
Hi all,



This is Rick Lemmon from Apple Professional Services. I'm happy to answer any questions you have around Enterprise Connect. For those of you who are unfamiliar with the tool, it provides a good level of Active Directory integration for Macs that are not domain bound. It also enhances AD integration for Macs that are domain bound and have a user logging in with an AD account.



Enterprise Connect is simply an application. Once it has been set up, it resides in your menu bar. Specifically, Enterprise Connect provides:



Kerberos SSO support: Enterprise Connect includes a built in Kerberos client and ensures that your users have a Kerberos TGT.
Account management: Enterprise Connect notifies your users, via Notification Center, when their AD password is about to expire. They can change their AD password right within Enterprise Connect.
Network shares: Enterprise Connect can mount network shares, including your AD network home and any other SMB or AFP shares you'd like to mount.



It works great if you are bound to an AD domain, but again, there is no requirement to bind to the domain to use it. It works great from a local account on an unbound system.



Enterprise Connect is driven by network state changes. When a state change occurs, Enterprise Connect checks to see if your corporate network is available, and if it is, it will acquire a Kerberos TGT, check password expiration and re-mount your shares if they have disconnected. It is also triggered by wakes from sleep and in a couple of other situations.



There are also a lot of other useful features (configuration profile support, the ability to run scripts, etc.), but for the sake of brevity I'll leave those things for later.



You may be asking "How do we get it?" or "Can I see a demo?". Please contact your Apple account team for more information on these subjects. Also, Enterprise Connect is only available to USA based customers.



I'll be following this thread, so please respond with any questions.

Hi Rick,



Thanks for offering up the information. As you can imagine, we have customers with AD challenges over here in the UK too, so U.S.-based only isn't all that great.


Hi @rjlemmon,



It seems like Enterprise Connect has a pretty good feature set. Is there any reason that Apple has opted to not include this in the base operating system or even make it available via the Mac App Store?


My biggest question about this product is its potential usefulness in terms of DEP-deployed Macs.



The biggest thing holding us back from a DEP implementation is AD integration. We have many remote users who would be unable to connect to the domain to create mobile accounts. Even for users on our domain, the initial account created is still a local account, so there would still be some policy magic involved to switch them over to a bound mobile account.



Would this allow us to deploy using DEP and offer our users all of the benefits of using their AD credentials without actually having to bind to our domain? How exactly does this handle the linking of their local account with their AD account? Does it enforce our AD password requirements on the local account as well, or would that still have to be managed by profiles?


@bpavlov



The price is over $5K so it's really not suited for the App store.


+1 for @bpavlov's question. As its purpose is to improve AD integration, I'd be interested to hear the reasons why it's not included in the OS by default.



@bpavlov, @rjlemmon may have a more direct answer for you, but from the presentation I attended on Enterprise Connect, although it wasn't stated explicitly, I got the distinct impression this tool was born out of a need the Apple enterprise support team felt from listening to what was probably years of complaining from customers about how poorly Apple's OS works with AD and other LDAP environments.
All this is to say that it doesn't sound like Apple's upper management is interested in integrating this into the OS at this time, but gave the enterprise support folks the freedom to create, develop and promote this tool to help address this need.
This is all just speculation based on "reading between the lines" if you will. It was what wasn't said on the call that spoke louder than what was mentioned.



@hkabik We are in a similar boat. I don't anticipate ever being able to convince management here to move away from cached AD local accounts for our managed/company-owned Macs. DEP makes that very challenging because of how it's designed around setting up a local account. DEP is really more about using the OS out of the box and getting it enrolled into management, rather than getting machines joined to AD or using AD accounts.
While I can see the possibility of it still being done to use AD, boy, it would be incredibly tricky. Policy magic indeed!


@bpavlov - Enterprise Connect is a product of Apple Professional Services. Please file a feature request or a bug if you’d like to see it added to the operating system or distributed in the Mac App Store.



@hkabik - In your case, you'd use Enterprise Connect after you've gone through setup via DEP and made a local account. You'd use a profile to manage password policy on this local account. You'd then launch Enterprise Connect and sign in with your AD account. Once you did this, Enterprise Connect would get you a Kerberos TGT, check your AD password, etc. Enterprise Connect does nothing to make your local account a mobile account; it just lets you do some AD-type things like Kerberos from a local account.


@hkabik That may be the price, but it doesn't answer why it's not included in the base OS. Obviously Apple already has support for other standards widely used in enterprise built into OS X, so why not include this in the OS? From Microsoft, I expect them to break out feature sets by having different versions of Windows. But I don't expect that from Apple. I'm sure there's a good reason though.


I'm responding so I can be updated on the thread as more info comes in.


@rjlemmon Can I just say it's awesome to have Apple reaching out some more about this.



Peter Beninate also opened an #enterprise-connect channel on the macadmins.org Slack.



But I'm sad that it's US only, and I echo @bpavlov's comments that this should be in the OS.



I'm one of the maintainers of ADPassMon, which was written to overcome some issues that EC would address.


"Account management: Enterprise Connect notifies your users, via Notification Center, when their AD password is about to expire. They can change their AD password right within Enterprise Connect.
Network shares: Enterprise Connect can mount network shares, including your AD network home and any other SMB or AFP shares you'd like to mount."



I'm afraid these features aren't too valuable. Current AD integration allows for password expiration message upon login. Mapping drives automatically is pretty simple.



Unless it allowed me to manage specific variables on the Mac (group policy style), I don't see the value. $5K for this? Sounds like a money grab to me. This kind of stuff should be included in the base OS.


