Posted on 11-06-2015 12:03 PM
This is Rick Lemmon from Apple Professional Services. I'm happy to answer any questions you have around Enterprise Connect. For those of you who are unfamiliar with the tool, it provides a good level of Active Directory integration for Macs that are not domain bound. It also enhances AD integration for Macs that are domain bound and have a user logging in with an AD account.
Enterprise Connect is simply an application. Once it has been set up, it resides in your menu bar. Specifically, Enterprise Connect provides:
Kerberos SSO support: Enterprise Connect includes a built-in Kerberos client and ensures that your users have a Kerberos TGT.
Account management: Enterprise Connect notifies your users, via Notification Center, when their AD password is about to expire. They can change their AD password right within Enterprise Connect.
Network shares: Enterprise Connect can mount network shares, including your AD network home and any other SMB or AFP shares you'd like to mount.
It works great if you are bound to an AD domain, but again, there is no requirement to bind to the domain to use it. It works great from a local account on an unbound system.
Enterprise Connect is driven by network state changes. When a state change occurs, Enterprise Connect checks to see if your corporate network is available, and if it is, it will acquire a Kerberos TGT, check password expiration and re-mount your shares if they have disconnected. It is also triggered by wakes from sleep and in a couple of other situations.
There are also a lot of other useful features (configuration profile support, can run scripts, etc.) but for the sake of brevity I'll leave those things for later.
You may be asking "How do we get it?" or "Can I see a demo?". Please contact your Apple account team for more information on these subjects. Also, Enterprise Connect is only available to USA based customers.
I'll be following this thread, so please respond with any questions.
Posted on 11-06-2015 12:10 PM
Thanks for offering up the information. As you can imagine, we have customers with AD challenges over here in the UK too, so U.S.-based only isn't all that great.
Posted on 11-06-2015 12:10 PM
It seems like Enterprise Connect has a pretty good feature set. Is there any reason that Apple has opted to not include this in the base operating system or even make it available via the Mac App Store?
Posted on 11-06-2015 12:11 PM
My biggest question about this product is its potential usefulness in terms of DEP deployed Macs.
The biggest thing holding us back from a DEP implementation is AD integration. We have many remote users who would be unable to connect to the domain to create mobile accounts. Even for users on our domain the initial account created is still a local account, so there would still be some policy magic involved to switch them over to a bound mobile account.
Would this allow us to deploy using DEP and offer our users all of the benefits of using the AD credentials without actually having to bind to our domain? How exactly does this handle the linking of their local account with their AD account? Does it enforce our AD password requirements on the local account as well, or would that still have to be managed by profiles?
Posted on 11-06-2015 12:18 PM
+1 for @bpavlov's question. As its purpose is to improve AD integration, I'd be interested to hear the reasons why it's not included in the OS by default.
Posted on 11-06-2015 12:23 PM
@bpavlov, @rjlemmon may have a more direct answer for you, but from the presentation I attended on Enterprise Connect, although it wasn't stated explicitly, I got the distinct impression this tool was born out of the need the Apple enterprise support team felt was needed from listening to what was probably years of complaining from customers about how poorly Apple's OS works with AD and other LDAP environments.
All this is to say that it doesn't sound like Apple's upper management is interested in integrating this into the OS at this time, but gave the enterprise support folks the freedom to create, develop and promote this tool to help address this need.
This is all just speculation based on "reading between the lines" if you will. It was what wasn't said on the call that spoke louder than what was mentioned.
@hkabik We are in a similar boat. I don't anticipate ever being able to convince management here to move away from cached AD local accounts for our managed/company owned Macs. DEP makes that very challenging because of how it's designed around setting up a local account. DEP is really more about using the OS OOB and getting it enrolled into management, rather than getting them joined to AD or using AD accounts.
While I can see the possibility of it still being done to use AD, boy it would be incredibly tricky. Policy magic indeed!
Posted on 11-06-2015 12:27 PM
@bpavlov - Enterprise Connect is a product of Apple Professional Services. Please file a feature request or a bug if you’d like to see it added to the operating system or distributed in the Mac App Store.
@hkabik - In your case, you'd use Enterprise Connect after you've gone through setup via DEP and make a local account. You'd use a profile to manage password policy on this local account. You'd then launch Enterprise Connect and sign in with your AD account. Once you did this, Enterprise Connect would get you a Kerberos TGT, check your AD password, etc. Enterprise Connect does nothing to make your local account a mobile account - it just lets you do some AD type things like Kerberos from a local account.
Posted on 11-06-2015 12:27 PM
@hkabik That may be the price, but it doesn't answer why it's not included in the base OS. Obviously Apple has support for other standards widely used in enterprise already built into OS X, so why not include this in the OS? From Microsoft, I expect them to break out feature sets by having different versions of Windows. But I don't expect that from Apple. I'm sure there's a good reason though.
Posted on 11-06-2015 12:27 PM
I'm responding so I can be updated on the thread as more info comes in.
Posted on 11-06-2015 12:31 PM
@rjlemmon Can I just say it's awesome to have Apple reaching out some more about this.
Peter Beninate also opened an #enterprise-connect channel on the macadmins.org Slack.
But I'm sad at only US & echo @bpavlov's comments that this should be in the OS.
I'm one of the maintainers of ADPassMon, which was written to overcome some issues that EC would address.
Posted on 11-06-2015 12:33 PM
"Account management: Enterprise Connect notifies your users, via Notification Center, when their AD password is about to expire. They can change their AD password right within Enterprise Connect.
Network shares: Enterprise Connect can mount network shares, including your AD network home and any other SMB or AFP shares you'd like to mount."
I'm afraid these features aren't too valuable. Current AD integration allows for password expiration message upon login. Mapping drives automatically is pretty simple.
Unless it allowed for me to manage specific variables on the mac (group policy style), I don't see the value. 5k for this? Sounds like a money grab to me. This kind of stuff should be included in the base OS.
Posted on 11-06-2015 12:33 PM
I supplied feedback at http://www.apple.com/feedback/macosx.html to have this included in the OS. If I should be supplying the feedback somewhere else, please let me know. Thanks @rjlemmon for reaching out to the community like this.
Posted on 11-06-2015 12:39 PM
"I'm afraid these features aren't too valuable. Current AD integration allows for password expiration message upon login."
Yes, because Mac users log out and log in all the time, don't they.
Sorry, but while I agree maybe this shouldn't cost $5k, being able to be notified of pending password expiration while logged in is not exactly useless, so I can't really agree with you there. Also, it shows you your account information within a menu item, so it's pretty handy for users to be able to access this.
Lastly, I got the impression professional services is open to adding new features to the product as they go. It's kind of new.
Posted on 11-06-2015 12:39 PM
Yeah, I'm really going to have to see this thing to get my head around what the $5K value is. I'm not seeing anything I don't already get from ADpassmon, Kerbminder and some very simple scripting.
I'm not writing it off at all, I'm just not quite getting it yet.
One way or the other I think it's great that Apple is actively communicating with us on something that has been a bit of a mystery to a lot of us. Thanks! Can't wait to hear more about it.
Posted on 11-06-2015 12:44 PM
@hkabik Those of us who write those tools you mentioned (& glad you use them :) ) would be happy to see this as an OS feature... we'd probably still tinker.. but the need would be lessened.
Posted on 11-06-2015 12:50 PM
We'd hate for you to get bored. ;)
Plus I like your price tag better than theirs so far. :P
In all seriousness your fork of Adpassmon was world changing for password management here... so while I'm all gung ho for an Apple product to retire the need for your extracurricular work, WOW am I appreciative for the work you've done.
Posted on 11-06-2015 12:52 PM
All, thanks for all of the questions and feedback. I'm responding as quickly as I can, so please be patient :)
@tnielsen - It is true that current AD integration allows you to change your password at login. However, this depends on two things. First, your user must actually log out and log in to be prompted. Many users don't do this on a regular basis. Logouts consist of closing the lid and logins consist of entering a screensaver password. Also, the user must have a network connection at the login window for this to work. Unless you are using Ethernet or system level wi-fi authentication, many users won't have this in place.
Regarding network shares, there's a variety of ways you can mount network shares (login items, scripts, etc). Enterprise Connect is different in that when these shares get disconnected, like when you leave your corporate network, Enterprise Connect automatically remounts them when your network comes back online.
I should also add that Enterprise Connect is delivered as part of a Professional Services engagement. The price is $5500 and includes 2 days onsite with one of our engineers. Travel and expenses are included as well. During this engagement, we test Enterprise Connect on your network and make sure it is working properly. Some customers have unusual AD configs, etc. that we need to adjust for. We also give you a "deep dive" on the tool itself, help you decide how to deploy it, etc. With any remaining time, we can help you work on any other issues or questions you have about your Mac deployment (as time permits).
Posted on 11-06-2015 12:53 PM
@hkabik Thanks! The recent merging was largely the work of Peter Bukowinski & @ftiff has made massive changes to KerbMinder to improve things even further.
Stuff like this might get re-jigged to be a part of the suite at some time too...
Well that was one plan.. the other is to get EC into the OS then we can work on $theNextThing
Posted on 11-06-2015 01:03 PM
The professional services angle clears it up for me. Perhaps lots of feature requests would get the attention and interest of Apple management.
And just to repeat the link... http://www.apple.com/feedback/macosx.html
Posted on 11-06-2015 01:07 PM
@rjlemmon Thanks for the look into this product.
It would be nice if the product could be made available "as-is, with no support or guarantee of usability or functionality" for those who want to forge ahead on their own without the professional services engagement. I do get why that might not be likely, though.
Of course, having the software integrated into the OS would work as well. :)
Posted on 11-06-2015 01:21 PM
Thanks @rjlemmon, it's great to see Apple opening up their communication with its community !
I first heard about Enterprise Connect two weeks ago and almost thought it was a scam :-)
I'd love to see it in action. As I'm in Europe, I extended a bit pmbuko's KerbMinder to make it work without being bound to AD. I hope we will integrate things a bit further and involve the community to make something better, @bentoms has a good idea here.
I cross my finger to have EC released someday either in open source or in the OS.
Posted on 11-06-2015 03:04 PM
Hi @rjlemmon,
Remember your name from a few years back, at a company where we used some Apple Pro Services.
Nice to see you're still at Apple.
Does it free users from needing computer objects to be created in AD?
So far, it seems like the solution is best deployed in a DEP environment, but is there something that makes it worth using in an environment where we are used to binding? (I know Apple is pushing DEP big, but not every solution is necessarily benefited by it).
I also echo what others have said about it being open source and/or part of the base OS. I dislike the lack of information about it out there, but appreciate that you are reaching out.
Posted on 11-06-2015 03:43 PM
@kstrick - Wow, that was quite awhile ago, good to hear from you!
If you use Enterprise Connect on an unbound system, there is no need to create a computer object in AD. There's also no process you need to go through to bind it to a domain. You just feed it a domain name, AD username and password and you're good to go.
If you use it while bound and logged in with an AD account, it ensures you always have a Kerberos ticket when you're on the corporate network (wi-fi and VPN included), you get notifications when your password is going to expire, you can use Enterprise Connect to change your AD password, and it eases the management of network share points.
Posted on 11-06-2015 03:56 PM
@rjlemmon Hi. I sat in on a demo of Enterprise Connect about a month back, and one of the things I recall about it seems important to mention on this thread. In relation to what you posted with:
"You just feed it a domain name, AD username and password and you're good to go."
If I recall now, most of the same holds true for when using it on an AD bound Mac and logged into a cached AD mobile account, meaning you still must feed it a username and password to configure the application (or is it only the password now, I can't recall). But essentially, it will not read the AD account's information and automatically just work. The client still must enter their credentials at least once to configure it for use with their account. Correct?
I do seem to remember that it has the ability to accept Configuration Profiles for setting up some of the items though. Maybe that's something you can elaborate on a little when you can, since I'd imagine many folks here would be interested in hearing about the configurability of the application. We're all about automation here after all.
Posted on 11-06-2015 04:21 PM
For those who are interested... My Apple Rep mentioned that they are having a call next Friday the 13th to go over Enterprise Connect with a Q/A session at the end.
Posted on 11-06-2015 04:28 PM
@mm2270 You're correct on both things. If you're logged into your Mac with an AD mobile account, it'll pick up the username and domain at first launch. The user just needs to enter their password and sign in. They don't need to sign in again unless their password changes or there is some problem with their AD account. For the most part, once it's set up, the app runs in the menu bar and does its thing without user intervention. Users will just see the color of the app's icon change. It's yellow when your Mac isn't on the corporate network and green when it is.
And yes, the application can also be configured with a configuration profile. You can configure most settings using the Custom Settings payload of a profile. Casper does a great job of deploying this profile. Yes, EC does the right thing when a setting is configured with a profile - the configured settings get disabled in the UI so the user knows they cannot be changed.
Speaking of automation, Enterprise Connect can also execute a script whenever it goes through its connection process. We intended this to be used to audit a system prior to connecting. Think of something like host checking in a VPN client. For example, you could write a script to check if FileVault is on. If it's not on, and the script has an exit status != 0, Enterprise Connect stops the connection process, tells the user their system isn't compliant and to call the help desk. Really though, you could make the script do whatever you want it to. The only catch is that the script runs as the logged-in user, so you can't do anything as root.
Bonus item - the app is also AD site aware. EC chooses a random domain controller when doing a site lookup, but once EC has determined your site, it uses local domain controllers for LDAP queries, Kerberos, etc. Again, your Mac does not need to be domain bound for this to work.
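The FileVault check Rick describes above, written out as an added example (this is not Apple's or Enterprise Connect's own code, and the thread does not document how the hook is registered, so only the contract stated above is assumed: EC runs the script as the logged-in user and stops the connection when it exits non-zero). The decision is kept in a function that takes the text of `fdesetup status` as input, so it can be checked against constructed output on any machine; `fdesetup status` itself needs no root, which fits the "runs as the logged-in user" constraint.

```shell
#!/bin/sh
# Added example: a pre-connect compliance script for the Enterprise Connect
# script hook described in the thread. Exit 0 lets the connection proceed,
# non-zero stops it. Assumed contract only; the hook's registration is not
# shown on the page.

# filevault_enabled_from_status OUTPUT
# Returns 0 when the text of `fdesetup status` reports FileVault On,
# 1 otherwise (Off, Deferred enablement, or anything unexpected).
filevault_enabled_from_status() {
    case "$1" in
        *"FileVault is On"*) return 0 ;;
        *) return 1 ;;
    esac
}

# compliance_exit_code OUTPUT
# Maps the status text to the exit code EC acts on: 0 compliant, 1 not.
# Kept separate from main so the policy can be tested with constructed text.
compliance_exit_code() {
    if filevault_enabled_from_status "$1"; then
        return 0
    fi
    return 1
}

# main: run the real check on a Mac. No root needed for `fdesetup status`.
main() {
    status_text=$(fdesetup status 2>&1)
    if compliance_exit_code "$status_text"; then
        echo "FileVault is on; allowing Enterprise Connect to continue."
        return 0
    fi
    echo "FileVault is not on; this Mac is not compliant. Call the help desk." >&2
    return 1
}

# Only run the live check where fdesetup exists (macOS). If the tool is
# missing the command list fails, which also blocks the connection.
command -v fdesetup >/dev/null 2>&1 && main
```

A check that you could not evaluate counts as a failure here on purpose: a compliance gate should fail closed, and EC reports the failure to the user rather than silently connecting.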
Posted on 11-06-2015 06:04 PM
@ShaunM9483 Correct, we're running a WebEx on 13 Nov on Enterprise Connect. If anyone would like to learn more and get the information for this session, please email me at "jay" "eff" "enn" (sound those out) @apple.com and I can get you the registration link.
I'm also happy to provide an introduction to your account team if you don't already know them.
Posted on 11-06-2015 06:47 PM
@jarednichols @rjlemmon It would be fantastic to see this outside of the US soon. I spoke to our Apple SE here about Enterprise Connect as we currently develop our own tool to perform these functions. If there is anything we can do to help untie it from Professional Services as we do not have this service in Australia please point me in the right direction. I know that many other Universities here would be interested based on the discussions we have had around our in-house tool. Is the WebEx available to people outside the US?
Posted on 11-07-2015 04:46 AM
I also share @davidacland and @bentoms views here. This should really be part of the OS especially if new deployment methods are to use DEP (which I prefer!).
Posted on 11-07-2015 12:30 PM
Wow!! This really needs to be included in the OS or at the very least made available outside the US.
Posted on 11-07-2015 09:14 PM
I agree that it'd be nice if it was included in the OS... but there's enough uniqueness in everyone's AD deployments to make that troublesome. I've got my fingers crossed, and I've emailed to get in on the WebEx.
@rjlemmon How quickly is Enterprise Connect expected to get updated after a major OS release? Is the expectation within days or quarters of the release of something like 10.12, for example?
Posted on 11-08-2015 02:01 AM
Does EC do anything for keychain issues for bound systems?
Very happy to hear Apple are developing in this area and would love to see this built in and to be made available "as is" for us all to try it out.
Posted on 11-08-2015 06:01 PM
Thanks a lot for the feedback so far.
@cwaldrip We've been staying on top of OS releases. For example, with El Capitan, EC was ready to go well before it shipped. That's our goal going forward.
@psmac It depends. By "keychain issues", I assume you're talking about the Keychain password falling out of sync if a user changes their AD password somewhere other than their Mac. If a user does this, Enterprise Connect won't get the Keychain password back in sync.
However, if your user either uses Enterprise Connect to change their password, or uses a local account + Enterprise Connect, you should be okay. If you use EC to change your password while logged in with an AD account on a bound system, EC will change your AD password, mobile account password, FileVault password and the password for your default keychain (usually login). Using a local account sidesteps the issue entirely.
Posted on 11-09-2015 05:20 AM
I think I understand some of what Enterprise Connect is about now after reading this thread and a previous one from back in June. We are required to bind every computer to AD, and we get all our password expirations taken care of with ADPassMon. You say it can be used to mount AD Network home shares. Can it also mount all the network drives (H: M: O: Q: R:...) the users would see if they logged in on a Windows PC without the user having to know the server path? Unless there's some other magic going on behind the curtain, I don't see how paying $5500 for this tool would benefit us.
And why the secrecy? Why is there no public facing webpage to explain this product?
Posted on 11-09-2015 09:04 AM
Does EC still not change the password of a local non-AD account when the AD account password is updated through EC? If not, is this in the roadmap or something that could be added as a one off to the product during an onsite?
Posted on 11-09-2015 09:43 AM
Rick will need to respond, but I was not under the impression that by "Enterprise" it meant not for education. I can't see why Apple would exclude education from being able to use it.
Of course, the price tag may make it a little harder to swallow for smaller EDU environments. Maybe not as much for higher ed.
Posted on 11-09-2015 10:41 AM
@Eigger , @rjlemmon can probably confirm this, but Apple came out to Boston a few weeks ago and did a "what's up and coming" from Apple to Higher Ed. It was all college folks there and we were all introduced to DEP, VPP, & EC and asked to reach out to our reps to get on the list. We haven't gotten pricing on this yet, so it is not clear if edu will get special pricing on it. My guess is everyone will pay the same price via Apple Professional Services.