Category filter

How to bind macOS devices to Active Directory

To set AD as the identity provider, an IT administrator have to usually bind each Mac machine with the Active Directory manually. With Hexnode’s AD Asset Binding policy, administrators can remotely bind the macOS devices with the AD domain. This allows users to log in to their devices with their AD credentials.

With AD Asset Binding policy, you can bind AD, Apple Open Directory, and OpenLDAP with your Mac.

Configure Mac AD Asset Binding in Hexnode

To configure AD asset binding in macOS devices,

  1. On your Hexnode portal, go to Policies.
  2. Click on New Policy to create a new policy or select an existing policy. If you are creating a new policy, provide a suitable policy name and description.
  3. Go to macOS > Network > AD Asset Binding and click Configure.

You will have the following options to be configured.

Basic Settings
Basic Settings Description
Active Directory Domain Specify the IP address or the Fully Qualified Domain Name (FQDN) of the server. The Mac device will get bound to this domain. Hexnode supports the use of the wildcard %domain% to fetch the AD FQDN.
Username Enter the username of the administrator account used to authenticate and bind the device to the AD domain. Hexnode supports the use of wildcards %username%, %email% and %name%.
Password Enter the password of the AD administrator account.
Organizational Unit Enter the distinguished name of the organizational unit to which the joining computer is to be added. Distinguished name will be in the format CN=CommonName, OU=OrganizationalUnit, DC=DomainComponent. For example: CN=User, OU=Sales, DC=acme, DC=corp
Note:


To obtain the OU path of the Active Directory, enter the following command in the terminal server:
dsquery user -name *

Advanced Settings
Advanced Settings Description
Create mobile account at login Check this option to enable users to login to their Mac device with their AD credentials even if they are not connected to the organization’s AD server. If checked, user’s data will be stored locally and will get automatically logged into the mobile account.
Require confirmation before creating a mobile account Check this option to send a confirmation message to the end user on creating a mobile account, when a user logs in to the Mac machine using the AD user account or as a network user.
Force local home directory creation on the startup disk If enabled, forces the local home directory to be created on the startup disk of the user. This helps users access the network user account remotely.
Notes:
  • Disable this option while using network home directories that have no local directory.
  • This option remains checked and cannot be changed if Create mobile account at login is enabled. But local home directory creation can be forced on the startup disk without creating mobile account at login.
  • This option is enabled by default.

Use UNC Path specified in the Active Directory to derive the network home location Check this to use the AD standard attribute for the home directory location. If unchecked, uses the macOS attribute for the home folder location.
Use the Network Home Protocol Choose either afp or smb protocol for accessing the home folder. This can only be configured if “Use UNC Path specified in the Active Directory to derive the network home location” is checked.
By default, afp is selected.
Any domain in the forest can authenticate If checked, macOS automatically searches all domains for user authentication. If you uncheck this option, only the domains to which the device is bound to will be allowed to authenticate.
Default user shell after device log in Enter the default shell for the user after logging in to the Mac machine. By default, “/bin/bash” is used.
Map UID to attribute To map an AD attribute to the unique user ID, check this option and enter the name of the AD attribute.
Map user GID to attribute To map an AD attribute to the user group ID in user account, check this option and enter the name of the AD attribute.
Map group GID to attribute To map an AD attribute to the GID in group account, check this option and enter the name of the AD attribute.
Prefer this Domain Server Enable to specify the name of the preferred domain server for authentication.

By default, Mac identifies the authentication domain server based on site information and domain controller responsiveness. If a domain controller specified here is unavailable, Mac returns to its default behaviour.

Allow administration by Check this option and add groups to the list. All members of the specified group will have administrative privileges on their Mac. You should specify the display name of the required security groups.

If Allow Administration by is enabled, all the domain and enterprise admins are granted administrative privileges by default.

Namespace Enable to set the primary account naming convention as either Domain or Forest.

By setting namespace as Forest, if multiple domains in the same forest contains several users with the same user name, then those users can login with the name of the domain followed by the login name (domain\login name). In a normal case, user can login using username\password. If Domain is selected users have to enter their domain name to login.

Packet Signing Checking this option allows to choose how to ensure data security. The available drop-down values are Allow, Require and Disable. If Require is selected the LDAP connection required to communicate with the AD must be signed by the Open Directory client.
Packet Encryption Enable to choose how to encrypt the data. The available drop-down values are Allow, Require, Disable and SSL. If Require is selected the LDAP connection must be encrypted by the Open Directory client.
Restrict DDNS Enable to specify which interface to use when updating the Dynamic Domain Name System. Specify the BSD name of the interface.

Run the command “networksetup -listallhardwareports” in the terminal, BSD name is same as the returned Device field value. For example: en0, en1, etc.

Password trust interval Enable to specify how often the computer trust password is to be changed.

Note:


When a Mac is bound to AD, a trust account password is created and gets stored in the system keychain. This password is automatically changed by the Mac based on the specified trust interval.
Set the value to zero to never change this password.


Note:


The AD Asset Binding policy is used to bind the Mac device to the AD. The mapping attributes (UID, user GID and group GID) are configured in the policy for user account creation at the device end. If the mapping attribute values are not specified, the user accounts will not be created at the device end.

Warning:

  • If you are deploying an AD Asset Binding policy with wrong configurations to a macOS device that is already bound to AD, it will unbind from the associated AD domain.
  • If you change the mapping attributes value after associating the policy with the macOS device, users might lose access to the previously created files.
  • If the device fails to join the configured AD network, the rest of the features configured in the policy other than Firewall, Media Management, and Passcode will not be reflected at the device end.

Associate Policies with macOS devices

If the policy has not been saved,

  1. Navigate to Policy Targets.
  2. Click on Devices/ Device Groups/ Users/ User Groups/ Domains.
  3. Choose the targets and click OK and then Save.

If you have the policy saved already,

  1. Go to Policies tab and choose the desired policy.
  2. Click on the Manage drop-down and select Associate Targets.
  3. Choose the target entities and click Associate.

You can choose devices, users, groups, and domains as the policy targets.

What happens at the device end?

Once the policy is associated with the device, the Disk Utility app establishes trusted binding between the macOS device and the organization’s Active Directory server.


Active directory asset binding on macOS devices with Hexnode – Disk Utility app
  • Managing Mac Devices