Directory service configuration (macOS device policy)
With the Directory service configuration you specify the Active Directory domain that a Mac joins when the policy is assigned to it.
If the Active Directory domain you configure here is the same domain you use for the Sophos Central Self Service Portal, the macOS user policy assigned to the Mac is applied to all Active Directory users that log in to the Mac.
| Setting | Description |
|---|---|
| Domain host name | The DNS host name of the Active Directory domain to join. |
| AD administrator name | The credentials of the user account used for connecting to the Active Directory server. This user must have permissions to add devices to the Active Directory database. |
| | The organizational unit (OU) within the Active Directory database where the joining computer is added. |
| Create mobile account | macOS creates a mobile account when a network user logs in for the first time. With a mobile account, users can log in to the Mac with their Active Directory credentials even when the Mac is not connected to the Active Directory server. |
| Require confirmation before creating a mobile account | The user decides whether to create a mobile account or not. |
| Force local home folder | Select this check box to force the creation of user profiles on the startup disk. This is required for mobile accounts. If you clear the check box, pure network home directories are used. |
| Use UNC path from Active Directory | macOS mounts the home folder specified in the Active Directory user account. |
| | The protocol for mounting the home folder. |
| Default user shell | The command-line shell for the user. If you leave this field empty, |

If you change these mapping settings later, users might lose access to previously created files.

| Setting | Description |
|---|---|
| | The Active Directory attribute that is mapped to the unique user ID (UID) in macOS. |
| User GID attribute | The Active Directory attribute that is mapped to the primary group ID in macOS user accounts. |
| Group GID attribute | The Active Directory attribute that is mapped to the group ID in macOS group accounts. |
| Preferred DC server | The Active Directory domain controller (DC) that is consulted first. If you leave this field empty, macOS selects the domain controller by site information and controller responsiveness. |
| Password trust interval in days | Specify how often macOS changes the password of its Active Directory computer account. If you leave this field empty, macOS changes its password every 14 days. If you set a value of |
| | macOS can sign and encrypt the LDAP connections used for Active Directory communication. |
| | Users from all domains in the Active Directory forest can log in. |
| Domain administrator groups | A list of Active Directory groups. Members of these groups are granted administrative privileges on the Mac. To add a group, enter the Active Directory domain name, a backslash, and the group account name. For example Entries are case-sensitive. |
| | A list of network interfaces. By default, macOS uses Dynamic DNS (DDNS) for all network interfaces. To restrict DDNS to certain interfaces, enter their BSD names. For example to restrict DDNS to the built-in Ethernet port, enter To enter more than one interface, press Enter after each entry. |
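After the policy has been assigned, an administrator will usually want to confirm that the binding on a given Mac actually reflects the settings above (mobile accounts, local home folders, LDAP signing and encryption, the computer-account password interval). The following script is an added example and is not Sophos code or part of this page; it reads the binding state with macOS's `dsconfigad -show` and compares selected values against what the policy is expected to produce. The label names in the embedded sample are modelled on that command's output and are an assumption to be checked against a real Mac; the expected values (domain `example.com`, signing and encryption set to `require`, an interval of at most 14 days) are placeholder policy choices, and the sample output itself is constructed so the script also runs on a non-macOS host.

```shell
#!/bin/sh
# Audit an Active Directory binding against the expected policy values.
# SAMPLE_SHOW is a constructed stand-in for `dsconfigad -show` output; the
# label text is an assumption modelled on that command and should be
# verified on a real Mac.
SAMPLE_SHOW='Active Directory Forest          = example.com
Active Directory Domain          = example.com
Computer Account                 = mac01$

Advanced Options - User Experience
  Create mobile account at login = Enabled
  Require confirmation           = Disabled
  Force home to startup disk     = Enabled
  Use Windows UNC path for home  = Enabled
  Network protocol to be used    = smb
  Default user Shell             = /bin/zsh

Advanced Options - Administrative
  Preferred Domain controller    = not set
  Allowed admin groups           = EXAMPLE\mac-admins
  Authentication from any domain = Enabled
  Packet signing                 = allow
  Packet encryption              = allow
  Password change interval       = 30
  Restrict Dynamic DNS updates   = en0
'

# get_setting TEXT LABEL: print the value after "LABEL = " with surrounding
# whitespace removed; prints nothing if the label is absent.
get_setting() {
  printf '%s\n' "$1" \
    | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" \
    | head -n 1 \
    | sed 's/[[:space:]]*$//'
}

# check_setting TEXT LABEL EXPECTED: report one setting; returns 1 on mismatch.
check_setting() {
  actual=$(get_setting "$1" "$2")
  if [ "$actual" = "$3" ]; then
    echo "OK       $2 = $actual"
    return 0
  fi
  echo "MISMATCH $2 = ${actual:-<missing>} (policy expects $3)"
  return 1
}

# audit_binding TEXT: compare the binding against placeholder policy values
# (assumed here, not taken from the page); returns the number of mismatches.
audit_binding() {
  text=$1
  bad=0
  check_setting "$text" "Active Directory Domain" "example.com" || bad=$((bad + 1))
  check_setting "$text" "Create mobile account at login" "Enabled" || bad=$((bad + 1))
  check_setting "$text" "Force home to startup disk" "Enabled" || bad=$((bad + 1))
  # LDAP signing and encryption: "allow" negotiates, "require" refuses plaintext.
  check_setting "$text" "Packet signing" "require" || bad=$((bad + 1))
  check_setting "$text" "Packet encryption" "require" || bad=$((bad + 1))
  # The page's default interval is 14 days; treat anything longer as a finding.
  interval=$(get_setting "$text" "Password change interval")
  if [ -n "$interval" ] && [ "$interval" -le 14 ] 2>/dev/null; then
    echo "OK       Password change interval = $interval"
  else
    echo "MISMATCH Password change interval = ${interval:-<missing>} (policy expects <= 14)"
    bad=$((bad + 1))
  fi
  return "$bad"
}

# On a Mac, read the live binding; elsewhere, fall back to the constructed sample.
if command -v dsconfigad >/dev/null 2>&1; then
  show=$(dsconfigad -show)
else
  show=$SAMPLE_SHOW
fi
audit_binding "$show" || echo "mismatches found: $?"
```

Run it as root on a bound Mac to get a line per checked setting; the exit status of `audit_binding` is the mismatch count, so the script can feed a fleet-wide compliance report. With the constructed sample it reports three mismatches: signing and encryption are only `allow` rather than `require`, and the computer-account password interval of 30 days exceeds the 14-day default described above.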