
Extending active directory for mac os x clients

I guess that the overall conclusion of this should be that AD schema extensions in general, and specifically Mac OS X managed clients in AD environments, are a nasty hack. To create a Tiger-style computer list, you can go to the All Record Types tab (the circle to the right of the computer groups icon), select ComputerLists from the dropdown and click New Record. To manage guest computers i. Is your solution still valid? It seems a lot of configuration! Regards, Evan. But if you already have such a solution set up, you might as well just keep it. Did you try to find out why But as you already have one set up, I assume you also require managed preferences (MCX).

Gives you a You should report this error to the administrator of your server. Tony, you are right: Also the view in Workgroup Manager does not show the current value; applies for Lion as well as Lion Server. Did someone already figure out if we need to reapply the schema modification again for Lion to fully support Lion Server features as well as Lion client MCX settings…? Have you been trying to use Lion client in an AD environment? It looks like things are really broken, especially with mobile accounts. Hopefully Domain Migration: Short answer: Long answer: Has anyone been able to get Lion to work using this or a similar method, or should I go ahead and get a Lion Server?

I manage several thousand Macs (mostly Airs) in an educational environment. Interestingly, if you fire off WGM on a If you do the same on It would seem that, on binding to AD, the local machine becomes Guest. Any suggestions on angles of attack would be sincerely welcomed. Thanks for the update, Berry. Adding the AD schema was a little nerve-wracking (and Microsoft purists will warn you not to do it), but it does work eventually. Setting up all the mounts in an OU wasn't that difficult, but the structure is slightly different from Open Directory's, so you might want to enter them by hand (importing an LDIF is nice, but AD is very picky about syntax).

Things broke at the Mac OS client. Our solution was to return the Macs to local automount map files.


It's annoying, but they work. You can probably cobble together a script that would update them from a central server. We've opted to move the Macs away from NFS going forward and eventually those files will become a thing of the past. In the current setup with LDAP, OS X retrieves the mounts and handles them with autofs, and we expect there must be a way of providing this through AD in a similar fashion. All of these tutorials seem somewhat outdated, as they were written at times when extending the AD schema was apparently necessary even for OS X clients to bind with AD. I have not found any newer information on whether this approach is still supported in today's OS X (currently we run OS X Sierra on our workstations).

Not to mention we don't have any Mac specialists in current staff, so asking one for help just for supervising the short "extending the schema" phase made sense; after that we fall back to current staff for basic maintenance.

This new revision is about OS X If it's still supported, where can we find an updated paper about it? Since this is a technical white paper, I expect it to grow with more and more technical information, so seeing it halved, with all that great information gone, made me a bit nervous. Posted on Feb 8, 8: Feb 8, 9: The general rule of thumb is: do not extend the schema. You are asking for trouble and Microsoft will likely stop talking to you.

The next challenge is that you are enforcing GPO. Have you defined which settings you want to enforce on OS X? If these settings are desktop background and other cosmetic features, then simply create a master image and make all these settings. If security specific, you can also bake most of that into an image. It gets you authentication, authorization, single sign-on, and password policy. That is what most organizations want. Also, please note that the old magic triangle of injecting a Mac server between the clients and the Windows server is being deprecated by Apple.

MCX is effectively deprecated in Mountain so many of the tools and concepts related to extended schema and third-party tools like Centrify no longer apply.

Extending Active Directory for Mac OS X clients

Apple is moving to Profile Manager and this requires a lighter-weight (depending on the angle you look from) deployment model. Before you do anything, just start by binding a Mac to your Active Directory. Use the Apple built-in client. Use the machine. Find out what is working and what is not.


You will be amazed at how many flaws in your Windows environment will be exposed by adding Macs to it. Feb 8, 4: Glad to help. Apple is on a march toward the eschewing of directory services (OD and AD), as seen by the success of the iPad, which essentially doesn't even have a user account.

This is the "power" (or lack thereof) of profiles. Profiles are mostly device configuration, not user config. Granted, there is the ability to push e-mail settings, but without a regex feature like that in Mobile Iron, this is incredibly time-consuming and tedious. It is true that schema modifications are irreversible and must be taken seriously, but if done carefully with the proper backups, usually it's OK. I mean, Exchange, SharePoint and several other Microsoft tools do extend the schema at initial installation and even when migrating from one version to another.

Also note that all the other products mentioned are made by Microsoft and the expectation is that products from a like-minded company should work together. In all that time I have not yet once found a valid reason for modifying the schema, even when Apple was hot on the topic. Also, in that time, I've seen more companies invest in Centrify only to let it stagnate as the Windows admins struggle to figure out what to manage on a Mac.


Granted, in the old days, this is when Macs were mostly small departments dedicated to content creation. Recently, this trend is shifting to mass deployments of Macs as general-use systems. As this continues, we are seeing a renewed interest in "managing" the Macs. But even after a Microsoft briefing, I get the feeling that this is going to be another Altiris "we support Macs" moment, which basically translates into "if you can actually find the software and make it work, we will inventory the device for you."

Again, I can only make a judgement based on an early briefing. It is possible that with the deprecation of MCX, SCCM will be able to implement Profile Manager (after all, this is a publicly available structure from Apple). If this is the case, then it may be possible to use profiles to manage some of your settings. But once again, the new feature from Apple (profiles) is nowhere near as expansive as MCX was. And sadly, MCX is dead.

Best Practices for Integrating Macs with Active Directory - JumpCloud

We can only hope that Apple will expand Profile Manager's options. But if we are to believe the trend of blending the OS will continue with more input from iOS and less from OS X, then Profile Manager will never become as rich as MCX because there will be no perceived need. Apple plays well into this space due to limited product options. Then they look at Apple and see the same product with different screen sizes and have a sigh of relief.

Well, our organization likes to enforce everything from automatic screensaver after a certain amount of time, password to unlock screensaver, disabling hardware like USB ports or DVD drives, automatic launching of applications at startup, background image, default webpage, default desktop theme, tweaking application security in several applications, mounting default network shares at startup, blocking the opening of certain software; we have hundreds of them. We do not use computer imaging software; everything is in SCCM and most settings are GPO based, so that no matter what, even an administrator messing with the computer, most settings will be reset at next startup or after a certain delay.

Configuring Mac OS X to Log In Using Active Directory

So in this next section, I will ask this question: Do you have a mobile device management solution in place? If so, you might want to look at the vendor's ability to support OS X. AirWatch is already doing it. Mobile Iron either is or is about to. This may allow you to avoid deploying a "mostly idle" server just for policy enforcement. Plus, if you are cloud hosting this and you are using mostly Apple laptops, then enforcement continues outside the LAN. There are a lot of things to consider.