users pre-existing local accounts using AD usernames and passwords (Brilliant right!). A number of new users ended up rebooting before the FV2 sync and were presented with the old FV2 Username (Account technically Deleted). When they logged back in with those credentials, the OS was kind enough to create them a new, FV2 Approved, empty user account. A few users showed up very concerned that all of their stuff was deleted! It was simple enough to get the users back into the proper account and fix the FV2 users list, but it was very awkward. More interesting were the users I had to track down because they simply didn't seem to care that all of their files disappeared!

nssabol
New Contributor II

Hello All - thank you for sharing all of this (especially @donmontalvo for the plist example for adding shares via a Profile).

Silly question - is there any publicly available documentation for Enterprise Connect? I inherited a configuration and would like to review/modify our EC audit script but cannot find any references to this online. Or is this a situation where we need to contact Apple for support? We purchased EC previously but have no support information that I am aware of.

I appreciate any guidance or ideas.

Thank you again,
-Neil

NickKoval
Contributor
Contributor

@nssabol As part of the Apple Enterprise Connect download, there are example scripts and a (last count: 36) PDF guide included in the .zip file. If you need more than that, reach out to Apple Support.

Sturner01
New Contributor

I’m surprised to see this thread still running.

This is something I’m rather passionate about. But I disagree with using any additional tools for AD and DFS integration.

Windows integrates just fine into AD and uses DFS just fine and yes I get it windows in a windows world. They do not have a 5k tool for enterprise level integration. I don’t see why anyone should be asked by apple to pay for something that should be native in the OS if apple hopes to compete against windows and Linux for corporate desk space. The added costs of these tools is largely what turns off our company from accepting more macs into the environment.

On that note, I have had considerable trouble with SMBv3 and Windows DFS servers 2012 and later. Seems smbv2 however resolved those issues. And on AD binding, jamf gives you the tools to detect when a Mac drops off the domain and execute a rebind. That coupled with preferred DC ( if your company forgot to assign VLans to DC's) adding the proper search domains in order (if you have multiple domains) and a script for Kerberos renewals and you should be set. My kerb ticket renewal is currently manual but auto renewal is something I do want to look into time permitting especially since the Biometric scanner on Mac does not renew your Kerb ticket, only a login by password does. However it appears connecting to a DFS share does also renew a Kerb ticket at least for the newer OS releases.

Oh and of course everyone’s favorite, turn off smb signing in nsmb.conf and block .DS_Store files on DFS shares to get a speed boost and help prevent file locks.

And it seems it’s only Apple with these issues. Though I do not have personal experience with running Linux in our environment I do know they don’t report these issues when bound to the domain and surfing the dfs on redhat. Seems Mac specific SMB stack just isn't fully baked like it should be.

I will stick to the hard way, it seems to be more reliable for us than another app to buy and update every year.

bcbackes
Contributor II

I'm surprised this thread is still going - still interest in this.

@rjlemmon , or, anyone else on here. I'm looking to use some bits of Enterprise Connect into a "Computer Info" script I'm using. (Computer Info script came from here: https://www.jamf.com/jamf-nation/discussions/29208/build-a-computer-information-script-for-your-help-desk#responseChild177646)

I would love to bring in the part from Enterprise Connect that notifies the current user how many days until their password expires into the Computer Info script. In that link I provided someone else mentioned that they implemented EC with the Computer Info script, however, I'm unable to get it to work.

Does anyone know what script I would use to call the current user information and to output how many days until their password expires? Thanks in advance for your help!

donmontalvo
Esteemed Contributor II

This is of course specific to each user, hope this helps:

$ defaults read ~/Library/Preferences/com.apple.Enterprise-Connect datePasswordExpires
2019-01-27 00:19:31 +0000

Merry Christmas!

5342b6738c1e4453ae7941bd05c7459f

--
https://donmontalvo.com

bcbackes
Contributor II

Thank you @donmontalvo! I actually went with daysToExpire, however, your post is what helped to get me there. Merry Christmas to you!

donmontalvo
Esteemed Contributor II

@bcbackes whoops looks like I copy/pasted the wrong key. Boy this eggnog is good! ;)

Corrected:

$ defaults read ~/Library/Preferences/com.apple.Enterprise-Connect daysToExpire
33
--
https://donmontalvo.com

chriskowalski
New Contributor

Do you happen to know if the AD option - "user must change password at next logon" will be tested/checked when connecting with Enterprise Connect?
Right now if we set this on the account in AD, a user is unable to sign in... where it should simply be prompted with relevant dialog boxes to change the password.... Thanks

david_yenzer
Contributor II

It appears we are about to get Enterprise Connect in our district with our next order. Got a demo that tested positively and appears that it will work for our staff laptops (shared devices would still need joined to the domain).

KyleEricson
Valued Contributor

Is AEC dead now that macOS 10.15 has this built in?

Hire me as a independent contractor.

mbezzo
Contributor III

Was definitely thinking this as I watched the WWDC preso called "What's New in Managing Apple Devices"! It says that the extension is based on EC - so sounds like it is a replacement?

scottb
Honored Contributor

@mbezzo @kericson - I've read this now in a couple places, but can't find specifics on it. Would be nice to know more on this...going to search the dev portal, but so far, this thread is as close as I've come to it.

KMerendaTFMC
New Contributor III

I think it's safe to say that EC is going away. I received an email from Apple Pro Services last week, with the following line:

...*With these changes, we’d like you to begin testing and planning an eventual migration away from Enterprise Connect. Although we will continue to provide critical maintenance updates for Enterprise Connect for at least one year, we will be focusing new development efforts on functionality related to the new extension

Additional documentation and test plans around the new functionality will be published through AppleSeed for IT throughout the summer. Feedback should be submitted through Feedback Assistant for any kind of single sign-on functionality going forward..*

scottb
Honored Contributor

@KMerendaTFMC - thanks for that. Pretty much spells it out!

SSO…

gachowski
Valued Contributor II

Anybody find any documentation for enterprise connect in Catalina? I haven't seen anything on the Appleseed pages..

Thanks

C

KMerendaTFMC
New Contributor III

@gachowski The Apple developer documentation for the MDM API has some bits on the Kerberos SSO extension payload for config profiles, if I remember correctly. When I reviewed it (a few months ago) the documentation was very limited.

gachowski
Valued Contributor II

I found it ... it's all in the seed program, but it's the seed program for ABM accounts. My normal seed account wasn't linked to our ABM accounts.

C

kstrick
Contributor III

I know that the SSO extension is going to be replacing most of the functionality of Enterprise Connect (and EC may be EOL as a consequence), but does anyone know if EC 2.0.x will work fine with Catalina?
I'm really just thinking of it as a stop-gap measure if we don't get the SSO extension working right away...

Danko
New Contributor III

@kstrick Enterprise Connect is fully supported with Catalina.

beeboo
Contributor

how are you guys getting EC 2.x? we have 1.9.5 (1) and i have no clue where to even get updates.

the app signature expired on our EC app so now users are unable to deploy it.

while i know theres 2 options:
1. expand and flatten without a signature
2. cache it then run a command to install package with -allowuntrusted

if would be better if we could test a later/newer version, especially since theres a residual package distributed with EC 1.9.5 called "Install Enterprise Connect First Launch.dmg" that im not quite sure what it does :(

is the download only from a dev link?