Directory service configuration (macOS device policy)
With the Directory service configuration you specify an Active Directory domain that a Mac joins when the policy is assigned to it.
Note
If the Active Directory domain you configure here is the same domain you use for the Sophos Central Self Service Portal, the macOS user policy assigned to the Mac is applied to all Active Directory users that log in to the Mac.
General settings
| Setting | Description |
|---|---|
| Domain host name | The DNS host name of the Active Directory domain to join. |
| AD administrator name | The credentials of the user account used for connecting to the Active Directory server. This user must have permissions to add devices to the Active Directory database. |
| Password | |
| Organizational unit | The organizational unit (OU) within the Active Directory database where the joining computer is added. |
User experience
| Setting | Description |
|---|---|
| Create mobile account | macOS creates a mobile account when a network user logs in for the first time. With a mobile account, users can log in to the Mac with their Active Directory credentials even when the Mac is not connected to the Active Directory server. |
| Require confirmation before creating a mobile account | The user decides whether to create a mobile account or not. |
| Force local home folder | Select this check box to force the creation of user profiles on the startup disk. This is required for mobile accounts. If you clear the check box, pure network home directories are used. |
| Use UNC path from Active Directory | macOS mounts the home folder specified in the Active Directory user account. |
| Network protocol | The protocol for mounting the home folder. |
| Default user shell | The command-line shell for the user. If you leave this field empty, |
Mapping
Warning
If you change these mapping settings later, users might lose access to previously created files.
| Setting | Description |
|---|---|
| UID attribute | The Active Directory attribute that is mapped to the unique user ID (UID) in macOS. |
| User GID attribute | The Active Directory attribute that is mapped to the primary group ID in macOS user accounts. |
| Group GID attribute | The Active Directory attribute that is mapped to the group ID in macOS group accounts. |
Administrative
| Setting | Description |
|---|---|
| Preferred DC server | The Active Directory domain controller (DC) that is consulted first. If you leave this field empty, macOS selects the domain controller by site information and controller responsiveness. |
| Password trust interval in days | Specify how often macOS changes the password of its Active Directory computer account. If you leave this field empty, macOS changes its password every 14 days. If you set a value of |
| Namespace |
|
| Packet signing | macOS can sign and encrypt the LDAP connections used for Active Directory communication.
|
| Packet encryption | |
| Multi-domain authentication | Users from all domains in the Active Directory forest can log in. |
| Domain administrator groups | A list of Active Directory groups. Members of these groups are granted administrative privileges on the Mac. To add a group, enter the Active Directory domain name, a backslash, and the group account name. For example Entries are case-sensitive. |
| Restrict DDNS | A list of network interfaces. By default, macOS uses Dynamic DNS (DDNS) for all network interfaces. To restrict DDNS to certain interfaces, enter their BSD names. For example to restrict DDNS to the built-in Ethernet port, enter To enter more than one interface, press Enter after each entry. |