Binding macOS device to Active Directory using Intune
Intro
Catchy title, isn't it? But be sure that it is possible to bind any macOS device to your local (for now) Active Directory using a payload profile uploaded to Intune. Those of you who have connected Intune to Jamf might not find this post useful. But if you want a costless solution, read on.
macServer
At the moment when Mac devices started to appear at my company, we decided to implement an MDM solution. Back then I tested Intune, but it did not pass all of the requirements… macServer did provide all of the necessary features, and it costs only $19.99!
Once you buy it, just install it on a management device, configure some settings, and you are ready to enroll your devices. Customizing management profiles is a piece of cake 🍰. The variety of options is astonishing!
and many more!
So we did the binding to AD using macServer. What is required:
- Service account in AD which has rights to create, rename computer objects in specified OU
- Organizational Unit which will store computer objects
- Connectivity to domain controller from Mac device
This is how it looks:
and for administrative rights on the device configure this tab:
all set!
But this is not what you came for, right?
Payload profile
The time came to look into Intune capabilities once again. At first glance I was disappointed, but then I had an idea 💡! What are those custom profiles? I need to upload some file… Maybe something like this:
Bingo 🥳
So it looks like I can do everything that macServer allows just by downloading the present configuration applied to the end device 🤯.
Let's put it to the test and create a custom profile which will bind the device to Active Directory!
This is how this XML looks inside. I've made changes so that if you want to use it in your organization you can just copy it and fill the 'gaps' in these keys:
- ADDomainAdminGroupList
- ADOrganizationalUnit
- ADPreferredDCServer
- Password
- PayloadDisplayName
- PayloadIdentifier
- UserName
- HostName
- PayloadOrganization
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>ADAllowMultiDomainAuth</key>
<true/>
<key>ADAllowMultiDomainAuthFlag</key>
<true/>
<key>ADCreateMobileAccountAtLogin</key>
<true/>
<key>ADCreateMobileAccountAtLoginFlag</key>
<true/>
<key>ADDefaultUserShell</key>
<string>/bin/bash</string>
<key>ADDefaultUserShellFlag</key>
<true/>
<key>ADDomainAdminGroupList</key>
<array>
<string>yourdomain.com\RemoteAccess-macOS</string>
<string>yourdomain.com\{{serialnumber}}-Admins</string>
</array>
<key>ADDomainAdminGroupListFlag</key>
<true/>
<key>ADForceHomeLocal</key>
<true/>
<key>ADForceHomeLocalFlag</key>
<true/>
<key>ADMapGGIDAttributeFlag</key>
<false/>
<key>ADMapGIDAttributeFlag</key>
<false/>
<key>ADMapUIDAttributeFlag</key>
<false/>
<key>ADMountStyle</key>
<string>smb</string>
<key>ADNamespace</key>
<string>domain</string>
<key>ADNamespaceFlag</key>
<true/>
<key>ADOrganizationalUnit</key>
<string>OU=Workstations,OU=Computers,DC=yourdomain,DC=com</string>
<key>ADPacketEncrypt</key>
<string>allow</string>
<key>ADPacketEncryptFlag</key>
<true/>
<key>ADPacketSign</key>
<string>allow</string>
<key>ADPacketSignFlag</key>
<true/>
<key>ADPreferredDCServer</key>
<string>yourdomain.com</string>
<key>ADPreferredDCServerFlag</key>
<true/>
<key>ADRestrictDDNSFlag</key>
<false/>
<key>ADTrustChangePassIntervalDays</key>
<integer>14</integer>
<key>ADTrustChangePassIntervalDaysFlag</key>
<true/>
<key>ADUseWindowsUNCPath</key>
<true/>
<key>ADUseWindowsUNCPathFlag</key>
<true/>
<key>ADWarnUserBeforeCreatingMA</key>
<false/>
<key>ADWarnUserBeforeCreatingMAFlag</key>
<true/>
<key>ClientID</key>
<string>%ComputerName%</string>
<key>HostName</key>
<string>yourdomain.com</string>
<key>Password</key>
<string>PASSWORD</string>
<key>PayloadDisplayName</key>
<string>Directory (yourdomain.com)</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>com.apple.mdm.yourdomain.com</string>
<key>PayloadType</key>
<string>com.apple.DirectoryService.managed</string>
<key>PayloadUUID</key>
<string>81d771a0-c8e2-0137-bbba-68fef702cbe7</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>UserName</key>
<string>USERNAME</string>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>Settings for %ComputerName%</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>com.apple.mdm.yourdomain.com.6b79c2a0-c8e2-0137-bbb9-68fef702cbe7</string>
<key>PayloadOrganization</key>
<string>yourdomain.com</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>6b79c2a0-c8e2-0137-bbb9-68fef702cbe7</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
And as a result I got:
Summary
$19.99 was money very well spent! Thanks to that I can prepare the desired configuration in macServer, export it to an XML file, and upload it to Intune. At this moment I've not tested all of the options and how they will apply, but I have high hopes for this method.
Intune allows you to build dynamic strings in configurations, called Configuration Tokens.
I've used one in the device domain group for administrator privileges:
yourdomain.com\{{serialnumber}}-Admins
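The list of 'gaps' above and the Configuration Token in the admin group are easy to get subtly wrong: a stray character inside {{serialnumber}} silently turns the token into a literal group name, and a PASSWORD placeholder left in place is uploaded exactly as written. The Python script below is an added example, not code from this post, from macServer or from Intune. It fills the gaps in a trimmed, constructed copy of the profile above and runs a few checks before upload. The domain, OU, service account name, identifier prefix and password are made-up values; the only token shape it accepts is the {{serialnumber}} form shown in the post.

```python
import plistlib
import re
import uuid

DIRECTORY_PAYLOAD_TYPE = "com.apple.DirectoryService.managed"
# The 'gaps' the post lists: keys inside the Directory payload, plus one at the top level.
PAYLOAD_GAP_KEYS = ("ADDomainAdminGroupList", "ADOrganizationalUnit", "ADPreferredDCServer",
                    "Password", "PayloadDisplayName", "PayloadIdentifier", "UserName", "HostName")
TOPLEVEL_GAP_KEYS = ("PayloadOrganization",)
# Template values that must not survive into a real profile.
PLACEHOLDERS = ("PASSWORD", "USERNAME", "yourdomain.com", "DC=yourdomain")
# Intune configuration tokens look like {{serialnumber}}; any brace outside that shape is a typo.
TOKEN_RE = re.compile(r"\{\{[A-Za-z_]+\}\}")

# Constructed template: a trimmed copy of the post's profile. The second admin group
# deliberately carries a mangled token so the checker has something to report.
SAMPLE_TEMPLATE = rb"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>PayloadContent</key><array><dict>
<key>ADDomainAdminGroupList</key><array><string>yourdomain.com\RemoteAccess-macOS</string>
<string>yourdomain.com\{`{serialnumber}}-Admins</string></array>
<key>ADOrganizationalUnit</key><string>OU=Workstations,OU=Computers,DC=yourdomain,DC=com</string>
<key>ADPreferredDCServer</key><string>yourdomain.com</string><key>HostName</key><string>yourdomain.com</string>
<key>Password</key><string>PASSWORD</string><key>UserName</key><string>USERNAME</string>
<key>PayloadDisplayName</key><string>Directory (yourdomain.com)</string>
<key>PayloadIdentifier</key><string>com.apple.mdm.yourdomain.com</string>
<key>PayloadType</key><string>com.apple.DirectoryService.managed</string>
<key>PayloadUUID</key><string>81d771a0-c8e2-0137-bbba-68fef702cbe7</string>
</dict></array>
<key>PayloadDisplayName</key><string>Settings for %ComputerName%</string>
<key>PayloadIdentifier</key><string>com.apple.mdm.yourdomain.com.6b79c2a0-c8e2-0137-bbb9-68fef702cbe7</string>
<key>PayloadOrganization</key><string>yourdomain.com</string><key>PayloadScope</key><string>System</string>
<key>PayloadType</key><string>Configuration</string>
<key>PayloadUUID</key><string>6b79c2a0-c8e2-0137-bbb9-68fef702cbe7</string>
</dict></plist>"""

# Constructed values for a fictitious domain; the password is a dummy.
EXAMPLE_VALUES = {
    "domain": "corp.example.com", "preferred_dc": "dc01.corp.example.com",
    "ou": "OU=Workstations,OU=Computers,DC=corp,DC=example,DC=com",
    "admin_groups": ["corp.example.com\\RemoteAccess-macOS",
                     "corp.example.com\\{{serialnumber}}-Admins"],
    "username": "svc-macbind", "password": "dummy-not-a-real-secret",
    "identifier_prefix": "com.example.corp.mdm", "org": "Example Corp",
}


def _strings(obj):
    """Yield every string value in a parsed plist, recursively."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, (dict, list)):
        for v in (obj.values() if isinstance(obj, dict) else obj):
            yield from _strings(v)


def directory_payload(profile) -> dict:
    """Return the single Directory payload; accepts a parsed dict or raw plist bytes."""
    if isinstance(profile, bytes):
        profile = plistlib.loads(profile)
    return next(p for p in profile["PayloadContent"] if p.get("PayloadType") == DIRECTORY_PAYLOAD_TYPE)


def check_profile(data: bytes) -> list:
    """Return findings; an empty list means the profile passed every check."""
    profile = plistlib.loads(data)
    findings = []
    if profile.get("PayloadType") != "Configuration" or profile.get("PayloadScope") != "System":
        findings.append("profile must be PayloadType Configuration with PayloadScope System")
    findings += [f"top-level key {k} is empty" for k in TOPLEVEL_GAP_KEYS if not profile.get(k)]
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == DIRECTORY_PAYLOAD_TYPE]
    if len(payloads) != 1:
        findings.append(f"expected one {DIRECTORY_PAYLOAD_TYPE} payload, found {len(payloads)}")
    for payload in payloads:
        findings += [f"payload key {k} is empty" for k in PAYLOAD_GAP_KEYS if not payload.get(k)]
    for s in _strings(profile):
        findings += [f"placeholder {ph!r} still present in {s!r}" for ph in PLACEHOLDERS if ph in s]
        if set("{}") & set(TOKEN_RE.sub("", s)):  # braces left after removing well-formed tokens
            findings.append(f"malformed Intune token in {s!r}")
    uuids = [d.get("PayloadUUID") for d in [profile] + profile.get("PayloadContent", [])]
    for u in uuids:
        try:
            uuid.UUID(str(u))
        except ValueError:
            findings.append(f"invalid PayloadUUID {u!r}")
    if len(set(uuids)) != len(uuids):
        findings.append("PayloadUUID values must be unique")
    return findings


def fill_profile(template: bytes, values: dict) -> bytes:
    """Copy the template, fill the gaps from `values` and mint fresh UUIDs and identifiers."""
    profile = plistlib.loads(template)
    domain, prefix = values["domain"], values["identifier_prefix"]
    directory_payload(profile).update({
        "HostName": domain, "ADPreferredDCServer": values.get("preferred_dc", domain),
        "ADOrganizationalUnit": values["ou"], "ADDomainAdminGroupList": values["admin_groups"],
        "UserName": values["username"], "Password": values["password"],
        "PayloadDisplayName": f"Directory ({domain})", "PayloadIdentifier": f"{prefix}.directory",
        "PayloadUUID": str(uuid.uuid4()).upper(),
    })
    top_uuid = str(uuid.uuid4()).upper()
    profile.update({"PayloadOrganization": values["org"], "PayloadUUID": top_uuid,
                    "PayloadIdentifier": f"{prefix}.{top_uuid}"})
    return plistlib.dumps(profile)
```

Running check_profile on SAMPLE_TEMPLATE reports every unfilled placeholder and the mangled token; running it on fill_profile(SAMPLE_TEMPLATE, EXAMPLE_VALUES) returns an empty list, and the resulting bytes are what you would upload as the custom profile. Two things worth keeping in mind: the Password value sits in clear text inside the profile, so the bind account should have exactly the rights the post lists (create and rename computer objects in the chosen OU) and nothing more, and the filled profile should be kept out of source control. Fresh PayloadUUID and PayloadIdentifier values stop two edited copies of the same export from being treated as the same profile on the device.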
See you in the next one!