I supplied feedback at http://www.apple.com/feedback/macosx.html to have this included in the OS. If I should be supplying the feedback somewhere else, please let me know. Thanks @rjlemmon for reaching out to the community like this.


@tnielsen



I'm afraid these features aren't too valuable. Current AD integration allows for password expiration message upon login.


Yes, because Mac users log out and log in all the time, don't they.
Sorry, but while I agree maybe this shouldn't cost $5K, being able to be notified of pending password expiration while logged in is not exactly useless, so I can't really agree with you there. Also, it shows you your account information within a menu item, so it's pretty handy for users to be able to access this.
Lastly, I got the impression Professional Services is open to adding new features to the product as they go. It's kind of new.


Yeah, I'm really going to have to see this thing to get my head around what the $5K value is. I'm not seeing anything I don't already get from ADPassMon, KerbMinder and some very simple scripting.



I'm not writing it off at all, I'm just not quite getting it yet.



One way or the other I think it's great that Apple is actively communicating with us on something that has been a bit of a mystery to a lot of us. Thanks! Can't wait to hear more about it.


@hkabik Those of us who write those tools you mentioned (and glad you use them 🙂) would be happy to see this as an OS feature... we'd probably still tinker, but the need would be lessened.


@bentoms



We'd hate for you to get bored. ;)



Plus I like your price tag better than theirs so far. :P



In all seriousness, your fork of ADPassMon was world changing for password management here... so while I'm all gung ho for an Apple product to retire the need for your extracurricular work, WOW am I appreciative of the work you've done.


All, thanks for all of the questions and feedback. I'm responding as quickly as I can, so please be patient :)



@tnielsen - It is true that current AD integration allows you to change your password at login. However, this depends on two things. First, your user must actually log out and log in to be prompted. Many users don't do this on a regular basis: logouts consist of closing the lid and logins consist of entering a screensaver password. Second, the user must have a network connection at the login window for this to work. Unless you are using Ethernet or system-level Wi-Fi authentication, many users won't have this in place.



Regarding network shares, there's a variety of ways you can mount network shares (login items, scripts, etc). Enterprise Connect is different in that when these shares get disconnected, like when you leave your corporate network, Enterprise Connect automatically remounts them when your network comes back online.



I should also add that Enterprise Connect is delivered as part of a Professional Services engagement. The price is $5500 and includes 2 days onsite with one of our engineers. Travel and expenses are included as well. During this engagement, we test Enterprise Connect on your network and make sure it is working properly. Some customers have unusual AD configs, etc., that we need to adjust for. We also give you a "deep dive" on the tool itself, help you decide how to deploy it, etc. With any remaining time, we can help you work on any other issues or questions you have about your Mac deployment (as time permits).


@hkabik Thanks! The recent merging was largely the work of Peter Bukowinski, and @ftiff has made massive changes to KerbMinder to improve things even further.



Stuff like this might get re-jigged to be a part of the suite at some time too...



Well, that was one plan... the other is to get EC into the OS, then we can work on $theNextThing.


The professional services angle clears it up for me. Perhaps lots of feature requests would get the attention and interest of Apple management.



And just to repeat the link... http://www.apple.com/feedback/macosx.html


@rjlemmon Thanks for the look into this product.



It would be nice if the product could be made available "as-is, with no support or guarantee of usability or functionality" for those who want to forge ahead on their own without the professional services engagement. I do get why that might not be likely, though.



Of course, having the software integrated into the OS would work as well. :)


Thanks @rjlemmon, it's great to see Apple opening up its communication with the community!



I first heard about Enterprise Connect two weeks ago and almost thought it was a scam :-)



I'd love to see it in action. As I'm in Europe, I extended pmbuko's KerbMinder a bit to make it work without being bound to AD. I hope we will integrate things a bit further and involve the community to make something better; @bentoms has a good idea here.



I cross my fingers to have EC released someday, either as open source or in the OS.


Hi @rjlemmon,
I remember your name from a few years back, at a company where we used some Apple Pro Services.
Nice to see you're still at Apple.



Does it free users from needing computer objects to be created in AD?



So far, it seems like the solution is best deployed in a DEP environment, but is there something that makes it worth using in an environment where we are used to binding? (I know Apple is pushing DEP big, but not every solution is necessarily benefited by it).



I also echo what others have said about it being open source and/or part of the base OS. I dislike the lack of information about it out there, but appreciate that you are reaching out.


@kstrick - Wow, that was quite a while ago, good to hear from you!



If you use Enterprise Connect on an unbound system, there is no need to create a computer object in AD. There's also no process you need to go through to bind it to a domain. You just feed it a domain name, AD username and password and you're good to go.



If you use it while bound and logged in with an AD account, it ensures you always have a Kerberos ticket when you're on the corporate network (Wi-Fi and VPN included), you get notifications when your password is going to expire, you can use Enterprise Connect to change your AD password, and it eases the management of network share points.


@rjlemmon Hi. I sat in on a demo of Enterprise Connect about a month back, and one of the things I recall about it seems important to mention on this thread. In relation to what you posted with:



You just feed it a domain name, AD username and password and you're good to go.


If I recall now, most of the same holds true when using it on an AD-bound Mac and logged into a cached AD mobile account, meaning you still must feed it a username and password to configure the application (or is it only the password now? I can't recall). But essentially, it will not read the AD account's information and automatically just work. The client still must enter their credentials at least once to configure it for use with their account. Correct?



I do seem to remember that it has the ability to accept Configuration Profiles for setting up some of the items though. Maybe that's something you can elaborate on a little when you can, since I'd imagine many folks here would be interested in hearing about the configurability of the application. We're all about automation here after all.

